[Zope-Checkins] SVN: Zope/branches/hannosch-dtml-vs-accesscontrol/src/ Move testSecurity which only deals with DTML

Hanno Schlichting hannosch at hannosch.eu
Sun May 16 14:39:24 EDT 2010


Log message for revision 112377:
  Move testSecurity which only deals with DTML
  

Changed:
  D   Zope/branches/hannosch-dtml-vs-accesscontrol/src/AccessControl/tests/testSecurity.py
  A   Zope/branches/hannosch-dtml-vs-accesscontrol/src/DocumentTemplate/tests/testSecurity.py

-=-
Deleted: Zope/branches/hannosch-dtml-vs-accesscontrol/src/AccessControl/tests/testSecurity.py
===================================================================
--- Zope/branches/hannosch-dtml-vs-accesscontrol/src/AccessControl/tests/testSecurity.py	2010-05-16 18:37:14 UTC (rev 112376)
+++ Zope/branches/hannosch-dtml-vs-accesscontrol/src/AccessControl/tests/testSecurity.py	2010-05-16 18:39:24 UTC (rev 112377)
@@ -1,122 +0,0 @@
-##############################################################################
-#
-# Copyright (c) 2002 Zope Foundation and Contributors.
-#
-# This software is subject to the provisions of the Zope Public License,
-# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
-# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
-# FOR A PARTICULAR PURPOSE
-#
-##############################################################################
-"""Document Template Tests
-"""
-
-__rcs_id__='$Id$'
-__version__='$Revision: 1.13 $'[11:-2]
-
-import os, sys, unittest
-
-import ZODB
-from DocumentTemplate import HTML
-from DocumentTemplate.tests.testDTML import DTMLTests
-from Products.PythonScripts.standard import DTML
-from AccessControl import User, Unauthorized
-from ExtensionClass import Base
-
-class UnownedDTML(DTML):
-    def getOwner(self):
-        return None
-
-class SecurityTests (DTMLTests):
-    doc_class = UnownedDTML
-    unrestricted_doc_class = HTML
-
-    def testNoImplicitAccess(self):
-        class person:
-            name='Jim'
-
-        doc = self.doc_class(
-            '<dtml-with person>Hi, my name is '
-            '<dtml-var name></dtml-with>')
-        try:
-            doc(person=person())
-        except Unauthorized:
-            # Passed the test.
-            pass
-        else:
-            assert 0, 'Did not protect class instance'
-
-    def testExprExplicitDeny(self):
-        class myclass (Base):
-            __roles__ = None  # Public
-            somemethod__roles__ = ()  # Private
-            def somemethod(self):
-                return "This is a protected operation of public object"
-
-        html = self.doc_class('<dtml-var expr="myinst.somemethod()">')
-        self.failUnlessRaises(Unauthorized, html, myinst=myclass())
-
-    def testSecurityInSyntax(self):
-        # Ensures syntax errors are thrown for an expr with restricted
-        # syntax.
-        expr = '<dtml-var expr="(lambda x, _read=(lambda ob:ob): x.y)(c)">'
-        try:
-            # This would be a security hole.
-            html = self.doc_class(expr)  # It might compile here...
-            html()                       # or it might compile here.
-        except SyntaxError:
-            # Passed the test.
-            pass
-        else:
-            assert 0, 'Did not catch bad expr'
-        # Now be sure the syntax error occurred for security purposes.
-        html = self.unrestricted_doc_class(expr)
-        class c:
-            y = 10
-        res = html(c=c)
-        assert res == '10', res
-
-    def testNewDTMLBuiltins(self):
-
-        NEW_BUILTINS_TEMPLATE = """
-        <dtml-var expr="_.min([1,2])">
-        <dtml-var expr="_.max([2,3])">
-        <dtml-var expr="_.sum([1,2,3,4])">
-        <dtml-var expr="_.hasattr(1, 'foo') and 'Yes' or 'No'">
-        <dtml-var expr="_.None">
-        <dtml-var expr="_.string.strip(' testing ')">
-        <dtml-var expr="[x for x in (1, 2, 3)]">
-        """
-
-        EXPECTED = ['1', '3', '10', 'No', 'None', 'testing', '[1, 2, 3]']
-
-        #
-        #   XXX:    these expressions seem like they should work, with
-        #           the following ExPECTED, but they raise Unauthorized
-        #           on the 'next' name.
-        #
-        #<dtml-var expr="_.iter([1,2,3]).next()">
-        #<dtml-var expr="_.enumerate([1,2,3]).next()">
-        #
-        #EXPECTED = ['1', '3', '10', '1', '(0, 1)']
-
-        template = self.doc_class(NEW_BUILTINS_TEMPLATE)
-        res = template()
-        lines = filter(None, [x.strip() for x in res.split('\n')])
-
-        self.assertEqual(lines, EXPECTED)
-
-    # Note: we need more tests!
-
-def test_suite():
-    suite = unittest.TestSuite()
-    suite.addTest( unittest.makeSuite( SecurityTests ) )
-    return suite
-
-def main():
-    unittest.TextTestRunner().run(test_suite())
-
-if __name__ == '__main__':
-    main()

Copied: Zope/branches/hannosch-dtml-vs-accesscontrol/src/DocumentTemplate/tests/testSecurity.py (from rev 112374, Zope/branches/hannosch-dtml-vs-accesscontrol/src/AccessControl/tests/testSecurity.py)
===================================================================
--- Zope/branches/hannosch-dtml-vs-accesscontrol/src/DocumentTemplate/tests/testSecurity.py	                        (rev 0)
+++ Zope/branches/hannosch-dtml-vs-accesscontrol/src/DocumentTemplate/tests/testSecurity.py	2010-05-16 18:39:24 UTC (rev 112377)
@@ -0,0 +1,112 @@
+##############################################################################
+#
+# Copyright (c) 2002 Zope Foundation and Contributors.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##############################################################################
+"""Document Template Tests
+"""
+
+import unittest
+
+from DocumentTemplate import HTML
+from DocumentTemplate.tests.testDTML import DTMLTests
+from Products.PythonScripts.standard import DTML
+from AccessControl import Unauthorized
+from ExtensionClass import Base
+
+class UnownedDTML(DTML):
+    def getOwner(self):
+        return None
+
+class SecurityTests (DTMLTests):
+    doc_class = UnownedDTML
+    unrestricted_doc_class = HTML
+
+    def testNoImplicitAccess(self):
+        class person:
+            name='Jim'
+
+        doc = self.doc_class(
+            '<dtml-with person>Hi, my name is '
+            '<dtml-var name></dtml-with>')
+        try:
+            doc(person=person())
+        except Unauthorized:
+            # Passed the test.
+            pass
+        else:
+            assert 0, 'Did not protect class instance'
+
+    def testExprExplicitDeny(self):
+        class myclass (Base):
+            __roles__ = None  # Public
+            somemethod__roles__ = ()  # Private
+            def somemethod(self):
+                return "This is a protected operation of public object"
+
+        html = self.doc_class('<dtml-var expr="myinst.somemethod()">')
+        self.failUnlessRaises(Unauthorized, html, myinst=myclass())
+
+    def testSecurityInSyntax(self):
+        # Ensures syntax errors are thrown for an expr with restricted
+        # syntax.
+        expr = '<dtml-var expr="(lambda x, _read=(lambda ob:ob): x.y)(c)">'
+        try:
+            # This would be a security hole.
+            html = self.doc_class(expr)  # It might compile here...
+            html()                       # or it might compile here.
+        except SyntaxError:
+            # Passed the test.
+            pass
+        else:
+            assert 0, 'Did not catch bad expr'
+        # Now be sure the syntax error occurred for security purposes.
+        html = self.unrestricted_doc_class(expr)
+        class c:
+            y = 10
+        res = html(c=c)
+        assert res == '10', res
+
+    def testNewDTMLBuiltins(self):
+
+        NEW_BUILTINS_TEMPLATE = """
+        <dtml-var expr="_.min([1,2])">
+        <dtml-var expr="_.max([2,3])">
+        <dtml-var expr="_.sum([1,2,3,4])">
+        <dtml-var expr="_.hasattr(1, 'foo') and 'Yes' or 'No'">
+        <dtml-var expr="_.None">
+        <dtml-var expr="_.string.strip(' testing ')">
+        <dtml-var expr="[x for x in (1, 2, 3)]">
+        """
+
+        EXPECTED = ['1', '3', '10', 'No', 'None', 'testing', '[1, 2, 3]']
+
+        #
+        #   XXX:    these expressions seem like they should work, with
+        #           the following ExPECTED, but they raise Unauthorized
+        #           on the 'next' name.
+        #
+        #<dtml-var expr="_.iter([1,2,3]).next()">
+        #<dtml-var expr="_.enumerate([1,2,3]).next()">
+        #
+        #EXPECTED = ['1', '3', '10', '1', '(0, 1)']
+
+        template = self.doc_class(NEW_BUILTINS_TEMPLATE)
+        res = template()
+        lines = filter(None, [x.strip() for x in res.split('\n')])
+
+        self.assertEqual(lines, EXPECTED)
+
+    # Note: we need more tests!
+
+def test_suite():
+    suite = unittest.TestSuite()
+    suite.addTest(unittest.makeSuite(SecurityTests))
+    return suite
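Review bot: The negative checks in testNoImplicitAccess and testSecurityInSyntax signal failure with a bare `assert 0, ...` in the `else:` branch, and testSecurityInSyntax ends with `assert res == '10', res`. Bare asserts are compiled out when the suite runs under `python -O`, so a regression that stops raising Unauthorized or SyntaxError for restricted code would pass silently. Since the file is being moved and cleaned up anyway, replace them with `self.fail('Did not protect class instance')`, `self.fail('Did not catch bad expr')` and `self.assertEqual(res, '10')`, matching the unittest-style check testExprExplicitDeny already uses. A short comment on `UnownedDTML.getOwner` saying why the document must have no owner for these checks would also help, because the reason is not visible in this file.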


