[Zope-CMF] security questions writing unit tests
Stefan H. Holek
stefan@epy.co.at
Wed, 30 Oct 2002 21:56:01 +0100
You have to use restrictedTraverse() and/or
getSecurityManager().validateValue() to trigger security validation.
Note further that the "Delete objects" permission affects the *container*.
Stefan
--On Wednesday, 30 October 2002 08:33 +0100 robert <robert@redcor.ch> wrote:
> Hello,
>
> I am writing unit tests for a Plone-based intranet.
>
> My question: why can user kurt delete the folder "xyz" which was created
> by hans and set to state private?
>
> def testAddDocument(self):
>     """ test AddDocument """
>     userfolder = self.portal.acl_users
>     userfolder.userFolderAddUser('hans', 'hans', [], [])
>     hans = userfolder.getUser('hans').__of__(userfolder)
>     userfolder._changeUser('hans', 'secret', 'secret', ['Manager'], ())
>     userfolder.userFolderAddUser('kurt', 'kurt', [], [])
>     kurt = userfolder.getUser('kurt').__of__(userfolder)
>     newSecurityManager(None, hans)
>     self.portal.invokeFactory('Folder', 'xyz')
>     self.portal.portal_workflow.doActionFor(self.portal.xyz, "hide",
>                                             comment='')
>     noSecurityManager()
>     newSecurityManager(None, kurt)
>
>     self.portal.manage_delObjects(ids='xyz')
>
> why does that last line not generate an error???
>
> thanks for your tips
>
> Robert
--
Those who write software only for pay should go hurt some other field.
/Erik Naggum/
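
Added example (not from the original thread and not Zope's own code): a plain-Python toy model of the point in Stefan's reply. A direct call to manage_delObjects() runs with no check, while the restrictedTraverse() path validates the current user against "Delete objects" on the container, whatever state xyz itself is in. All classes and helpers here are assumed stand-ins that only mirror Zope's names.

```python
# Toy model of the two call paths; NOT Zope code. Names mirror Zope's for readability.
class Unauthorized(Exception):
    pass

class User:
    def __init__(self, name, roles=()):
        self.name, self.roles = name, set(roles)

class SecurityManager:
    current = None  # user installed by new_security_manager()

def new_security_manager(user):
    SecurityManager.current = user

class Folder:
    # Which permission guards which method (declared per class in this model).
    method_permissions = {"manage_delObjects": "Delete objects"}

    def __init__(self, id):
        self.id = id
        self.items = {}
        # permission -> roles holding it ON THIS OBJECT
        self.permission_roles = {"Delete objects": {"Manager"}}

    def add(self, child):
        self.items[child.id] = child
        return child

    def manage_delObjects(self, ids):
        # Plain Python call: nothing here consults the security manager.
        for name in ([ids] if isinstance(ids, str) else list(ids)):
            del self.items[name]

    def restrictedTraverse(self, name):
        # Checked path: validate the current user against the permission that
        # guards `name` on this object (the container) before handing it out.
        permission = self.method_permissions.get(name)
        allowed = self.permission_roles.get(permission, set())
        user = SecurityManager.current
        if permission and (user is None or not (user.roles & allowed)):
            raise Unauthorized("%r needs %r on %r" % (
                getattr(user, "name", None), permission, self.id))
        return getattr(self, name)

def try_delete(container, user, ids, checked):
    """Return True if `user` managed to delete `ids` from `container`."""
    new_security_manager(user)
    try:
        method = (container.restrictedTraverse("manage_delObjects")
                  if checked else container.manage_delObjects)
        method(ids)
        return True
    except Unauthorized:
        return False
```
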