Commit e8eae8a8 authored by Jérome Perrin's avatar Jérome Perrin

in getViewPermissionOwner, check that the owner can view the document, not that

the Owner role has the view permission.



git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@15739 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent bdf92857
...@@ -73,6 +73,8 @@ class TestBase(ERP5TypeTestCase): ...@@ -73,6 +73,8 @@ class TestBase(ERP5TypeTestCase):
not_related_to_temp_object_property_id = "string_index" not_related_to_temp_object_property_id = "string_index"
not_related_to_temp_object_property_value = "a_great_index" not_related_to_temp_object_property_value = "a_great_index"
username = 'rc'
def getTitle(self): def getTitle(self):
return "Base" return "Base"
...@@ -83,8 +85,8 @@ class TestBase(ERP5TypeTestCase): ...@@ -83,8 +85,8 @@ class TestBase(ERP5TypeTestCase):
def login(self): def login(self):
uf = self.getPortal().acl_users uf = self.getPortal().acl_users
uf._doAddUser('rc', '', ['Manager'], []) uf._doAddUser(self.username, '', ['Manager'], [])
user = uf.getUserById('rc').__of__(uf) user = uf.getUserById(self.username).__of__(uf)
newSecurityManager(None, user) newSecurityManager(None, user)
def afterSetUp(self): def afterSetUp(self):
...@@ -961,6 +963,26 @@ class TestBase(ERP5TypeTestCase): ...@@ -961,6 +963,26 @@ class TestBase(ERP5TypeTestCase):
props['chain_%s' % id] = ','.join(wf_ids) props['chain_%s' % id] = ','.join(wf_ids)
pw.manage_changeWorkflows('', props = props) pw.manage_changeWorkflows('', props = props)
def test_getViewPermissionOwnerDefault(self):
"""Test getViewPermissionOwner method behaviour"""
portal = self.getPortal()
obj = portal.organisation_module.newContent(portal_type='Organisation')
self.assertEquals(self.username, obj.getViewPermissionOwner())
def test_getViewPermissionOwnerNoOwnerLocalRole(self):
# the actual owner doesn't have Owner local role
portal = self.getPortal()
obj = portal.organisation_module.newContent(portal_type='Organisation')
obj.manage_delLocalRoles(self.username)
self.assertEquals(self.username, obj.getViewPermissionOwner())
def test_getViewPermissionOwnerNoViewPermission(self):
# the owner cannot view the object
portal = self.getPortal()
obj = portal.organisation_module.newContent(portal_type='Organisation')
obj.manage_permission('View', [], 0)
self.assertEquals(None, obj.getViewPermissionOwner())
class TestERP5PropertyManager(unittest.TestCase): class TestERP5PropertyManager(unittest.TestCase):
"""Tests for ERP5PropertyManager. """Tests for ERP5PropertyManager.
......
...@@ -68,6 +68,7 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor): ...@@ -68,6 +68,7 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
# Different variables used for this test # Different variables used for this test
run_all_test = 1 run_all_test = 1
quiet = 0 quiet = 0
username = 'seb'
def afterSetUp(self): def afterSetUp(self):
self.login() self.login()
...@@ -85,8 +86,8 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor): ...@@ -85,8 +86,8 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
def login(self): def login(self):
uf = self.getPortal().acl_users uf = self.getPortal().acl_users
uf._doAddUser('seb', '', ['Manager'], []) uf._doAddUser(self.username, '', ['Manager'], [])
user = uf.getUserById('seb').__of__(uf) user = uf.getUserById(self.username).__of__(uf)
newSecurityManager(None, user) newSecurityManager(None, user)
def getSQLPathList(self,connection_id=None): def getSQLPathList(self,connection_id=None):
...@@ -1802,6 +1803,23 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor): ...@@ -1802,6 +1803,23 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
sql_src = self.getCatalogTool()(src__=1,**catalog_kw) sql_src = self.getCatalogTool()(src__=1,**catalog_kw)
self.failUnless('TRUNCATE(catalog.uid,2) = 2567.54' in sql_src) self.failUnless('TRUNCATE(catalog.uid,2) = 2567.54' in sql_src)
def test_SearchOnOwner(self):
# owner= can be used a search key in the catalog to have all documents for
# a specific owner and on which he have the View permission.
obj = self._makeOrganisation(title='The Document')
obj2 = self._makeOrganisation(title='The Document')
obj2.manage_permission('View', [], 0)
obj2.reindexObject()
get_transaction().commit()
self.tic()
ctool = self.getCatalogTool()
self.assertEquals([obj], [x.getObject() for x in
ctool(title='The Document',
owner=self.username)])
self.assertEquals([], [x.getObject() for x in
ctool(title='The Document',
owner='somebody else')])
if __name__ == '__main__': if __name__ == '__main__':
framework() framework()
else: else:
......
...@@ -1432,13 +1432,12 @@ class Base( CopyContainer, ...@@ -1432,13 +1432,12 @@ class Base( CopyContainer,
security.declareProtected( Permissions.AccessContentsInformation, 'getViewPermissionOwner' ) security.declareProtected( Permissions.AccessContentsInformation, 'getViewPermissionOwner' )
def getViewPermissionOwner(self): def getViewPermissionOwner(self):
""" """
Returns the user ID of the owner if Owner role Returns the user ID of the owner if this user has View permission,
has View permission. Returns None else. otherwise returns None.
""" """
path, user_id = self.getOwnerTuple() owner = self.getWrappedOwner()
if 'Owner' in rolesForPermissionOn(Permissions.View, self): if owner is not None and owner.has_permission(Permissions.View, self):
path, user_id = self.getOwnerTuple() return str(owner)
return user_id
return None return None
# Private accessors for the implementation of relations based on # Private accessors for the implementation of relations based on
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment