comparison test/test_cgi.py @ 4310:8e0d350ce644
Proper handling of 'Create' permissions in both mail gateway...
...(earlier commit 2009-12-07 00:13:27!richard@users.sourceforge.net
by Richard) and web interface; previously this checked the 'Edit'
permission instead. See
http://thread.gmane.org/gmane.comp.bug-tracking.roundup.devel/5133
Add regression tests for proper handling of 'Create' and 'Edit'
permissions.
| author | Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net> |
|---|---|
| date | Mon, 21 Dec 2009 12:00:57 +0000 |
| parents | 966592263fb8 |
| children | 261c9f913ff7 |
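--- a/test/test_cgi.py
+++ b/test/test_cgi.py
@@ -618,14 +618,17 @@
 # XXX test all default permissions
 def _make_client(self, form, classname='user', nodeid='1', userid='2'):
 cl = client.Client(self.instance, None, {'PATH_INFO':'/',
 'REQUEST_METHOD':'POST'}, makeForm(form))
 cl.classname = 'user'
-cl.nodeid = nodeid
+if nodeid is not None:
+cl.nodeid = nodeid
 cl.db = self.db
 cl.userid = userid
 cl.language = ('en',)
+cl.error_message = []
+cl.template = 'item'
 return cl
 
 def testClassPermission(self):
 cl = self._make_client(dict(username='bob'))
 self.failUnlessRaises(exceptions.Unauthorised,
@@ -634,20 +637,93 @@
 self.assertRaises(exceptions.Unauthorised,
 actions.EditItemAction(cl).handle)
 
 def testCheckAndPropertyPermission(self):
 self.db.security.permissions = {}
-def own_record(db, userid, itemid): return userid == itemid
+def own_record(db, userid, itemid):
+return userid == itemid
 p = self.db.security.addPermission(name='Edit', klass='user',
 check=own_record, properties=("password", ))
 self.db.security.addPermissionToRole('User', p)
 
 cl = self._make_client(dict(username='bob'))
 self.assertRaises(exceptions.Unauthorised,
 actions.EditItemAction(cl).handle)
+cl = self._make_client(dict(roles='User,Admin'), userid='4', nodeid='4')
+self.assertRaises(exceptions.Unauthorised,
+actions.EditItemAction(cl).handle)
+cl = self._make_client(dict(roles='User,Admin'), userid='4')
+self.assertRaises(exceptions.Unauthorised,
+actions.EditItemAction(cl).handle)
+cl = self._make_client(dict(roles='User,Admin'))
+self.assertRaises(exceptions.Unauthorised,
+actions.EditItemAction(cl).handle)
+# working example, mary may change her pw
+cl = self._make_client({'password':'ob', '@confirm@password':'ob'},
+nodeid='4', userid='4')
+self.assertRaises(exceptions.Redirect,
+actions.EditItemAction(cl).handle)
 cl = self._make_client({'password':'bob', '@confirm@password':'bob'})
 self.failUnlessRaises(exceptions.Unauthorised,
+actions.EditItemAction(cl).handle)
+
+def testCreatePermission(self):
+# this checks if we properly differentiate between create and
+# edit permissions
+self.db.security.permissions = {}
+self.db.security.addRole(name='UserAdd')
+# Don't allow roles
+p = self.db.security.addPermission(name='Create', klass='user',
+properties=("username", "password", "address",
+"alternate_address", "realname", "phone", "organisation",
+"timezone"))
+self.db.security.addPermissionToRole('UserAdd', p)
+# Don't allow roles *and* don't allow username
+p = self.db.security.addPermission(name='Edit', klass='user',
+properties=("password", "address", "alternate_address",
+"realname", "phone", "organisation", "timezone"))
+self.db.security.addPermissionToRole('UserAdd', p)
+self.db.user.set('4', roles='UserAdd')
+
+# anonymous may not
+cl = self._make_client({'username':'new_user', 'password':'secret',
+'@confirm@password':'secret', 'address':'new_user@bork.bork',
+'roles':'Admin'}, nodeid=None, userid='2')
+self.assertRaises(exceptions.Unauthorised,
+actions.NewItemAction(cl).handle)
+# Don't allow creating new user with roles
+cl = self._make_client({'username':'new_user', 'password':'secret',
+'@confirm@password':'secret', 'address':'new_user@bork.bork',
+'roles':'Admin'}, nodeid=None, userid='4')
+self.assertRaises(exceptions.Unauthorised,
+actions.NewItemAction(cl).handle)
+self.assertEqual(cl.error_message,[])
+# this should work
+cl = self._make_client({'username':'new_user', 'password':'secret',
+'@confirm@password':'secret', 'address':'new_user@bork.bork'},
+nodeid=None, userid='4')
+self.assertRaises(exceptions.Redirect,
+actions.NewItemAction(cl).handle)
+self.assertEqual(cl.error_message,[])
+# don't allow changing (my own) username (in this example)
+cl = self._make_client(dict(username='new_user42'), userid='4')
+self.assertRaises(exceptions.Unauthorised,
+actions.EditItemAction(cl).handle)
+cl = self._make_client(dict(username='new_user42'), userid='4',
+nodeid='4')
+self.assertRaises(exceptions.Unauthorised,
+actions.EditItemAction(cl).handle)
+# don't allow changing (my own) roles
+cl = self._make_client(dict(roles='User,Admin'), userid='4',
+nodeid='4')
+self.assertRaises(exceptions.Unauthorised,
+actions.EditItemAction(cl).handle)
+cl = self._make_client(dict(roles='User,Admin'), userid='4')
+self.assertRaises(exceptions.Unauthorised,
+actions.EditItemAction(cl).handle)
+cl = self._make_client(dict(roles='User,Admin'))
+self.assertRaises(exceptions.Unauthorised,
 actions.EditItemAction(cl).handle)
 
 def testRoles(self):
 cl = self._make_client({})
 self.db.user.set('1', roles='aDmin, uSer')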
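Review bot: `_make_client` still hard-codes `cl.classname = 'user'` and never reads its `classname` parameter, so every client built through this helper — including the ones in the new testCreatePermission — targets the user class whatever a caller passes; the fix is `cl.classname = classname`. The new `if nodeid is not None:` branch leaves `cl.nodeid` unassigned rather than setting it to None, so the NewItemAction cases presumably rely on whatever default the Client class provides for that attribute — worth a one-line comment there, e.g. `# nodeid=None: leave the Client default so NewItemAction has no item to edit`. The create-with-`roles='Admin'` case is the right negative test to pin, since granting 'Create' without 'Edit' on roles is what closes the self-privilege path; a short docstring on testCreatePermission saying that 'Create' must not imply 'Edit' and that 'roles' is deliberately absent from both property tuples would keep that intent from being lost in a later cleanup of the permission lists.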
