[Zope-Checkins] CVS: Zope/lib/python/OFS/tests - testTraverse.py:1.5

Shane Hathaway shane@zope.com
Tue, 14 Jan 2003 10:03:10 -0500


Update of /cvs-repository/Zope/lib/python/OFS/tests
In directory cvs.zope.org:/tmp/cvs-serv18630/OFS/tests

Modified Files:
	testTraverse.py 
Log Message:
Denial of access to acquired attributes through guarded_getattr() should
result in an Unauthorized error rather than AttributeError.  Added a test
to ensure the bug stays fixed.


=== Zope/lib/python/OFS/tests/testTraverse.py 1.4 => 1.5 ===
--- Zope/lib/python/OFS/tests/testTraverse.py:1.4	Thu Sep 12 17:20:52 2002
+++ Zope/lib/python/OFS/tests/testTraverse.py	Tue Jan 14 10:03:08 2003
@@ -16,18 +16,20 @@
 import string, cStringIO, re
 
 import ZODB, Acquisition
+from Acquisition import aq_base
 from OFS.Application import Application
 from OFS.Folder import manage_addFolder
 from OFS.Image import manage_addFile
 from OFS.SimpleItem import SimpleItem
 from Testing.makerequest import makerequest
-from AccessControl import SecurityManager
+from AccessControl import SecurityManager, Unauthorized
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl.SecurityManagement import noSecurityManager
 
 from mimetools import Message
 from multifile import MultiFile
 
+
 class UnitTestSecurityPolicy:
     """
         Stub out the existing security policy for unit testing purposes.
@@ -49,6 +51,22 @@
     def checkPermission( self, permission, object, context) :
         return 1
 
+
+class CruelSecurityPolicy:
+    """Denies everything
+    """
+    #
+    #   Standard SecurityPolicy interface
+    #
+    def validate(self, accessed, container, name, value, *args):
+        if aq_base(accessed) is aq_base(container):
+            raise Unauthorized, name
+        return 0
+
+    def checkPermission( self, permission, object, context) :
+        return 0
+
+
 class UnitTestUser( Acquisition.Implicit ):
     """
         Stubbed out manager for unit testing purposes.
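Review bot: The docstring on `CruelSecurityPolicy` says only "Denies everything", but `validate()` denies in two different ways: it raises `Unauthorized` when `aq_base(accessed) is aq_base(container)` and otherwise returns 0, leaving the caller to turn the false result into an exception. The return-0 path appears to be the one the new acquired-attribute test depends on, so the docstring should say so, for example `"""Denies everything: raises Unauthorized for direct access, returns 0 (silent denial) when the value is acquired."""`. A short comment on `return 0` such as `# acquired access: deny without raising, so the caller must raise Unauthorized` would keep a later cleanup from collapsing the two branches and weakening the regression test.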
@@ -79,6 +97,7 @@
     s = DemoStorage(quota=(1<<20))
     return ZODB.DB( s ).open()
 
+
 class TestTraverse( unittest.TestCase ):
 
     def setUp( self ):
@@ -162,6 +181,18 @@
         self.failUnlessRaises(KeyError, bb.restrictedTraverse, 'notfound')
         bb.restrictedTraverse('bb_subitem')
 
+    def testAcquiredAttributeDenial(self):
+        # Verify that restrictedTraverse raises the right kind of exception
+        # on denial of access to an acquired attribute.  If it raises
+        # AttributeError instead of Unauthorized, the user may never
+        # be prompted for HTTP credentials.
+        noSecurityManager()
+        SecurityManager.setSecurityPolicy(CruelSecurityPolicy())
+        newSecurityManager( None, UnitTestUser().__of__( self.root ) )
+        self.root.stuff = 'stuff here'
+        self.failUnlessRaises(Unauthorized,
+                              self.root.folder1.restrictedTraverse, 'stuff')
+
 
 def test_suite():
     suite = unittest.TestSuite()
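Review bot: `testAcquiredAttributeDenial` replaces the process-wide security policy with the deny-all `CruelSecurityPolicy` and never restores it inside the test, so isolation depends entirely on `tearDown`, which lies outside this hunk. If `tearDown` already reinstates the policy saved in `setUp`, nothing needs to change. Otherwise, keep the value returned by the call, `old = SecurityManager.setSecurityPolicy(CruelSecurityPolicy())`, and wrap the assertion in `try: ... finally: SecurityManager.setSecurityPolicy(old)`. That way a failure here cannot leave later tests running under the wrong policy and hide or invent authorization results. The assignment `self.root.stuff = 'stuff here'` likewise relies on the fixture being discarded after each test.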
@@ -169,7 +200,7 @@
     return suite
 
 def main():
-    unittest.TextTestRunner().run(test_suite())
+    unittest.main(defaultTest='test_suite')
 
 if __name__ == '__main__':
     main()