[Zope3-dev] Security Testing
Steve Alexander
steve@cat-box.net
Tue, 03 Jun 2003 14:57:11 +0300
Chris Withers wrote:
> Hi,
>
> Just developing a Zope 2 product and wishing there was some easy way I
> could write tests that the security declarations I'm providing are
> having the effects that I'm expecting.
>
> As anyone who's ever written for Zope 2 will know, that ain't easy! ;-)
>
> How would I go about writing a test like this under Zope 3?

This is easiest to write as a functional test.

Functional tests read in the zcml files and act on them before running
the tests, so the security directives you have written will be acted on
in a functional test.

In your test, create an instance of your class, wrap it in a security
proxy, and then try to get its attributes. This is easy to do in the
style of a doctest:

"""Check that my security declarations work.
>>> from zope.security.checker import ProxyFactory
>>> obj = MyClass()
>>> proxy = ProxyFactory(obj)
>>> proxy.foo()
Foo!
>>> proxy.bar()
Traceback (most recent call last):
...
ForbiddenAttribute: bar
"""

You may want to functionally check how permissions interact with this.
The easiest way to do this is to install a new SecurityPolicy that you
can configure. See the test in src/zope/security/tests/test_checker.py
for an example.

It might be sufficient for your purposes to inspect the checker
associated with your objects.

"""Check that my security declarations work.
>>> from zope.security.checker import ProxyFactory, getChecker
>>> obj = MyClass()
>>> proxy = ProxyFactory(obj)
>>> c = getChecker(proxy)
>>> c.check_getattr(obj, 'a')
>>> c.check_getattr(obj, 'b')
Traceback (most recent call last):
...
ForbiddenAttribute: b
>>> c.check_setattr(obj, 'c')
Traceback (most recent call last):
...
ForbiddenAttribute: c
"""
--
Steve Alexander