def test_manage_removePrincipalsFromGroup_POST_permissions(self):
        USER_ID = 'testuser'
        GROUP_ID = 'testgroup'

        zgm = self._makeOne()
        zgm.prefix = 'prefixed_'

        zgm.addGroup(GROUP_ID)
        req, res = makeRequestAndResponse()

        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        req.set('SESSION', {})
        self.assertRaises(Forbidden, zgm.manage_removePrincipalsFromGroup,
                          GROUP_ID, [USER_ID], REQUEST=req)

        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        self.assertRaises(Forbidden, zgm.manage_removePrincipalsFromGroup,
                          GROUP_ID, [USER_ID], REQUEST=req)

        # Works with a POST + CSRF token
        req.form['csrf_token'] = 'deadbeef'
        req.SESSION['_csrft_'] = 'deadbeef'
        zgm.manage_removePrincipalsFromGroup(GROUP_ID, [USER_ID], REQUEST=req)
Ejemplo n.º 2
0
    def test_manage_updateUserPassword_POST_permissions(self):
        USER_ID = 'testuser'
        PASSWORD = '******'
        ENCRYPTED = pw_encrypt(PASSWORD)

        zum = self._makeOne()
        zum.addUser(USER_ID, USER_ID, '')

        req, res = makeRequestAndResponse()
        # Fails with a GET
        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        req.set('SESSION', {})
        self.assertRaises(Forbidden, zum.manage_updateUserPassword,
                          USER_ID, PASSWORD, PASSWORD, REQUEST=req)

        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        self.assertRaises(Forbidden, zum.manage_updateUserPassword,
                          USER_ID, PASSWORD, PASSWORD, REQUEST=req)

        # Works with a POST + CSRF toekn
        req.form['csrf_token'] = 'deadbeef'
        req.SESSION['_csrft_'] = 'deadbeef'
        zum.manage_updateUserPassword(USER_ID, PASSWORD, PASSWORD, REQUEST=req)
Ejemplo n.º 3
0
    def test_manage_removeRoleFromPricipal_POST_permissionsT(self):
        USER_ID = 'testuser'
        ROLE_ID = 'myrole'

        root = FauxPAS()
        zrm = self._makeOne(id='remove_existing').__of__(root)
        zrm = self._makeOne()
        zrm.addRole(ROLE_ID)

        req, res = makeRequestAndResponse()

        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        req.set('SESSION', {})
        self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals,
                          ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req)

        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals,
                          ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req)

        req.form['csrf_token'] = 'deadbeef'
        req.SESSION['_csrft_'] = 'deadbeef'
        zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID], RESPONSE=res,
                                            REQUEST=req)
Ejemplo n.º 4
0
    def testPOSTProtections(self):
        from AccessControl.AuthEncoding import pw_encrypt
        from zExceptions import Forbidden
        USER_ID = 'testuser'
        PASSWORD = '******'

        ENCRYPTED = pw_encrypt(PASSWORD)

        zum = self._makeOne()
        zum.addUser(USER_ID, USER_ID, '')

        req, res = makeRequestAndResponse()
        # test manage_updateUserPassword
        # Fails with a GET
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zum.manage_updateUserPassword,
                          USER_ID, PASSWORD, PASSWORD, REQUEST=req)
        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        zum.manage_updateUserPassword(USER_ID, PASSWORD, PASSWORD, REQUEST=req)

        # test manage_updatePassword
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zum.manage_updatePassword,
                          USER_ID, PASSWORD, PASSWORD, REQUEST=req)
        # XXX: This method is broken

        # test manage_removeUsers
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zum.manage_removeUsers,
                          [USER_ID], REQUEST=req)
        req.set('REQUEST_METHOD', 'POST')
        zum.manage_removeUsers([USER_ID], REQUEST=req)
Ejemplo n.º 5
0
    def _makeOne(self, id='test', *args, **kw):

        plugin = self._getTargetClass()(id=id, *args, **kw)
        # We need to bind a fake request to this plugin
        request, dummy_response = makeRequestAndResponse()
        setattr(plugin, 'REQUEST', request)
        return plugin
Ejemplo n.º 6
0
    def testPOSTProtections(self):
        from zExceptions import Forbidden

