do not check security when creating temp object

add unit test for this git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@11130 20353a03-c40f-0410-a6d1-a30d3c3de9de

do not check security when creating temp object
add unit test for this git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@11130 20353a03-c40f-0410-a6d1-a30d3c3de9de
cccd2234 · Aurel · b2c90c0a · cccd2234 · cccd2234
Commit cccd2234 authored Nov 06, 2006 by Aurel
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 4 deletions

product/ERP5Type/ERP5Type.py product/ERP5Type/ERP5Type.py +7 -3

product/ERP5Type/tests/testERP5Type.py product/ERP5Type/tests/testERP5Type.py +17 -1

No files found.
--- a/product/ERP5Type/ERP5Type.py
+++ b/product/ERP5Type/ERP5Type.py
@@ -200,9 +200,13 @@ class ERP5TypeInformation( FactoryTypeInformation,
        Call the init_script for the portal_type.
        Returns the object.
        """
-        # This is part is copied from CMFCore/TypesTool
-        ob = FactoryTypeInformation.constructInstance(
-                                             self, container, id, *args, **kw)
+        # This is part is copied from CMFCore/TypesTool/constructInstance
+        # In case of temp object, we don't want to check security
+        if not (hasattr(container, 'isTempObject') and container.isTempObject())\
+               and not self.isConstructionAllowed(container):
+            raise AccessControl_Unauthorized('Cannot create %s' % self.getId())
+        ob = self._constructInstance(container, id, *args, **kw)
+        ob = self._finishConstruction(ob)

        # Only try to assign roles to security groups if some roles are defined
        # This is an optimisation to prevent defining local roles on subobjects

--- a/product/ERP5Type/tests/testERP5Type.py
+++ b/product/ERP5Type/tests/testERP5Type.py
@@ -18,6 +18,7 @@ from Products.ERP5Type.Cache import CachingMethod, clearCache
 from Products.ERP5Type.Base import _aq_reset
 from Products.ERP5Type.tests.utils import installRealClassTool
 from Products.ERP5Type.Utils import removeLocalPropertySheet
+from AccessControl.SecurityManagement import newSecurityManager

 class PropertySheetTestCase(ERP5TypeTestCase):
  """Base test case class for property sheets tests.
@@ -116,6 +117,12 @@ class TestERP5Type(PropertySheetTestCase, LogInterceptor):
        module.manage_delObjects(list(module.objectIds()))
      get_transaction().commit()

+    def loginWithNoRole(self, quiet=0, run=run_all_test):
+      uf = self.getPortal().acl_users
+      uf._doAddUser('ac', '', [], [])
+      user = uf.getUserById('ac').__of__(uf)
+      newSecurityManager(None, user)
+
    def getRandomString(self):
      return str(randint(-10000000,100000000))

@@ -240,7 +247,16 @@ class TestERP5Type(PropertySheetTestCase, LogInterceptor):
      b = o.newContent(id=2, portal_type="Telephone")
      self.assertEquals(b.isTempObject(), 1)
      self.assertEquals(b.getId(), str(2))
-      
+
+      # check we can create temp object without specific roles/permissions
+      self.logout()
+      self.loginWithNoRole()
+      o = newTempOrganisation(portal,'b')
+      self.assertEquals(o.isTempObject(), 1)
+      a = o.newContent(portal_type = 'Telephone')
+      self.assertEquals(a.isTempObject(), 1)
+      self.logout()
+      self.login()

    def test_04_CategoryAccessors(self, quiet=quiet, run=run_all_test):
      """