From 1a39e3a7ca3d90ce7c54d2b4330a5fe6d712fa7e Mon Sep 17 00:00:00 2001
From: Romain Courteaud <romain@nexedi.com>
Date: Wed, 13 Aug 2008 17:15:19 +0000
Subject: [PATCH] New test to check the expected behaviour of object security
 indexation. Currently, if an object acquires its parent's local roles AND also
 defines local roles, its indexed security is wrong.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@22986 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5Catalog/tests/testERP5Catalog.py | 66 ++++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/product/ERP5Catalog/tests/testERP5Catalog.py b/product/ERP5Catalog/tests/testERP5Catalog.py
index b95dabbf82..792ad9ffe9 100644
--- a/product/ERP5Catalog/tests/testERP5Catalog.py
+++ b/product/ERP5Catalog/tests/testERP5Catalog.py
@@ -1898,6 +1898,72 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
     self.assertEquals([], [x.getObject() for x in
                            obj.searchFolder(portal_type='Bank Account')])
 
+  def test_SubDocumentsWithAcquireLocalRoleSecurityIndexing(
+                                   self, quiet=quiet, run=run_all_test):
+    if not run: return    
+    # Check that sub object indexation is compatible with ZODB settings
+    # when the sub object acquires the parent local roles
+    perm = 'View'
+
+    # Create some users
+    login = PortalTestCase.login
+    logout = self.logout
+    user1 = 'local_foo_1'
+    user2 = 'local_bar_1'
+    uf = self.getPortal().acl_users
+    uf._doAddUser(user1, user1, ['Member', ], [])
+    uf._doAddUser(user2, user2, ['Member', ], [])
+
+    container_portal_type = 'Organisation'
+    # Create a container, define a local role, and set view permission
+    folder = self.getOrganisationModule()
+
+    # user1 should be auditor on container
+    # user2 should be assignor on subdocument
+    container = folder.newContent(portal_type=container_portal_type)
+    container.manage_setLocalRoles(user1, ['Auditor'])
+#     container.manage_setLocalRoles(user2, [])
+    container.manage_permission(perm, ['Owner', 'Auditor', 'Assignor'], 0)
+
+    # By default, local roles are acquired from container for Email portal type
+    object_portal_type = 'Email'
+    obj = container.newContent(portal_type=object_portal_type)
+    # Acquire permission from parent
+    obj.manage_permission(perm, [], 1)
+    obj.manage_setLocalRoles(user2, ['Assignor'])
+
+    obj.reindexObject()
+    get_transaction().commit()
+    self.tic()
+
+    logout()
+    login(self, user1)
+    result = obj.portal_catalog(portal_type=object_portal_type)
+    self.assertSameSet([obj, ], [x.getObject() for x in result])
+    result = obj.portal_catalog(portal_type=object_portal_type, 
+                                local_roles='Owner')
+    self.assertSameSet([], [x.getObject() for x in result])
+    result = obj.portal_catalog(portal_type=object_portal_type, 
+                                local_roles='Assignor')
+    self.assertSameSet([], [x.getObject() for x in result])
+    result = obj.portal_catalog(portal_type=object_portal_type, 
+                                local_roles='Auditor')
+    self.assertSameSet([obj], [x.getObject() for x in result])
+
+    logout()
+    login(self, user2)
+    result = obj.portal_catalog(portal_type=object_portal_type)
+    self.assertSameSet([obj, ], [x.getObject() for x in result])
+    result = obj.portal_catalog(portal_type=object_portal_type, 
+                                local_roles='Owner')
+    self.assertSameSet([], [x.getObject() for x in result])
+    result = obj.portal_catalog(portal_type=object_portal_type, 
+                                local_roles='Assignor')
+    self.assertSameSet([obj], [x.getObject() for x in result])
+    result = obj.portal_catalog(portal_type=object_portal_type, 
+                                local_roles='Auditor')
+    self.assertSameSet([], [x.getObject() for x in result])
+
   def test_60_ViewableOwnerIndexing(self, quiet=quiet, run=run_all_test):
     if not run: 
       return
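Review bot: The new test has no negative control: both `user1` and `user2` are expected to find `obj` on the unfiltered `portal_catalog(portal_type=object_portal_type)` query, so a security index that exposes the sub-document to every Member would still pass. Over-exposure is the failure that matters most for security indexing, so add a third Member who holds no local role on the container or the sub-document and assert that the same query returns nothing for that user. The commented-out `container.manage_setLocalRoles(user2, [])` line should be dropped or explained. The test also ends logged in as `user2`, and whether the fixture resets the login is not visible in this hunk.

```python
    # … unchanged: user1/user2 creation …
    user3 = 'local_baz_1'  # constructed name: a Member with no local role anywhere
    uf._doAddUser(user3, user3, ['Member', ], [])
    # … unchanged: container/obj setup, reindex, user1 and user2 assertions …

    # Negative control: a plain Member must not find the sub-document
    logout()
    login(self, user3)
    result = obj.portal_catalog(portal_type=object_portal_type)
    self.assertSameSet([], [x.getObject() for x in result])
```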
-- 
2.30.9