        USER_ID = 'testuser'
        GROUP_ID = 'testgroup'

        zgm = self._makeOne()
        zgm.prefix = 'prefixed_'

        zgm.addGroup( GROUP_ID )
        user = DummyUser( USER_ID )

        req, res = makeRequestAndResponse()

        # test addPrincipalToGroup
        # Fails with a GET
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zgm.addPrincipalToGroup,
                          USER_ID, GROUP_ID, REQUEST=req)
        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        zgm.addPrincipalToGroup(USER_ID, GROUP_ID, REQUEST=req)

        # test removePrincipalFromGroup
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zgm.removePrincipalFromGroup,
                          USER_ID, GROUP_ID, REQUEST=req)
        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        zgm.removePrincipalFromGroup(USER_ID, GROUP_ID, REQUEST=req)

        # test manage_addPrincipalsToGroup
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zgm.manage_addPrincipalsToGroup,
                          GROUP_ID, [USER_ID], REQUEST=req)
        req.set('REQUEST_METHOD', 'POST')
        zgm.manage_addPrincipalsToGroup(GROUP_ID, [USER_ID], REQUEST=req)

        # test manage_removePrincipalsFromGroup
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zgm.manage_removePrincipalsFromGroup,
                          GROUP_ID, [USER_ID], REQUEST=req)
        req.set('REQUEST_METHOD', 'POST')
        zgm.manage_removePrincipalsFromGroup(GROUP_ID, [USER_ID], REQUEST=req)

        # test manage_removeGroup
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zgm.manage_removeGroups,
                          [GROUP_ID], REQUEST=req)
        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        zgm.manage_removeGroups([GROUP_ID], REQUEST=req)
Ejemplo n.º 7
0
    def test_manage_updatePassword_POST_permissions(self):
        USER_ID = 'testuser'
        PASSWORD = '******'
        ENCRYPTED = pw_encrypt(PASSWORD)

        zum = self._makeOne()
        zum.addUser(USER_ID, USER_ID, '')

        req, res = makeRequestAndResponse()
        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        self.assertRaises(Forbidden, zum.manage_updatePassword,
                          USER_ID, PASSWORD, PASSWORD, REQUEST=req)
Ejemplo n.º 8
0
    def test_manage_removeRoles_POST_permissions(self):
        ROLE_ID = 'myrole'

        root = FauxPAS()
        zrm = self._makeOne(id='remove_existing').__of__(root)
        zrm = self._makeOne()
        zrm.addRole(ROLE_ID)

        req, res = makeRequestAndResponse()
        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        self.assertRaises(Forbidden, zrm.manage_removeRoles,
                          [ROLE_ID], RESPONSE=res, REQUEST=req)
        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)
Ejemplo n.º 9
0
    def test_manage_removeGroup_POST_permissions(self):
        GROUP_ID = 'testgroup'

        zgm = self._makeOne()
        zgm.prefix = 'prefixed_'
        zgm.addGroup(GROUP_ID)
        req, res = makeRequestAndResponse()

        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        self.assertRaises(Forbidden, zgm.manage_removeGroups,
                          [GROUP_ID], REQUEST=req)

        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        zgm.manage_removeGroups([GROUP_ID], REQUEST=req)
    def test_manage_updatePassword(self):
        from AccessControl.SecurityManagement import newSecurityManager
        from AccessControl.SecurityManagement import noSecurityManager
        from Acquisition import Implicit
        # Test that a user can update her own password using the
        # ZMI-provided form handler: http://www.zope.org/Collectors/PAS/56
        zum = self._makeOne()

