[Zope3-dev] test for security in unit tests?

Ignas Mikalajunas ignas.mikalajunas at gmail.com
Fri Sep 29 12:12:41 EDT 2006


> Roy Mathew wrote:
> > I find that testing for security is hard, since the default user in
> > the doctests seems to have "unrestricted" access to all methods and
> > attributes. Is there a "unit-test friendly" way of faking a user
> > with a more restricted role, so that I can reproduce security errors
> > in unit tests?
>
> Are you actually talking about functional tests, instead of unit tests?
> If so, you are probably sending the "mgr:mgrpw" credentials at the
> beginning of the test, you'll need to set up another non-admin user
> (probably in, or included by, ftesting.zcml or the ZCML you use for your
> test layer).  Once you have that user, you can use those credentials
> instead.
>
> If you're really talking about unit tests, then "security" doesn't
> really apply: your domain objects don't generally "know" anything about
> their security, it's all mediated by Zope.

There are methods like canAccess that can sometimes be unit
tested. I think you can use defineChecker in such cases:

    >>> from zope.security.checker import defineChecker, Checker
    >>> defineChecker(Calendar,
    ...               Checker({'addEvent': 'zope.Public'},
    ...                       {'addEvent': 'zope.Public'}))

makes addEvent look like it is protected by zope.Public for the canAccess
function. Hope that helps.

Ignas

