def test_auth(self):
# Based on Testing.ZopeTestCase.testFunctional
basic_auth = '%s:%s' % (user_name, user_password)
self.folder.addDTMLDocument('secret_html', file='secret')
self.folder.secret_html.manage_permission(view, ['Owner'])
path = '/' + self.folder.absolute_url(1) + '/secret_html'
# Test direct publishing
response = self.publish(path + '/secret_html')
self.assertEqual(response.getStatus(), 401)
response = self.publish(path + '/secret_html', basic_auth)
self.assertEqual(response.getStatus(), 200)
self.assertEqual(response.getBody(), b'secret')
# Test browser
url = 'http://localhost' + path
browser = Browser()
browser.raiseHttpErrors = False
browser.open(url)
self.assertTrue(browser.headers['status'].startswith('401'))
browser.login(user_name, user_password)
browser.open(url)
self.assertTrue(browser.headers['status'].startswith('200'))
self.assertEqual(browser.contents, 'secret')
class ZPTBrowserTests(FunctionalTestCase):
"""Browser testing ZopePageTemplate"""
def setUp(self):
from Products.PageTemplates.ZopePageTemplate import \
manage_addPageTemplate
super(ZPTBrowserTests, self).setUp()
Zope2.App.zcml.load_site(force=True)
uf = self.app.acl_users
uf.userFolderAddUser('manager', 'manager_pass', ['Manager'], [])
manage_addPageTemplate(self.app, 'page_template')
self.browser = Browser()
self.browser.login('manager', 'manager_pass')
self.browser.open('http://localhost/page_template/manage_main')
def test_pt_upload__no_file(self):
"""It renders an error message if no file is uploaded."""
self.browser.getControl('Upload File').click()
self.assertIn('No file specified', self.browser.contents)
class ZPTBrowserTests(FunctionalTestCase):
"""Browser testing ZopePageTemplate"""
def setUp(self):
from Products.PageTemplates.ZopePageTemplate import \
manage_addPageTemplate
super(ZPTBrowserTests, self).setUp()
Zope2.App.zcml.load_site(force=True)
uf = self.app.acl_users
uf.userFolderAddUser('manager', 'manager_pass', ['Manager'], [])
manage_addPageTemplate(self.app, 'page_template')
self.browser = Browser()
self.browser.login('manager', 'manager_pass')
self.browser.open('http://localhost/page_template/manage_main')
def test_pt_upload__no_file(self):
"""It renders an error message if no file is uploaded."""
self.browser.getControl('Upload File').click()
self.assertIn('No file specified', self.browser.contents)
class TestPublishTraverse(Testing.ZopeTestCase.FunctionalTestCase):
def setUp(self):
super(TestPublishTraverse, self).setUp()
zcml.load_config("configure.zcml", Products.Five)
zcml.load_config('pages.zcml', package=Products.Five.browser.tests)
uf = self.app.acl_users
uf.userFolderAddUser('manager', 'manager_pass', ['Manager'], [])
manage_addSimpleContent(self.folder, 'testoid', 'x')
self.browser = Browser()
self.browser.login('manager', 'manager_pass')
def tearDown(self):
zope.component.testing.tearDown()
super(TestPublishTraverse, self).tearDown()
def test_publishTraverse_to_allowed_name(self):
# The ``eagle.method`` view has a method ``eagle`` that is registered
# with ``allowed_attributes`` in pages.zcml. This attribute should be
# reachable through ``publishTraverse`` on the view.
folder = self.folder
view = folder.unrestrictedTraverse('testoid/eagle.method')
# Publishing traversal with the default adapter should work:
from ZPublisher.BaseRequest import DefaultPublishTraverse
request = folder.REQUEST
adapter = DefaultPublishTraverse(view, request)
result = adapter.publishTraverse(request, 'eagle')()
self.assertIn('The eagle has landed', result)
# Publishing via browser works, too:
self.browser.open(
'http://localhost/test_folder_1_/testoid/eagle.method/eagle')
self.assertEqual('The eagle has landed', self.browser.contents)
def test_publishTraverse_to_not_allowed_name(self):
# The ``eagle.method`` view has a method ``mouse`` but it is not
# registered with ``allowed_attributes`` in pages.zcml. This attribute
# should be not be accessible. It leads to a HTTP-404, so we do not
# tell the world about our internal methods:
with self.assertRaises(HTTPError) as err:
self.browser.open(
'http://localhost/test_folder_1_/testoid/eagle.method/mouse')
self.assertEqual('HTTP Error 404: Not Found', str(err.exception))
def test_publishTraverse_to_allowed_interface(self):