        # Create a user and make sure we can authenticate with it
        zum.addUser('user1', '*****@*****.**', 'password')
        info1 = {'login': '******', 'password': '******'}
        self.failUnless(zum.authenticateCredentials(info1))

        # Give the user a new password; attempting to authenticate with the
        # old password must fail
        class FauxUser(Implicit):

            def __init__(self, id):
                self._id = id

            def getId(self):
                return self._id

        req, res = makeRequestAndResponse()
        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        req.SESSION = {'_csrft_': 'deadbeef'}
        req.form['csrf_token'] = 'deadbeef'
        newSecurityManager(None, FauxUser('user1'))
        try:
            zum.manage_updatePassword('*****@*****.**',
                                      'new_password',
                                      'new_password',
                                      REQUEST=req,
                                      )
        finally:
            noSecurityManager()

        self.failIf(zum.authenticateCredentials(info1))

        # Try to authenticate with the new password, this must succeed.
        info2 = {'login': '******', 'password': '******'}
        user_id, login = zum.authenticateCredentials(info2)
        self.assertEqual(user_id, 'user1')
        self.assertEqual(login, '*****@*****.**')
Ejemplo n.º 11
0
    def test_removeRole_POST_permissions(self):
        ROLE_ID = 'myrole'

        root = FauxPAS()
        zrm = self._makeOne(id='remove_existing').__of__(root)
        zrm = self._makeOne()
        zrm.addRole(ROLE_ID)

        req, res = makeRequestAndResponse()

        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        self.assertRaises(Forbidden, zrm.removeRole,
                          ROLE_ID, REQUEST=req)
        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        zrm.removeRole(ROLE_ID, REQUEST=req)
Ejemplo n.º 12
0
    def test_removePrincipalFromGroup_POST_permissions(self):
        USER_ID = 'testuser'
        GROUP_ID = 'testgroup'

        zgm = self._makeOne()
        zgm.prefix = 'prefixed_'

        zgm.addGroup(GROUP_ID)
        req, res = makeRequestAndResponse()

        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        self.assertRaises(Forbidden, zgm.removePrincipalFromGroup,
                          USER_ID, GROUP_ID, REQUEST=req)
        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        zgm.removePrincipalFromGroup(USER_ID, GROUP_ID, REQUEST=req)
Ejemplo n.º 13
0
    def test_assignRoleToPrincipal_POST_permissions(self):
        USER_ID = 'testuser'
        ROLE_ID = 'myrole'

        root = FauxPAS()
        zrm = self._makeOne(id='remove_existing').__of__(root)
        zrm = self._makeOne()
        zrm.addRole(ROLE_ID)

        req, res = makeRequestAndResponse()

        # Fails with a GET
        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        self.assertRaises(Forbidden, zrm.assignRoleToPrincipal,
                          ROLE_ID, USER_ID, REQUEST=req)
        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req)
    def test_manage_removeUsers_POST_permissions(self):
        USER_ID = 'testuser'

        zum = self._makeOne()
        zum.addUser(USER_ID, USER_ID, '')

        req, res = makeRequestAndResponse()
        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        req.set('SESSION', {})
        self.assertRaises(Forbidden, zum.manage_removeUsers,
                          [USER_ID], REQUEST=req)

        req.set('REQUEST_METHOD', 'POST')
        req.set('method', 'POST')
        self.assertRaises(Forbidden, zum.manage_removeUsers,
                          [USER_ID], REQUEST=req)

        req.form['csrf_token'] = 'deadbeef'
        req.SESSION['_csrft_'] = 'deadbeef'
        zum.manage_removeUsers([USER_ID], REQUEST=req)
Ejemplo n.º 15
0
    def testPOSTProtections(self):
        from zExceptions import Forbidden

        GROUP_ID = 'testgroup'

        dpg = self._makeOne( 'adding' )

        dpg.addGroup( GROUP_ID, 'python:True', 'title', 'description', True )

        req, res = makeRequestAndResponse()

        req.set('REQUEST_METHOD', 'GET')

