From ef71fd735c2c39fb5848139333536833ec2f9cb1 Mon Sep 17 00:00:00 2001
From: Vincent Pelletier <vincent@nexedi.com>
Date: Tue, 13 May 2008 01:37:09 +0000
Subject: [PATCH] Add a test for edit method security.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@20919 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5Type/tests/testFolder.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/product/ERP5Type/tests/testFolder.py b/product/ERP5Type/tests/testFolder.py
index 04aedf9473..eb99a6d7cd 100644
--- a/product/ERP5Type/tests/testFolder.py
+++ b/product/ERP5Type/tests/testFolder.py
@@ -34,6 +34,8 @@ from Products.CMFCore.tests.base.testcase import LogInterceptor
 from Products.ERP5Type.tests.utils import createZODBPythonScript
 from Products.ERP5Type.ERP5Type import ERP5TypeInformation
 from Products.ERP5Type.Cache import clearCache
+from AccessControl.ZopeGuards import guarded_apply, guarded_getattr
+from zExceptions import Unauthorized
 
 class TestFolder(ERP5TypeTestCase, LogInterceptor):
 
@@ -170,6 +172,17 @@ class TestFolder(ERP5TypeTestCase, LogInterceptor):
       self.assertRaises(ValueError, self.folder.newContent,
                         portal_type='Category')
 
+    def test_editWithoutModifyPortalContent(self):
+      edit = guarded_getattr(self.folder, 'edit')
+      guarded_apply(edit, title='foo')
+      self.assertEqual(self.folder.title, 'foo')
+      original_permission_list = self.folder.permission_settings('Modify portal content')
+      assert len(original_permission_list) == 1
+      self.folder.manage_permission('Modify portal content', [], 0)
+      self.assertRaises(Unauthorized, guarded_getattr, self.folder, 'edit')
+      # Reset to original permissions
+      self.folder.manage_permission('Modify portal content', original_permission_list[0]['roles'], original_permission_list[0]['acquire'])
+
 def test_suite():
   suite = unittest.TestSuite()
   suite.addTest(unittest.makeSuite(TestFolder))
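Review bot: The permission reset on the last line of `test_editWithoutModifyPortalContent` only runs if every assertion before it passes, so a failing `assertRaises(Unauthorized, ...)` leaves `self.folder` with 'Modify portal content' granted to no role and acquisition off. Whether that state leaks into later tests depends on fixture setup not shown here, but the fix is cheap: put the `manage_permission('Modify portal content', [], 0)` call and the `assertRaises` in a `try:` block and the reset in `finally:`. The bare `assert len(original_permission_list) == 1` is stripped under `python -O`, so `self.assertEqual(len(original_permission_list), 1)` is the safer form. Please also confirm that the `'roles'` and `'acquire'` values returned by `permission_settings()` are in the form `manage_permission()` expects (a list of role names and a flag). The test never re-checks access after the reset, so a final `guarded_getattr(self.folder, 'edit')` would catch a restore that silently leaves the permission wrong.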
-- 
2.30.9