Make it possible to show a login form to user in case user can't find a...

Make it possible to show a login form to user in case user can't find a document by its reference in URL traversal. Introduce a new property of Web Section for that purpose. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21026 20353a03-c40f-0410-a6d1-a30d3c3de9de

Make it possible to show a login form to user in case user can't find a...
Make it possible to show a login form to user in case user can't find a document by its reference in URL traversal. Introduce a new property of Web Section for that purpose. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21026 20353a03-c40f-0410-a6d1-a30d3c3de9de
5f7ee128 · Ivan Tyagov · 4d5d236c · 5f7ee128 · 5f7ee128 · 5f7ee128
Commit 5f7ee128 authored May 20, 2008 by Ivan Tyagov
3 changed files
--- a/product/ERP5/Document/Document.py
+++ b/product/ERP5/Document/Document.py
@@ -308,6 +308,17 @@ class PermanentURLMixIn(ExtensibleTraversableMixIn):
                                            original_id=document.getId(),
                                            editable_absolute_url=document.absolute_url()))
      return document.__of__(self)
+    # no document found for current user, still such document may exists
+    # in some cases user (like Anonymous) can not view document according to portal catalog
+    # but we may ask him to login if such a document exists
+    # XXX: make sure document exists
+    if getattr(self,  'isAuthorizationForced',  None) is not None:
+      if self.isAuthorizationForced():
+        # force user to login as specified in Web Section
+        raise Unauthorized
+    else:
+      # force user to login unconditionally of context
+      raise Unauthorized
  security.declareProtected(Permissions.View, 'getDocumentValue')
  def getDocumentValue(self, name=None, portal=None, **kw):

--- a/product/ERP5/PropertySheet/WebSection.py
+++ b/product/ERP5/PropertySheet/WebSection.py
@@ -74,6 +74,11 @@ class WebSection:
            'acquisition_accessor_id'       : 'getLayoutConfigurationFormId',
            'acquisition_depends'           : None,
            'mode'        : '' },
+          {   'id'          : 'authorization_forced',
+            'description' : 'Force authorization for anonymous user if document can not be found.',
+            'type'        : 'boolean',
+            'default':  0, 
+            'mode'        : 'rw' },
    )
    _categories = ('aggregate', )

--- a/product/ERP5/tests/testERP5Web.py
+++ b/product/ERP5/tests/testERP5Web.py
@@ -30,6 +30,7 @@
 import os
 import unittest
+from AccessControl import Unauthorized
 from AccessControl.SecurityManagement import newSecurityManager
 from Testing import ZopeTestCase
 from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
@@ -314,6 +315,54 @@ class TestERP5Web(ERP5TypeTestCase, ZopeTestCase.Functional):
    self.assertEquals('0.2', default_document.getVersion())
    self.assertEquals('published', default_document.getValidationState())
+  def test_06_WebSectionAuthorizationForced(self, quiet=quiet, run=run_all_test):
+    """ Check that when a document is requested within a Web Section we have a chance to 
+        require user to login.
+        Whether or not an user will login is controlled by a property on Web Section (authorization_forced).
+    """
+    if not run:
+      return
+    if not quiet:
+      message = '\ntest_06_WebSectionAuthorizationForced'
+      ZopeTestCase._print(message)
+    request = self.app.REQUEST    
+    website = self.setupWebSite()
+    websection = self.setupWebSection()
+    webpage_list  = self.setupWebSitePages(prefix = 'test-web-page')
+    webpage = webpage_list[0]
+    document_reference = 'default-document-reference'
+    document = self.portal.web_page_module.newContent(
+                                      portal_type = 'Web Page', 
+                                      reference = document_reference)
+    website.setAuthorizationForced(0)  
+    websection.setAuthorizationForced(0)                                      
+    get_transaction().commit()
+    self.tic()
+    # make sure that _getExtensibleContent will return the same document
+    # there's not other way to test otherwise URL traversal
+    self.assertEqual(document.getUid(), 
+                           websection._getExtensibleContent(request,  document_reference).getUid())
+    # Anonymous User should have in the request header for not found when 
+    # viewing non available document in Web Section (with no authorization_forced)
+    self.logout()
+    self.assertEqual(None,  websection._getExtensibleContent(request,  document_reference))
+    self.assertEqual('404 Not Found',  request.RESPONSE.getHeader('status'))
+    # Anonymous user should be prompted to login when viewing non available document
+    # contained in a Web Page (like ..web_page_module/1/<document_reference>)
+    self.assertRaises(Unauthorized,  webpage._getExtensibleContent,  request,  document_reference)
+    # set authorization_forced flag
+    self.login()
+    websection.setAuthorizationForced(1)
+    # check Unauthorized exception is raised for anonymous
+    # this exception is usually caught and user is redirecetd to login form
+    self.logout()
+    self.assertRaises(Unauthorized,  websection._getExtensibleContent,  request,  document_reference)
 def test_suite():
  suite = unittest.TestSuite()
  suite.addTest(unittest.makeSuite(TestERP5Web))