[Checkins] SVN: grok/branches/sylvain-testlayers/src/grok/ftests/security/preserve_permissions.py Fix security test where we verify non-Grok views aren't opened.
Martijn Faassen
faassen at startifact.com
Tue Apr 27 10:55:29 EDT 2010
Log message for revision 111484:
Fix security test where we verify non-Grok views aren't opened.
Changed:
U grok/branches/sylvain-testlayers/src/grok/ftests/security/preserve_permissions.py
-=-
Modified: grok/branches/sylvain-testlayers/src/grok/ftests/security/preserve_permissions.py
===================================================================
--- grok/branches/sylvain-testlayers/src/grok/ftests/security/preserve_permissions.py 2010-04-27 14:19:36 UTC (rev 111483)
+++ grok/branches/sylvain-testlayers/src/grok/ftests/security/preserve_permissions.py 2010-04-27 14:55:28 UTC (rev 111484)
@@ -3,6 +3,29 @@
Permissions already set by non-grok components are preserved by the
Grok publisher.
+Let's first define a ``@@contents.html`` that is protected by a Zope
+permission, ``zope.ManageContent``::
+
+ >>> from zope.publisher.browser import BrowserPage
+ >>> class Contents(BrowserPage):
+ ... def __init__(self, context, request):
+ ... self.context = context
+ ... self.request = request
+ ... def __call__(self):
+ ... return "Contents called"
+ >>> from zope import component
+ >>> from zope.interface import Interface
+ >>> from zope.publisher.interfaces.browser import IBrowserRequest
+ >>> component.provideAdapter(Contents,
+ ... adapts=(Interface, IBrowserRequest),
+ ... provides=Interface,
+ ... name='contents.html')
+ >>> from zope.security.checker import Checker, defineChecker
+ >>> required = {}
+ >>> required['__call__'] = 'zope.ManageContent'
+ >>> required['browserDefault'] = 'zope.ManageContent'
+ >>> defineChecker(Contents, Checker(required))
+
The `@@contents.html` view of folders is protected by
`zope.ManageContent` and should not be visible to unauthenticated
users. Instead we are asked to authenticate ourselves::
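Review bot: the `component.provideAdapter(...)` and `defineChecker(Contents, Checker(required))` calls in this hunk register a global `contents.html` view for every `Interface` context and a global checker on `Contents`, with no matching unregistration; unless the functional test layer resets the component and checker registries between tests, that view and its `zope.ManageContent` requirement leak into every other test sharing the layer. Consider doing the registration in the test's setUp/tearDown (or the layer's setUp) with proper cleanup, or at least state in the docstring that the layer is responsible for the reset. Also, the unchanged sentence `The @@contents.html view of folders is protected by zope.ManageContent` no longer matches the view being defined: it is registered for `(Interface, IBrowserRequest)`, so it applies to any context, not only folders; rewording it to refer to the view just defined would keep the narrative accurate.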
@@ -12,31 +35,14 @@
... ''')
HTTP/1.0 401 Unauthorized
...
- WWW-Authenticate: basic realm="Zope"
- ...
-This is also the case for views on the Grok application object::
+Let's test this in the context of a Grok application:
>>> grok.testing.grok(__name__)
>>> from grok.ftests.security.preserve_permissions import App
>>> root = getRootFolder()
>>> root['app'] = App()
- >>> print http(r'''
- ... GET /app/++etc++site HTTP/1.1
- ... ''')
- HTTP/1.0 401 Unauthorized
- ...
- WWW-Authenticate: basic realm="Zope"
- ...
-We can allow our application to be viewed by the Zope standard
-``contents.html`` view for site folders. For this we make it provide
-`ISiteManagementFolder`::
-
- >>> from zope.site.interfaces import ISiteManagementFolder
- >>> from zope.interface import alsoProvides
- >>> alsoProvides(root['app'], ISiteManagementFolder)
-
Now there is a ``contents.html`` view available for our application,
which is protected by default::
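Review bot: with the `alsoProvides(root['app'], ISiteManagementFolder)` step removed, the unchanged sentence `Now there is a ``contents.html`` view available for our application, which is protected by default::` has lost its antecedent; the view it refers to is now the `contents.html` registered for `Interface` at the top of the test, so the sentence should say that rather than imply a change of state. Two smaller points: the new lead-in `Let's test this in the context of a Grok application:` ends in a single colon where the rest of the docstring uses `::` before a doctest block (as reST the following `>>>` lines would render as a block quote rather than a literal block), and dropping the `WWW-Authenticate: basic realm="Zope"` expectation leaves the test checking only the 401 status. That is enough to show the view was not opened, but if the authentication challenge is meant to be part of the contract the header assertion is worth keeping.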