[Zope-Checkins] CVS: Zope/lib/python/AccessControl/tests -
testBindings.py:1.1.2.1
Tres Seaver
tseaver at zope.com
Thu Jan 8 15:20:21 EST 2004
Update of /cvs-repository/Zope/lib/python/AccessControl/tests
In directory cvs.zope.org:/tmp/cvs-serv31129/lib/python/AccessControl/tests
Added Files:
Tag: Zope-2_6-branch
testBindings.py
Log Message:
- Automatic bindings for scripts (e.g., 'context', 'container') were not
being validated before use.
=== Added File Zope/lib/python/AccessControl/tests/testBindings.py ===
##############################################################################
#
# Copyright (c) 2003 Zope Corporation and Contributors.
# All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE.
#
##############################################################################
"""Test Bindings
$Id: testBindings.py,v 1.1.2.1 2004/01/08 20:20:20 tseaver Exp $
"""
import unittest
from Acquisition import Implicit
from OFS.ObjectManager import ObjectManager
from OFS.Folder import Folder
class SecurityManager:
    """Stand-in security manager that logs every call it receives.

    Each method appends ``(method_name, args)`` to ``self.calls``.  When
    ``reject`` is true, ``validate`` and ``validateValue`` raise
    ``Unauthorized`` and ``checkPermission`` answers false; ``addContext``
    and ``removeContext`` always answer 1.

    NOTE(review): nothing in the visible part of this module instantiates
    this class; the tests install users via newSecurityManager() instead.
    """

    def __init__(self, reject=0):
        self.reject = reject
        self.calls = []

    def _log(self, method_name, args):
        # Single place where the call history is extended.
        self.calls.append((method_name, args))

    def validate(self, *args):
        # The import stays ahead of the logging so a failed import leaves
        # the call history untouched.
        from AccessControl import Unauthorized
        self._log('validate', args)
        if not self.reject:
            return 1
        raise Unauthorized

    def validateValue(self, *args):
        from AccessControl import Unauthorized
        self._log('validateValue', args)
        if not self.reject:
            return 1
        raise Unauthorized

    def checkPermission(self, *args):
        self._log('checkPermission', args)
        return not self.reject

    def addContext(self, *args):
        self._log('addContext', args)
        return 1

    def removeContext(self, *args):
        self._log('removeContext', args)
        return 1
class UnderprivilegedUser:
    """User stub whose ``allowed()`` check fails for every object."""

    def getId(self):
        """Return the fixed id of this stub user."""
        user_id = 'underprivileged'
        return user_id

    def allowed(self, object, object_roles=None):
        """Answer 0 (not allowed), whatever object and roles are given."""
        # `object` shadows the builtin but is the caller-visible parameter
        # name, so it is kept as is.
        return 0
# NOTE(review): the class name looks like a typo for "PrivilegedUser"; it is
# kept unchanged because other modules may refer to it.  No test in the
# visible part of this module uses it, so the "allowed" path of binding
# validation appears to have no positive test here -- confirm.
class RivilegedUser:
    """User stub whose ``allowed()`` check succeeds for every object."""

    def getId(self):
        """Return the fixed id of this stub user."""
        user_id = 'privileged'
        return user_id

    def allowed(self, object, object_roles=None):
        """Answer 1 (allowed), whatever object and roles are given."""
        return 1
class FauxRoot(ObjectManager):
    """ObjectManager subclass used as the root of the test object tree."""

    def __repr__(self):
        # Fixed text: the root has no id to interpolate.
        return '<FauxRoot>'
class FauxFolder(Folder):
    """Folder subclass whose repr shows the folder's id."""

    def __repr__(self):
        folder_id = self.getId()
        return '<FauxFolder: %s>' % folder_id
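class TestBindings(unittest.TestCase):
    """Check that a script's automatic bindings are validated before use.

    Every test installs an ``UnderprivilegedUser`` (whose ``allowed()``
    always answers 0) and calls a PythonScript stored inside a folder
    whose ``__roles__`` is ``('Manager',)``.

    The test methods carry comments rather than docstrings so that the
    test runner's per-test output is not altered.
    """

    def setUp(self):
        from Testing.ZODButil import makeDB
        # NOTE(review): get_transaction is not imported in this module;
        # presumably ZODB installs it as a builtin -- confirm.
        get_transaction().begin()
        self.connection = makeDB().open()

    def tearDown(self):
        from Testing.ZODButil import cleanDB
        from AccessControl.SecurityManagement import noSecurityManager
        # Drop the security manager first, so the user installed by one
        # test is not left in place for the next one.
        noSecurityManager()
        # Each cleanup step runs even if the previous one raises, so a
        # failing abort() cannot leave the connection open or the test
        # database uncleaned.
        try:
            get_transaction().abort()
        finally:
            try:
                self.connection.close()
            finally:
                cleanDB()

    def _getRoot(self):
        """Return a fresh FauxRoot wrapped by makerequest().

        The root stored in ``self.connection`` is not used here.
        """
        from Testing.makerequest import makerequest
        return makerequest(FauxRoot())

    def _makeTree(self):
        """Build the object tree the tests run against and return its root.

        Layout::

            root
              guarded          __roles__ = ('Manager',)
                open           __roles__ = ('Anonymous',)
                container_ps   script body: 'return container'
                context_ps     script body: 'return context'
        """
        root = self._getRoot()

        guarded = FauxFolder()
        guarded._setId('guarded')
        guarded.__roles__ = ('Manager',)
        root._setOb('guarded', guarded)
        # Fetch the folder back from the root and use that object from
        # here on.
        guarded = root._getOb('guarded')

        # Named open_folder so the builtin open() is not shadowed.
        open_folder = FauxFolder()
        open_folder._setId('open')
        open_folder.__roles__ = ('Anonymous',)
        guarded._setOb('open', open_folder)

        container_ps = self._newPS('return container')
        guarded._setOb('container_ps', container_ps)

        context_ps = self._newPS('return context')
        guarded._setOb('context_ps', context_ps)

        return root

    def _newPS(self, txt, bind=None):
        """Return a PythonScript with id 'ps' whose body is ``txt``.

        ``bind`` is accepted but currently ignored: no ZBindings_edit()
        call is made here, so the script keeps its default bindings.
        """
        from Products.PythonScripts.PythonScript import PythonScript
        ps = PythonScript('ps')
        ps.write(txt)
        ps._makeFunction()
        return ps

    def test_fail_container(self):
        # Calling a script that returns its container, which is the
        # Manager-only 'guarded' folder, must raise Unauthorized.
        from AccessControl.SecurityManagement import newSecurityManager
        from AccessControl import Unauthorized
        newSecurityManager(None, UnderprivilegedUser())
        root = self._makeTree()
        guarded = root._getOb('guarded')
        container_ps = guarded._getOb('container_ps')
        self.assertRaises(Unauthorized, container_ps)

    def test_fail_context(self):
        from AccessControl.SecurityManagement import newSecurityManager
        from AccessControl import Unauthorized
        newSecurityManager(None, UnderprivilegedUser())
        root = self._makeTree()
        guarded = root._getOb('guarded')
        open_folder = guarded._getOb('open')
        # The script is reached through 'open', so 'open' is its context
        # while 'guarded' remains its container.
        context_ps = open_folder.unrestrictedTraverse('context_ps')
        #
        # Note that we are raising here even though our context ('open')
        # would be allowed, because the default bindings include our
        # container ('guarded') which isn't.
        #
        # NOTE(review): as written, the rejection asserted below comes
        # from the container binding, so validation of the context
        # binding is not exercised in isolation.  A case whose context is
        # the guarded object would cover that -- confirm whether one
        # exists elsewhere.
        #
        self.assertRaises(Unauthorized, context_ps)

    def test_ok_no_bindings(self):
        from AccessControl.SecurityManagement import newSecurityManager
        newSecurityManager(None, UnderprivilegedUser())
        root = self._makeTree()
        guarded = root._getOb('guarded')
        boundless_ps = self._newPS('return 42')
        guarded._setOb('boundless_ps', boundless_ps)
        boundless_ps = guarded._getOb('boundless_ps')
        #
        # Clear the bindings, so that the script may execute.
        #
        boundless_ps.ZBindings_edit({'name_context': '',
                                     'name_container': '',
                                     'name_m_self': '',
                                     'name_ns': '',
                                     'name_subpath': ''})
        self.assertEqual(boundless_ps(), 42)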
def test_suite():
    """Return a suite holding every test defined on TestBindings."""
    bindings_tests = unittest.makeSuite(TestBindings)
    return unittest.TestSuite((bindings_tests,))
# Run the tests of this module when it is executed directly as a script.
if __name__ == '__main__':
    unittest.main()