[Zope3-dev] Security Testing
Chris Withers
chrisw@nipltd.com
Tue, 03 Jun 2003 13:09:13 +0100
This sounds great :-)
thanks,
Chris
Steve Alexander wrote:
> Chris Withers wrote:
>
>> Hi,
>>
>> Just developing a Zope 2 product and wishing there was some easy way I
>> could write tests that the security declarations I'm providing are
>> having the effects that I'm expecting.
>>
>> As anyone who's ever written for Zope 2 will know, that ain't easy! ;-)
>>
>> How would I go about writing a test like this under Zope 3?
>
>
> This is easiest to write as a functional test.
>
> Functional tests read in the zcml files and act on them before running
> the tests, so the security directives you have written will be acted on
> in a functional test.
>
> In your test, create an instance of your class, wrap it in a security
> proxy, and then try to get its attributes. This is easy to do in the
> style of a doctest:
>
> """Check that my security declarations work.
>
> >>> from zope.security.checker import ProxyFactory
> >>> obj = MyClass()
> >>> proxy = ProxyFactory(obj)
>
> >>> proxy.foo()
> Foo!
> >>> proxy.bar()
> Traceback (most recent call last):
> ...
> ForbiddenAttribute: bar
> """
>
> You may want to functionally check how permissions interact with this.
> The easiest way to do this is to install a new SecurityPolicy that you
> can configure. See the test in src/zope/security/tests/test_checker.py
> for an example.
>
> It might be sufficient for your purposes to inspect the checker
> associated with your objects.
>
>
> """Check that my security declarations work.
>
> >>> from zope.security.checker import ProxyFactory, getChecker
> >>> obj = MyClass()
> >>> proxy = ProxyFactory(obj)
>
> >>> c = getChecker(proxy)
> >>> c.check_getattr(obj, 'a')
>
> >>> c.check_getattr(obj, 'b')
> Traceback (most recent call last):
> ...
> ForbiddenAttribute: b
> >>> c.check_setattr(obj, 'c')
> Traceback (most recent call last):
> ...
> ForbiddenAttribute: c
> """
>
> --
> Steve Alexander
>
>