        # Fails with a GET
        # test removeGroup
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, dpg.removeGroup,
                          GROUP_ID, REQUEST=req)
        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        dpg.removeGroup(GROUP_ID, REQUEST=req)
    def test_manage_updatePassword_POST_permissions(self):
        from AccessControl.SecurityManagement import newSecurityManager
        from AccessControl.SecurityManagement import noSecurityManager
        from Acquisition import Implicit
        # Give the user a new password; attempting to authenticate with the
        # old password must fail

        class FauxUser(Implicit):

            def __init__(self, id):
                self._id = id

            def getId(self):
                return self._id
        USER_ID = 'testuser'
        PASSWORD = '******'

        zum = self._makeOne()
        zum.addUser(USER_ID, USER_ID, '')

        req, res = makeRequestAndResponse()
        req.set('REQUEST_METHOD', 'GET')
        req.set('method', 'GET')
        req.set('SESSION', {})
        newSecurityManager(None, FauxUser(USER_ID))
        try:
            self.assertRaises(Forbidden, zum.manage_updatePassword,
                              USER_ID, PASSWORD, PASSWORD, REQUEST=req)

            req.set('REQUEST_METHOD', 'POST')
            req.set('method', 'POST')
            self.assertRaises(Forbidden, zum.manage_updatePassword,
                              USER_ID, PASSWORD, PASSWORD, REQUEST=req)

            # Works with a POST + CSRF toekn
            req.form['csrf_token'] = 'deadbeef'
            req.SESSION['_csrft_'] = 'deadbeef'
            zum.manage_updatePassword(USER_ID, PASSWORD, PASSWORD, REQUEST=req)
        finally:
            noSecurityManager()
Ejemplo n.º 17
0
    def testPOSTProtections(self):
        from zExceptions import Forbidden

        USER_ID = 'testuser'
        ROLE_ID = 'myrole'

        root = FauxPAS()
        zrm = self._makeOne( id='remove_existing' ).__of__( root )
        zrm = self._makeOne()
        zrm.addRole(ROLE_ID)

        user = DummyUser( USER_ID )

        req, res = makeRequestAndResponse()

        # Fails with a GET
        # test assignRoleToPrincipal
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zrm.assignRoleToPrincipal,
                          ROLE_ID, USER_ID, REQUEST=req)
        # Works with a POST
        req.set('REQUEST_METHOD', 'POST')
        zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req)

        # test removeRoleFromPricipal
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zrm.removeRoleFromPrincipal,
                          ROLE_ID, USER_ID, REQUEST=req)
        req.set('REQUEST_METHOD', 'POST')
        zrm.removeRoleFromPrincipal(ROLE_ID, USER_ID, REQUEST=req)

        # test removeRole
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zrm.removeRole,
                          ROLE_ID, REQUEST=req)
        req.set('REQUEST_METHOD', 'POST')
        zrm.removeRole(ROLE_ID, REQUEST=req)

        # Readd the role for the manage_* methods
        zrm.addRole(ROLE_ID)

        # test manage_assignRoleToPrincipal
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zrm.manage_assignRoleToPrincipals,
                          ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req)
        req.set('REQUEST_METHOD', 'POST')
        zrm.manage_assignRoleToPrincipals(ROLE_ID, [USER_ID], RESPONSE=res,
                                          REQUEST=req)

        # test manage_removeRoleFromPricipal
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals,
                          ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req)
        req.set('REQUEST_METHOD', 'POST')
        zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID], RESPONSE=res,
                                            REQUEST=req)

        # test manage_removeRoles
        req.set('REQUEST_METHOD', 'GET')
        self.assertRaises(Forbidden, zrm.manage_removeRoles,
                          [ROLE_ID], RESPONSE=res, REQUEST=req)
        req.set('REQUEST_METHOD', 'POST')
        zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)