[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Security/tests - testSecurityDirectives.py:1.5 testZSP.py:1.4
Jim Fulton
jim@zope.com
Tue, 2 Jul 2002 15:48:40 -0400
Update of /cvs-repository/Zope3/lib/python/Zope/App/Security/tests
In directory cvs.zope.org:/tmp/cvs-serv3863/lib/python/Zope/App/Security/tests
Modified Files:
testSecurityDirectives.py testZSP.py
Log Message:
Added a utility function in the ZopeSecurityPolicy module to get the
permissions held by a principal. This is needed to implement the
granting policy described in
http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/Zope3SecurityModel
Also removed the special security settings "Assign" and "Remove" and
switched the code to use "Allow" and "Deny" instead.
=== Zope3/lib/python/Zope/App/Security/tests/testSecurityDirectives.py 1.4 => 1.5 ===
import Zope.App.Security
-from Zope.App.Security.Settings import Allow, Deny, Unset, Remove, Assign
+from Zope.App.Security.Settings import Allow, Deny
from Zope.App.Security.Registries.PrincipalRegistry import principalRegistry
from Zope.App.Security.Registries.PermissionRegistry \
import permissionRegistry as pregistry
@@ -209,10 +209,10 @@
roles = principal_role_mgr.getRolesForPrincipal("Bar")
self.assertEqual(len( principals ), 1)
- self.failUnless(("Bar",Assign) in principals)
+ self.failUnless(("Bar",Allow) in principals)
self.assertEqual(len( roles ), 1)
- self.failUnless(("Foo",Assign) in roles)
+ self.failUnless(("Foo",Allow) in roles)
def test_suite():
suite = unittest.TestSuite()
=== Zope3/lib/python/Zope/App/Security/tests/testZSP.py 1.3 => 1.4 ===
from Zope.App.OFS.Services.ServiceManager.tests.PlacefulSetup\
import PlacefulSetup
+from Zope.App.Security.ZopeSecurityPolicy import permissionsOfPrincipal
class Context:
def __init__(self, user, stack=[]):
@@ -133,17 +134,31 @@
self.policy.checkPermission(
self.read, None, Context(self.unknown)))
+ self.__assertPermissions(self.jim, ['read'])
+ self.__assertPermissions(self.tim, ['read', 'write'])
+ self.__assertPermissions(self.unknown, [])
+
rolePermissionManager.grantPermissionToRole(self.read, 'Anonymous')
self.failUnless(
self.policy.checkPermission(
self.read, None, Context(self.unknown)))
+ self.__assertPermissions(self.unknown, ['read'])
+
principalPermissionManager.grantPermissionToPrincipal(
self.write, self.jim)
self.failUnless(
self.policy.checkPermission(self.write, None, Context(self.jim)))
+ self.__assertPermissions(self.jim, ['read', 'write'])
+
+ def __assertPermissions(self, user, expected, object=None):
+ permissions = list(permissionsOfPrincipal(user, object))
+ permissions.sort()
+ self.assertEqual(permissions, expected)
+
+
def testPlayfulRolePermissions(self):
ARPM = AnnotationRolePermissionManager
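Review bot: The new `__assertPermissions` helper sorts only the list it computes, so `expected` must already be sorted when passed in, and nothing documents that. Every call in this commit passes a sorted literal, but a later `['write', 'read']` would fail for the wrong reason. I would add a docstring such as `"""Assert that permissionsOfPrincipal(user, object) yields exactly the ids in expected, which must be given in sorted order."""`, or sort a copy of `expected` before the comparison. The third parameter is named `object` and shadows the builtin; `ob`, as used by the callers, reads better: `def __assertPermissions(self, user, expected, ob=None):`. The test method that precedes the helper starts outside this hunk.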
@@ -159,21 +174,34 @@
ob = ContextWrapper(ob3, ContextWrapper(ob2, ob1))
self.failIf(self.policy.checkPermission(test, ob, Context(self.tim)))
+ self.__assertPermissions(self.tim, ['read', 'write'], ob)
+
ARPM(ob2).grantPermissionToRole(test, self.manager)
self.failUnless(self.policy.checkPermission(test, ob,
Context(self.tim)))
+ self.__assertPermissions(self.tim, ['read', 'test', 'write'], ob)
self.failIf(self.policy.checkPermission(test, ob, Context(self.jim)))
+ self.__assertPermissions(self.jim, ['read'], ob)
+
+
ARPM(ob3).grantPermissionToRole(test, self.peon)
self.failUnless(self.policy.checkPermission(
test, ob, Context(self.jim)))
+ self.__assertPermissions(self.jim, ['read', 'test'], ob)
+
+
+
# Make sure global principal permissions override placeful role perms
principalPermissionManager.denyPermissionToPrincipal(
test, self.jim)
self.failIf(self.policy.checkPermission(
test, ob, Context(self.jim)))
+ self.__assertPermissions(self.jim, ['read'], ob)
+
principalPermissionManager.unsetPermissionForPrincipal(
test, self.jim)
+
# Make sure multiple conflicting role permissions resolve correctly
ARPM(ob2).grantPermissionToRole(test, 'Anonymous')
ARPM(ob2).grantPermissionToRole(test, self.arole)
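Review bot: The grant and deny steps each gained a `__assertPermissions` check, but the `unsetPermissionForPrincipal(test, self.jim)` call gets only a blank line, so nothing verifies that lifting the global deny restores the role-derived permission. For an authorization policy that is the case most worth pinning, since a deny that silently outlives its unset would go unnoticed here. Presumably the expected state is the one asserted before the deny, i.e. `self.__assertPermissions(self.jim, ['read', 'test'], ob)` directly after the unset; confirm against the peon grant on `ob3`. The same gap appears after `unsetPermissionForPrincipal(test, self.tim)` at the end of the last testZSP.py hunk, as far as that hunk is visible. The test method continues outside this hunk.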
@@ -184,8 +212,11 @@
new = new.getId()
principalRoleManager.assignRoleToPrincipal(self.arole, new)
self.failUnless(self.policy.checkPermission(test, ob, Context(new)))
+ self.__assertPermissions(new, ['test'], ob)
+
principalRoleManager.assignRoleToPrincipal(self.peon, new)
self.failIf(self.policy.checkPermission(test, ob, Context(new)))
+ self.__assertPermissions(new, ['read'], ob)
def testPlayfulPrinciplePermissions(self):
APPM = AnnotationPrincipalPermissionManager
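Review bot: The two added assertions show the principal's set changing from `['test']` to `['read']` once the second role is assigned, and nothing beside them says why gaining a role removes a permission. The role settings that produce this are set up outside the hunk, so a reader of the test cannot tell which rule is being pinned. If, as the result suggests, `peon` carries a deny for `test` that must win over the grant via `arole`, a comment before the second assignment would make that intent explicit, e.g. `# peon's deny of 'test' must override arole's grant; peon contributes 'read'`.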
@@ -201,25 +232,40 @@
ob = ContextWrapper(ob3, ContextWrapper(ob2, ob1))
self.failIf(self.policy.checkPermission(test, ob, Context(self.tim)))
+
+ self.__assertPermissions(self.tim, ['read', 'write'], ob)
+
APPM(ob2).grantPermissionToPrincipal(test, self.tim)
self.failUnless(self.policy.checkPermission(test, ob,
Context(self.tim)))
+ self.__assertPermissions(self.tim, ['read', 'test', 'write'], ob)
+
APPM(ob3).denyPermissionToPrincipal(test, self.tim)
self.failIf(self.policy.checkPermission(test, ob,
Context(self.tim)))
+ self.__assertPermissions(self.tim, ['read', 'write'], ob)
+
APPM(ob1).denyPermissionToPrincipal(test, self.jim)
APPM(ob3).grantPermissionToPrincipal(test, self.jim)
self.failUnless(self.policy.checkPermission(test, ob,
Context(self.jim)))
+ self.__assertPermissions(self.jim, ['read', 'test'], ob)
+
+
APPM(ob3).unsetPermissionForPrincipal(test, self.jim)
self.failIf(self.policy.checkPermission(test, ob,
Context(self.jim)))
+ self.__assertPermissions(self.jim, ['read'], ob)
+
# make sure placeful principal permissions override global ones
APPM(ob).grantPermissionToPrincipal(test, self.tim)
principalPermissionManager.denyPermissionToPrincipal(
test, self.tim)
self.failUnless(self.policy.checkPermission(test, ob,
Context(self.tim)))
+
+ self.__assertPermissions(self.tim, ['read', 'test', 'write'], ob)
+
principalPermissionManager.unsetPermissionForPrincipal(
test, self.tim)