File: testContentSecurity.py

zope-cmfplone 2.5.1-4etch3
#
# Tests content security
#

import os, sys
# Script mode only (Python 2: execfile does not exist in Python 3).
# framework.py is looked up in sys.path[0], i.e. the directory of the script
# being run, and executed in this module's namespace.  Presumably it sets up
# the Zope test environment and defines the framework() function called at
# the bottom of this file -- confirm against framework.py.
# NOTE(review): whatever framework.py contains runs with the privileges of
# the person running the tests, so that directory should not be writable by
# other users.
if __name__ == '__main__':
    execfile(os.path.join(sys.path[0], 'framework.py'))

from Products.CMFPlone.tests import PloneTestCase

from AccessControl import Unauthorized
from Acquisition import aq_base


class TestContentSecurity(PloneTestCase.PloneTestCase):
    """Access-control tests for creating, deleting and viewing content.

    Every test logs in as one of the fixture users created in afterSetUp and
    checks that an operation either succeeds or raises Unauthorized,
    depending on the user's global roles, local roles granted on a folder or
    document, local-role acquisition being switched off, and workflow state.
    """

    def afterSetUp(self):
        # Fixture users.  user1 and user2 are created with the global
        # 'Member' role.
        self.portal.acl_users._doAddUser('user1', 'secret', ['Member'], [])
        self.portal.acl_users._doAddUser('user2', 'secret', ['Member'], [])
        # _ender_'s use case: a user who does not hold the Member role
        # (user3 is created with an empty role list).
        self.portal.acl_users._doAddUser('user3', 'secret', [], [])
        self.membership = self.portal.portal_membership
        self.workflow= self.portal.portal_workflow
        # Only user1 and user2 get a member area (home folder); user3 has none.
        self.createMemberarea('user1')
        self.createMemberarea('user2')

    def testCreateMemberContent(self):
        # A member may add a Document to their own home folder.
        self.login('user1')
        folder = self.membership.getHomeFolder('user1')
        folder.invokeFactory('Document', id='new')
        # aq_base strips the acquisition wrapper, so hasattr only sees an
        # object stored on the folder itself, not one acquired from a parent.
        self.failUnless(hasattr(aq_base(folder), 'new'))

    def testCreateOtherMemberContentFails(self):
        # user1 must not be able to add content to user2's home folder.
        self.login('user1')
        folder = self.membership.getHomeFolder('user2')
        self.assertRaises(Unauthorized, folder.invokeFactory, 'Document', 'new')

    def testCreateRootContentFails(self):
        # A plain Member must not be able to add content at the portal root.
        self.login('user1')
        self.assertRaises(Unauthorized, self.portal.invokeFactory, 'Document', 'new')

    def testDeleteMemberContent(self):
        # A member may delete content from their own home folder.
        self.login('user1')
        folder = self.membership.getHomeFolder('user1')
        folder.invokeFactory('Document', id='new')
        folder.manage_delObjects(['new'])
        # Checked on the unwrapped folder so an acquired 'new' cannot mask
        # a successful delete.
        self.failIf(hasattr(aq_base(folder), 'new'))

    def testDeleteOtherMemberContent(self):
        # user2 must not be able to delete content that user1 created in
        # user1's home folder.
        self.login('user1')
        folder = self.membership.getHomeFolder('user1')
        folder.invokeFactory('Document', id='new')

        # Switch identity and fetch the folder again as user2.
        self.login('user2')
        folder = self.membership.getHomeFolder('user1')
        self.assertRaises(Unauthorized, folder.manage_delObjects, ['new'])

    def testCreateWithLocalRole(self):
        # Granting user2 the 'Owner' local role on user1's home folder must
        # let user2 add content there.
        self.login('user1')
        folder = self.membership.getHomeFolder('user1')
        folder.manage_addLocalRoles('user2', ('Owner',))
        self.login('user2')
        # This will raise Unauthorized if the role is not set
        # NOTE(review): the test passes purely by the absence of an
        # exception; it does not check that 'new' was actually created.
        folder.invokeFactory('Document', id='new')

    def testCreateFailsWithLocalRoleBlocked(self):
        # Ensure that local role blocking works for blocking content creation:
        # user2's 'Owner' local role on the parent folder must not carry over
        # into a subfolder that has local-role acquisition switched off.
        self.login('user1')
        folder = self.membership.getHomeFolder('user1')
        folder.manage_addLocalRoles('user2', ('Owner',))
        folder.invokeFactory('Folder', id='subfolder')
        # Turn off local role acquisition
        folder.subfolder.folder_localrole_set(use_acquisition=0)
        self.login('user2')
        # This should now raise Unauthorized
        self.assertRaises(Unauthorized, folder.subfolder.invokeFactory, 'Document', 'new')

    def testCreateSucceedsWithLocalRoleBlockedInParentButAssingedInSubFolder(self):
        # Make sure that blocking acquisition in a folder does not interfere
        # with assigning a role in subfolders: a local role granted directly
        # on 'subsubfolder' must still be honoured although its parent
        # 'subfolder' has local-role acquisition switched off.
        self.login('user1')
        folder = self.membership.getHomeFolder('user1')
        folder.manage_addLocalRoles('user2', ('Owner',))
        folder.invokeFactory('Folder', id='subfolder')
        subfolder = folder.subfolder
        # Turn off local role acquisition
        subfolder.folder_localrole_set(use_acquisition=0)
        subfolder.invokeFactory('Folder', id='subsubfolder')
        subfolder.subsubfolder.manage_addLocalRoles('user2', ('Owner',))
        self.login('user2')
        # This should not raise Unauthorized
        subfolder.subsubfolder.invokeFactory('Document', id='new')

    def testViewAllowedOnContentInAcquisitionBlockedFolder(self):
        # Test for http://dev.plone.org/plone/ticket/4055 which seems to be
        # invalid.  A published document inside a folder with local-role
        # acquisition switched off must stay viewable by a user who holds a
        # local role on the document itself.
        self.login('user1')
        folder = self.membership.getHomeFolder('user1')
        folder.manage_addLocalRoles('user2', ('Owner',))
        folder.invokeFactory('Folder', id='subfolder')
        subfolder = folder.subfolder
        # Turn off local role acquisition
        subfolder.folder_localrole_set(use_acquisition=0)
        subfolder.invokeFactory('Document', id='new')
        subfolder.new.content_status_modify(workflow_action='publish')
        subfolder.new.manage_addLocalRoles('user2', ('Member',))
        self.login('user2')
        # This should not raise Unauthorized
        subfolder.new.base_view()

    def testViewAllowedOnContentInPrivateFolder(self):
        # A published document inside a folder that has been made private
        # must remain viewable, both by a user with a local role on the
        # document and by an anonymous visitor.
        self.login('user1')
        folder = self.membership.getHomeFolder('user1')
        folder.content_status_modify(workflow_action='private')
        folder.invokeFactory('Document', id='doc1')
        doc = folder.doc1
        doc.content_status_modify(workflow_action='publish')
        doc.manage_addLocalRoles('user2', ('Owner',))
        self.login('user2')
        # This should not raise Unauthorized
        doc.base_view()
        # Neither should anonymous
        self.logout()
        doc.base_view()

    def testViewAllowedOnContentInAcquisitionBlockedFolderWithCustomWorkflow(self):
        # Another test for http://dev.plone.org/plone/ticket/4055
        # using a pared down version of the custom workflow described therein
        # 'Access contents information' must be enabled for Authenticated/
        # Anonymous on folders for even simple actions to evaluate properly.
        # NOTE(review): this test edits the portal-wide folder_workflow and
        # plone_workflow definitions; it presumably relies on the test
        # framework undoing those changes after the test -- confirm.

        # Create more private workflow starting with folder_workflow
        # (the second argument 0 is presumably the "acquire" flag, i.e. the
        # listed roles are the only ones granted -- confirm against the
        # workflow API).
        wf = self.portal.portal_workflow.folder_workflow
        visible = wf.states.visible
        visible.setPermission('View',0,('Manager','Owner'))
        visible.setPermission('Modify portal content',0,('Manager','Owner'))
        # Then plone workflow
        p_wf = self.portal.portal_workflow.plone_workflow
        published = p_wf.states.published
        published.setPermission('View',0,('Manager','Member','Owner'))
        published.setPermission('Access contents information',0,('Manager','Member','Owner'))
        published.setPermission('Modify portal content',0,('Manager','Member','Owner'))
        # Re-apply the edited permission/role mappings to existing content.
        self.portal.portal_workflow.updateRoleMappings()

        self.login('user1')
        folder = self.membership.getHomeFolder('user1')
        folder.manage_addLocalRoles('user2', ('Member',))
        folder.invokeFactory('Folder', id='subfolder')
        subfolder = folder.subfolder
        # Turn off local role acquisition on the subfolder.
        subfolder.folder_localrole_set(use_acquisition=0)
        subfolder.invokeFactory('Document', id='new')
        subfolder.new.content_status_modify(workflow_action='publish')
        # user3 has no global roles; 'Member' is granted only as a local
        # role on the document itself.
        subfolder.new.manage_addLocalRoles('user3', ('Member',))
        self.login('user3')
        # base_view should not raise Unauthorized.  The original author
        # noted that it never does, even when the script checked below
        # (which, per that note, base_view calls) does raise, and left the
        # discrepancy unexplained.
        try:
            subfolder.new.base_view()
        except Unauthorized:
            self.fail("Could not access base_view on 'new'")
        # This should not raise Unauthorized
        try:
            subfolder.new.getAddableTypesInMenu(('Page','Smart Folder'))
        except Unauthorized:
            self.fail("Could not access getAddableTypesInMenu on 'new'")


def test_suite():
    """Return a TestSuite holding the tests collected from TestContentSecurity."""
    from unittest import TestSuite, makeSuite
    # Collect the test methods of the class first, then wrap them in the
    # outer suite that is handed back to the test runner.
    content_security_tests = makeSuite(TestContentSecurity)
    collected = TestSuite()
    collected.addTest(content_security_tests)
    return collected

# Script entry point.  framework() is not defined in this file; presumably it
# is provided by the framework.py that is executed at the top of the module
# when the file is run as a script -- confirm.
if __name__ == '__main__':
    framework()