[Checkins] SVN: grok/trunk/src/grok/ftests/security/preserve_permissions.py Extend this test a bit to check for ++etc++site within a grok app. It
Martijn Faassen
faassen at infrae.com
Thu Jan 8 14:32:25 EST 2009
Log message for revision 94648:
Extend this test a bit to check for ++etc++site within a grok app. It
should not be allowed.
Changed:
U grok/trunk/src/grok/ftests/security/preserve_permissions.py
-=-
Modified: grok/trunk/src/grok/ftests/security/preserve_permissions.py
===================================================================
--- grok/trunk/src/grok/ftests/security/preserve_permissions.py 2009-01-08 19:26:25 UTC (rev 94647)
+++ grok/trunk/src/grok/ftests/security/preserve_permissions.py 2009-01-08 19:32:25 UTC (rev 94648)
@@ -15,6 +15,20 @@
WWW-Authenticate: basic realm="Zope"
...
+This is also the case for views on the Grok application object::
+
+ >>> grok.testing.grok(__name__)
+ >>> from grok.ftests.security.preserve_permissions import App
+ >>> root = getRootFolder()
+ >>> root['app'] = App()
+ >>> print http(r'''
+ ... GET /app/++etc++site HTTP/1.1
+ ... ''')
+ HTTP/1.1 401 Unauthorized
+ ...
+ WWW-Authenticate: basic realm="Zope"
+ ...
+
However, if we make a grant, e.g. on the root object, we can access
the view just fine:
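Review bot: the log message says ++etc++site on the app "should not be allowed", but the added doctest only asserts that an anonymous request is challenged (401 Unauthorized plus a WWW-Authenticate header), which is the same behaviour the preceding paragraph already documents for the root object, and the following "However, if we make a grant" paragraph shows the view becomes reachable once a grant exists. Suggest wording the new prose as "also requires a permission grant" rather than implying the view is unreachable, so the narrative matches what the assertions check. Since the setup lines (grok.testing.grok(__name__), the App import, root['app'] = App()) now run here, the later sections depend on this earlier setup; a short remark that the app created here is reused below would help a reader starting from a later section.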
@@ -29,14 +43,6 @@
HTTP/1.1 200 Ok
...
-But we can still access Grok views not explicitly protected. We create
-an application and add it to the database::
-
- >>> grok.testing.grok(__name__)
- >>> from grok.ftests.security.preserve_permissions import App
- >>> root = getRootFolder()
- >>> root['app'] = App()
-
The default view is accessible::
>>> from zope.testbrowser.testing import Browser
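Review bot: removing this block also drops the sentence "But we can still access Grok views not explicitly protected", so "The default view is accessible::" now follows the "HTTP/1.1 200 Ok" output of the grant example with no transition explaining that the checks from here on concern unprotected Grok views on the app created earlier. Suggest keeping a one-line lead such as "Grok views that are not explicitly protected remain accessible:" ahead of "The default view is accessible::".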