From 0036c4ba850d79d5b9d3007e1a5ac94d00cfc0b0 Mon Sep 17 00:00:00 2001 From: Arnaud Fontaine <arnaud.fontaine@nexedi.com> Date: Thu, 15 Aug 2013 20:47:00 +0900 Subject: [PATCH] ZODB Components: Only Manager or Developer Role should be able to access Component Tools and Components. --- product/ERP5Type/Tool/ComponentTool.py | 10 +++++----- product/ERP5Type/tests/testDynamicClassGeneration.py | 6 ++++++ 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/product/ERP5Type/Tool/ComponentTool.py b/product/ERP5Type/Tool/ComponentTool.py index f6faa74dbf..c42d7f0a35 100644 --- a/product/ERP5Type/Tool/ComponentTool.py +++ b/product/ERP5Type/Tool/ComponentTool.py @@ -82,12 +82,12 @@ class ComponentTool(BaseTool): permission_function = lambda self: ('Manager',) elif permission_name in ('Change permissions', 'Define permissions'): permission_function = lambda self: () - elif not (permission_name.startswith('Access ') or - permission_name.startswith('View') or - permission_name.startswith('WebDAV')): - permission_function = lambda self: ('Developer',) + elif (permission_name.startswith('Access ') or + permission_name.startswith('View') or + permission_name == 'WebDAV access'): + permission_function = lambda self: ('Developer', 'Manager') else: - continue + permission_function = lambda self: ('Developer',) setattr(cls, pname(permission_name), property(permission_function)) diff --git a/product/ERP5Type/tests/testDynamicClassGeneration.py b/product/ERP5Type/tests/testDynamicClassGeneration.py index 3d5c825d66..555fddf5cd 100644 --- a/product/ERP5Type/tests/testDynamicClassGeneration.py +++ b/product/ERP5Type/tests/testDynamicClassGeneration.py @@ -1802,6 +1802,12 @@ def bar(*args, **kwargs): self.tic() + # Anonymous should not even be able to view/access Component Tool + self.failIfUserCanViewDocument(None, self._component_tool) + self.failIfUserCanAccessDocument(None, self._component_tool) + self.failIfUserCanViewDocument(None, component) + self.failIfUserCanAccessDocument(None, component) + user_id = 'ERP5TypeTestCase' self.assertUserCanChangeLocalRoles(user_id, self._component_tool) -- 2.30.9