diff test/test_xmlrpc.py @ 3937:3c3077582c16
Add security checks and tests for xmlrpc interface.
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Sat, 03 Nov 2007 00:50:38 +0000 |
| parents | cf6c45201980 |
| children | 85cbaa50eba1 |
--- a/test/test_xmlrpc.py Fri Nov 02 23:17:59 2007 +0000
+++ b/test/test_xmlrpc.py Sat Nov 03 00:50:38 2007 +0000
@@ -14,75 +14,85 @@ NEEDS_INSTANCE = 1 -class TestCaseBase(unittest.TestCase): - +class TestCase(unittest.TestCase): def setUp(self): - self.dirname = '_test_xmlrpc' # set up and open a tracker self.instance = db_test_base.setupTracker(self.dirname) # open the database self.db = self.instance.open('admin') - self.db.user.create(username='joe', password=password.Password('random'), - address='random@home.org', - realname='Joe Random', roles='User') + self.joeid = 'user' + self.db.user.create(username='joe', + password=password.Password('random'), address='random@home.org', + realname='Joe Random', roles='User') self.db.commit() self.db.close() - + self.server = RoundupServer(self.dirname) - def tearDown(self): - try: shutil.rmtree(self.dirname) except OSError, error: if error.errno not in (errno.ENOENT, errno.ESRCH): raise -class AccessTestCase(TestCaseBase): - - def test(self): - + def testAccess(self): # Retrieve all three users. results = self.server.list('joe', 'random', 'user', 'id') self.assertEqual(len(results), 3) + # Obtain data for 'joe'. - userid = 'user' + results[-1] - results = self.server.display('joe', 'random', userid) + results = self.server.display('joe', 'random', self.joeid) self.assertEqual(results['username'], 'joe') self.assertEqual(results['realname'], 'Joe Random') + + def testChange(self): # Reset joe's 'realname'. 
- results = self.server.set('joe', 'random', userid, 'realname=Joe Doe') - results = self.server.display('joe', 'random', userid, 'realname') + results = self.server.set('joe', 'random', self.joeid, + 'realname=Joe Doe') + results = self.server.display('joe', 'random', self.joeid, + 'realname') self.assertEqual(results['realname'], 'Joe Doe') - # Create test + + def testCreate(self): results = self.server.create('joe', 'random', 'issue', 'title=foo') issueid = 'issue' + results results = self.server.display('joe', 'random', issueid, 'title') self.assertEqual(results['title'], 'foo') -class AuthenticationTestCase(TestCaseBase): - - def test(self): - + def testAuthUnknown(self): # Unknown user (caught in XMLRPC frontend). self.assertRaises(Unauthorised, self.server.list, - 'nobody', 'nobody', 'user', 'id') + 'nobody', 'nobody', 'user', 'id') + + def testAuthDeniedEdit(self): # Wrong permissions (caught by roundup security module). - results = self.server.list('joe', 'random', 'user', 'id') - userid = 'user' + results[0] # admin self.assertRaises(Unauthorised, self.server.set, - 'joe', 'random', userid, 'realname=someone') + 'joe', 'random', 'user1', 'realname=someone') + + def testAuthDeniedCreate(self): + self.assertRaises(Unauthorised, self.server.create, + 'joe', 'random', 'user', {'username': 'blah'}) + def testAuthAllowedEdit(self): + try: + self.server.set('admin', 'sekrit', 'user2', 'realname=someone') + except Unauthorised, err: + self.fail('raised %s'%err) + + def testAuthAllowedCreate(self): + try: + self.server.create('admin', 'sekrit', 'user', 'username=blah') + except Unauthorised, err: + self.fail('raised %s'%err) def test_suite(): suite = unittest.TestSuite() - suite.addTest(unittest.makeSuite(AccessTestCase)) - suite.addTest(unittest.makeSuite(AuthenticationTestCase)) + suite.addTest(unittest.makeSuite(TestCase)) return suite if __name__ == '__main__': runner = unittest.TextTestRunner() unittest.main(testRunner=runner) +
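Review bot: The authentication tests never try a valid username with a wrong password: `testAuthUnknown` only covers a user that does not exist ('nobody'), so a frontend that looked up the username but skipped the password comparison would still pass this suite. A `testAuthBadPassword` method with `self.assertRaises(Unauthorised, self.server.list, 'joe', 'not-the-password', 'user', 'id')` (the password is a made-up sample) would close that gap. Separately, `testAuthDeniedCreate` passes a dict `{'username': 'blah'}` while every other call in the hunk, including `testAuthAllowedCreate`, passes a `'key=value'` string; using `'username=blah'` there would make the denied and allowed cases differ only in credentials. The two `testAuthAllowed*` methods only check that `Unauthorised` is not raised, so a follow-up `display` assertion on the changed value would confirm that the write actually happened.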
