[Zope-Checkins] CVS: Zope/lib/python/AccessControl/tests - testBindings.py:1.1.2.4

Tres Seaver tseaver at zope.com
Mon Jan 26 15:28:13 EST 2004


Update of /cvs-repository/Zope/lib/python/AccessControl/tests
In directory cvs.zope.org:/tmp/cvs-serv20721/lib/python/AccessControl/tests

Modified Files:
      Tag: Zope-2_6-branch
	testBindings.py 
Log Message:



  - Shared/DC/Scripts/Bindings.py:

    o Make the UnauthorizedBinding object a "spacesuit", which delegates
      protected access to its wrapped object's attributes.  Note that this
      protection may be redundant, in the (normal) case where the
      context or container are accessed from restricted code;  however,
      we need to ensure that trusted code will still lose if it gets
      a space-suited value returned (from untrusted code).

  - AccessControl/test/testBindings.py:

    o Add a test which demonstrates that restricted code can access
      protected attributes, even without any access to the context object
      itself.

    o Expand tests of "raw" container / context access, to show that
      'return context' (for instance) or 'return str(context)' cannot
      be used inappropriately.


=== Zope/lib/python/AccessControl/tests/testBindings.py 1.1.2.3 => 1.1.2.4 ===
--- Zope/lib/python/AccessControl/tests/testBindings.py:1.1.2.3	Wed Jan 21 12:08:29 2004
+++ Zope/lib/python/AccessControl/tests/testBindings.py	Mon Jan 26 15:27:41 2004
@@ -19,6 +19,8 @@
 import unittest
 import ZODB
 from Acquisition import Implicit
+from AccessControl import ClassSecurityInfo
+from Globals import InitializeClass
 from OFS.ObjectManager import ObjectManager
 from OFS.Folder import Folder
 
@@ -73,9 +75,19 @@
         return '<FauxRoot>'
 
 class FauxFolder(Folder):
+
+    security = ClassSecurityInfo()
+    securlity.declareObjectPrivate()
+
     def __repr__(self):
         return '<FauxFolder: %s>' % self.getId()
 
+    security.declarePublic('methodWithRoles')
+    def methodWithRoles(self):
+        return 'method called'
+
+InitializeClass(FauxFolder)
+
 class TestBindings(unittest.TestCase):
 
     def setUp(self):
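Review bot: `securlity.declareObjectPrivate()` in the FauxFolder class body references an undefined name and should read `security.declareObjectPrivate()`, matching the `security = ClassSecurityInfo()` on the line above. The class body executes when the module is imported, so the resulting NameError keeps the whole test module from loading and none of the assertions added by this commit (including test_bound_used_context_method_w_roles) ever run. That object-private declaration is also what gives the denied-access tests their meaning, so the typo masks exactly the check the commit sets out to add. TestBindings.setUp continues past the end of the hunk.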
@@ -128,12 +140,23 @@
         bound_used_context_ps = self._newPS('return context.id')
         guarded._setOb('bound_used_context_ps', bound_used_context_ps)
 
+        bound_used_context_methodWithRoles_ps = self._newPS(
+                                           'return context.methodWithRoles()')
+        guarded._setOb('bound_used_context_methodWithRoles_ps',
+                        bound_used_context_methodWithRoles_ps)
+
         container_ps = self._newPS('return container')
         guarded._setOb('container_ps', container_ps)
 
+        container_str_ps = self._newPS('return str(container)')
+        guarded._setOb('container_str_ps', container_str_ps)
+
         context_ps = self._newPS('return context')
         guarded._setOb('context_ps', context_ps)
 
+        context_str_ps = self._newPS('return str(context)')
+        guarded._setOb('context_str_ps', context_str_ps)
+
         return root
 
     def _newPS(self, txt, bind=None):
@@ -165,6 +188,10 @@
         guarded = root._getOb('guarded')
         ps = guarded._getOb('bound_used_container_ps')
         self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('container_str_ps')
+        self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('container_ps')
+        self.assertRaises(Unauthorized, ps)
 
     def test_bound_used_container_allowed(self):
         from AccessControl.SecurityManagement import newSecurityManager
@@ -191,6 +218,10 @@
         guarded = root._getOb('guarded')
         ps = guarded._getOb('bound_used_context_ps')
         self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('context_str_ps')
+        self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('context_ps')
+        self.assertRaises(Unauthorized, ps)
 
     def test_bound_used_context_allowed(self):
         from AccessControl.SecurityManagement import newSecurityManager
@@ -218,6 +249,20 @@
                                       'name_ns': '',
                                       'name_subpath': ''})
         self.assertEqual(boundless_ps(), 42)
+
+    def test_bound_used_context_method_w_roles(self):
+        from AccessControl.SecurityManagement import newSecurityManager
+        from AccessControl import Unauthorized
+        newSecurityManager(None, UnderprivilegedUser())
+        root = self._makeTree()
+        guarded = root._getOb('guarded')
+
+        # Assert that we can call a protected method, even though we have
+        # no access to the context directly.
+        ps = guarded._getOb('bound_used_context_ps')
+        self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('bound_used_context_methodWithRoles_ps')
+        self.assertEqual(ps(), 'method called')
 
 
 def test_suite():
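Review bot: The comment above the assertions calls methodWithRoles a "protected method", but the FauxFolder hunk declares it `security.declarePublic('methodWithRoles')` on a class that is meant to be object-private, and the test's point is that public-method access survives while `return context` is refused; the comment should say so explicitly, e.g. `# FauxFolder is object-private, so 'return context' is refused, but methodWithRoles is declarePublic: calling it through the context binding must still succeed.` Stating the intended policy in the comment makes it harder for a later change to the declarations to flip the test's meaning unnoticed. The test also installs an UnderprivilegedUser with newSecurityManager and never clears it; if TestBindings has no tearDown calling noSecurityManager (not visible here), that manager leaks into later tests in the same process.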