# The ``cheeseburger`` view has a method ``meat`` that is
# registered via ``allowed_interface`` in pages.zcml. This attribute
# should be reachable through ``publishTraverse`` on the view.
folder = self.folder
view = folder.unrestrictedTraverse('testoid/cheeseburger')
# Publishing traversal with the default adapter should work:
from ZPublisher.BaseRequest import DefaultPublishTraverse
request = folder.REQUEST
adapter = DefaultPublishTraverse(view, request)
result = adapter.publishTraverse(request, 'meat')()
self.assertIn('yummi', result)
# Publishing via browser works, too:
self.browser.open(
'http://localhost/test_folder_1_/testoid/cheeseburger/meat')
self.assertEqual('yummi', self.browser.contents)
def test_publishTraverse_to_not_allowed_interface(self):
# The ``cheeseburger`` view has a method ``cheese`` but it is not
# registered via ``allowed_interface`` in pages.zcml. This attribute
# should be not be accessible. It leads to a HTTP-404, so we do not
# tell the world about our internal methods:
with self.assertRaises(HTTPError) as err:
self.browser.open(
'http://localhost/test_folder_1_/testoid/cheeseburger/cheese')
self.assertEqual('HTTP Error 404: Not Found', str(err.exception))
class PythonScriptBrowserTests(FunctionalTestCase):
"""Browser testing Python Scripts"""
def setUp(self):
from Products.PythonScripts.PythonScript import manage_addPythonScript
super(PythonScriptBrowserTests, self).setUp()
Zope2.App.zcml.load_site(force=True)
uf = self.app.acl_users
uf.userFolderAddUser('manager', 'manager_pass', ['Manager'], [])
manage_addPythonScript(self.app, 'py_script')
self.browser = Browser()
self.browser.addHeader(
'Authorization',
'basic {}'.format(
codecs.encode( # noqa: P101
b'manager:manager_pass', 'base64').decode()))
self.browser.open('http://localhost/py_script/manage_main')
def test_ZPythonScriptHTML_upload__no_file(self):
"""It renders an error message if no file is uploaded."""
self.browser.getControl('Upload File').click()
self.assertIn('No file specified', self.browser.contents)
def test_ZPythonScriptHTML_upload__with_file(self):
file_contents = b'print("hello")'
self.browser.getControl('file').add_file(file_contents, 'text/plain',
'script.py')
self.browser.getControl('Upload File').click()
assert 'Saved changes.' in self.browser.contents
def test_PythonScript_proxyroles_manager(self):
test_role = 'Test Role'
self.app._addRole(test_role)
# Test the original state
self.assertFalse(self.app.py_script.manage_haveProxy(test_role))
# Go to the "Proxy" ZMI tab, grab the Proxy Roles select box,
# select the new role and submit
self.browser.open('http://localhost/py_script/manage_proxyForm')
roles_selector = self.browser.getControl(name='roles:list')
testrole_option = roles_selector.getControl(test_role)
self.assertFalse(testrole_option.selected)
testrole_option.selected = True
self.browser.getControl('Save Changes').click()
# The Python Script should now have a proxy role set
self.assertTrue(self.app.py_script.manage_haveProxy(test_role))
def test_PythonScript_proxyroles_nonmanager(self):
# This test checks an unusual configuration where roles other than
# Manager are allowed to change proxy roles.
proxy_form_url = 'http://localhost/py_script/manage_proxyForm'
test_role = 'Test Role'
self.app._addRole(test_role)
test_role_2 = 'Unprivileged Role'
self.app._addRole(test_role_2)
self.app.manage_permission(change_proxy_roles, ['Manager', test_role])
# Add some test users
uf = self.app.acl_users
uf.userFolderAddUser('privileged', 'priv', [test_role], [])
uf.userFolderAddUser('peon', 'unpriv', [test_role_2], [])
# Test the original state
self.assertFalse(self.app.py_script.manage_haveProxy(test_role))
self.assertFalse(self.app.py_script.manage_haveProxy(test_role_2))
# Attempt as unprivileged user will fail both in the browser and
# from trusted code
self.browser.login('peon', 'unpriv')
with self.assertRaises(HTTPError):
self.browser.open(proxy_form_url)
newSecurityManager(None, uf.getUser('peon'))
with self.assertRaises(zExceptions.Forbidden):
self.app.py_script.manage_proxy(roles=(test_role, ))
self.assertFalse(self.app.py_script.manage_haveProxy(test_role))
# Now log in as privileged user and try to set a proxy role
# the privileged user does not have. This must fail.
self.browser.login('privileged', 'priv')
self.browser.open(proxy_form_url)
roles_selector = self.browser.getControl(name='roles:list')
bad_option = roles_selector.getControl(test_role_2)
self.assertFalse(bad_option.selected)
bad_option.selected = True
with self.assertRaises(HTTPError):
self.browser.getControl('Save Changes').click()
self.assertFalse(self.app.py_script.manage_haveProxy(test_role_2))
newSecurityManager(None, uf.getUser('privileged'))
with self.assertRaises(zExceptions.Forbidden):
self.app.py_script.manage_proxy(roles=(test_role_2, ))
self.assertFalse(self.app.py_script.manage_haveProxy(test_role_2))
# Trying again as privileged user with a proxy role the user has
self.browser.open(proxy_form_url)
roles_selector = self.browser.getControl(name='roles:list')
testrole_option = roles_selector.getControl(test_role)
self.assertFalse(testrole_option.selected)
testrole_option.selected = True
self.browser.getControl('Save Changes').click()
# The Python Script should now have a proxy role set
self.assertTrue(self.app.py_script.manage_haveProxy(test_role))
# Cleanup
noSecurityManager()
