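def test_referal_to_private_files(self):
    """Check that the delete confirmation hides a linking page the user cannot view.

    ``doc1`` links to ``image1``. ``doc1`` is then restricted to Manager
    while a plain member keeps the right to view and delete the image.
    When that member opens the delete confirmation for the image, the
    link-breakage warning must appear, but neither the name nor the URL
    of the private linking page may be disclosed.
    """
    # First create the link in question and set up the permissions.
    doc = self.portal.doc1
    img = self.portal.image1
    self._set_text(doc, '<a href="image1">Image 1</a>')
    roles = ('Member', )
    self.portal.manage_permission('List folder contents', roles=roles)
    self.portal.manage_permission('Delete objects', roles=roles)
    # acquire=0: do not inherit role assignments from the parent, so only
    # Manager keeps these two permissions on the linking page.
    doc.manage_permission('View', roles=('Manager', ), acquire=0)
    doc.manage_permission(
        'Access contents information', roles=('Manager', ), acquire=0)
    logout()
    login(self.portal, 'member')

    # Sanity-check the setup: the member can see the image but not the page.
    checkPermission = self.portal.portal_membership.checkPermission
    self.assertFalse(checkPermission('View', doc))
    self.assertFalse(checkPermission('Access contents information', doc))
    self.assertTrue(checkPermission('View', img))
    self.assertTrue(checkPermission('Access contents information', img))

    # The warning is shown.
    self.assertTrue(hasOutgoingLinks(doc))
    view = img.restrictedTraverse('delete_confirmation')
    results = view()
    self.assertIn('Potential link breakage', results)
    self.assertIn('The item is not accessible.', results)
    # The placeholder text alone does not prove that nothing leaked: also
    # assert that the private page's URL and title are absent from the
    # rendered confirmation.
    self.assertNotIn(doc.absolute_url(), results)
    self.assertNotIn(doc.Title(), results)

    # Delete the linked item and check if the source still has the relation.
    # TODO: There is a permission problem when deleting the relation.
    # When deleting the linked obj the relation is deleted by
    # z3c.relationfield.event.breakRelations. That also fires
    # ObjectModifiedEvent on the linked obj even though the user might not
    # have the permission to edit that obj.
    # Here plone.app.versioningbehavior.subscribers.create_version_on_save
    # for the linked object is triggered and results in
    # Unauthorized: You are not allowed to access 'save' in this context
    # self.portal.manage_delObjects(img.id)
    # NOTE(review): because of the workaround below, the member's real
    # delete path (with events) is not exercised by this test.
    self.portal._delObject(img.id, suppress_events=True)
    logout()
    login(self.portal, TEST_USER_NAME)
    modified(doc)
    self.assertFalse(hasOutgoingLinks(doc))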
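def test_referal_to_private_files(self):
    """Check that the delete confirmation hides a linking page the user cannot view.

    ``doc1`` links to ``image1``. ``doc1`` is then restricted to Manager
    while a plain member keeps the right to view and delete the image.
    When that member opens the delete confirmation for the image, the
    link-breakage warning must appear, but neither the name nor the URL
    of the private linking page may be disclosed.
    """
    # First create the link in question and set up the permissions.
    doc = self.portal.doc1
    img = self.portal.image1
    self._set_text(doc, '<a href="image1">Image 1</a>')
    roles = ('Member', )
    self.portal.manage_permission('List folder contents', roles=roles)
    self.portal.manage_permission('Delete objects', roles=roles)
    # acquire=0: do not inherit role assignments from the parent, so only
    # Manager keeps these two permissions on the linking page.
    doc.manage_permission('View', roles=('Manager',), acquire=0)
    doc.manage_permission(
        'Access contents information', roles=('Manager', ), acquire=0)
    logout()
    login(self.portal, 'member')

    # Sanity-check the setup: the member can see the image but not the page.
    checkPermission = self.portal.portal_membership.checkPermission
    self.assertFalse(checkPermission('View', doc))
    self.assertFalse(checkPermission('Access contents information', doc))
    self.assertTrue(checkPermission('View', img))
    self.assertTrue(checkPermission('Access contents information', img))

    # The warning is shown.
    self.assertTrue(hasOutgoingLinks(doc))
    view = img.restrictedTraverse('delete_confirmation')
    results = view()
    self.assertIn('Potential link breakage', results)
    self.assertIn('The item is not accessible.', results)
    # The placeholder text alone does not prove that nothing leaked: also
    # assert that the private page's URL and title are absent from the
    # rendered confirmation.
    self.assertNotIn(doc.absolute_url(), results)
    self.assertNotIn(doc.Title(), results)

    # Delete the linked item and check if the source still has the relation.
    # TODO: There is a permission problem when deleting the relation.
    # When deleting the linked obj the relation is deleted by
    # z3c.relationfield.event.breakRelations. That also fires
    # ObjectModifiedEvent on the linked obj even though the user might not
    # have the permission to edit that obj.
    # Here plone.app.versioningbehavior.subscribers.create_version_on_save
    # for the linked object is triggered and results in
    # Unauthorized: You are not allowed to access 'save' in this context
    # self.portal.manage_delObjects(img.id)
    # NOTE(review): because of the workaround below, the member's real
    # delete path (with events) is not exercised by this test.
    self.portal._delObject(img.id, suppress_events=True)
    logout()
    login(self.portal, TEST_USER_NAME)
    modified(doc)
    self.assertFalse(hasOutgoingLinks(doc))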
def test_file_reference_linkintegrity_page_is_shown(self):
    """Walk through the delete confirmation for a file that a page links to.

    Creates ``file2``, links to it from ``doc1``, then drives the test
    browser through the confirmation form twice: once cancelling (the
    file must stay) and once confirming (the file must be gone).
    """
    portal = self.portal
    browser = self.browser

    page = portal.doc1
    target = testing.create(portal, 'File', id='file2', file=testing.GIF)

    # The relation only exists once the page text references the file.
    self.assertFalse(hasOutgoingLinks(page))
    self._set_text(page, '<a href="file2">A File</a>')
    self.assertTrue(hasOutgoingLinks(page))
    self.assertIn('file2', portal.objectIds())

    # presumably the CSRF authenticator token for the form -- confirm
    # against the _get_token helper
    authenticator = self._get_token(target)
    self.request['_authenticator'] = authenticator

    # Commit so the test browser sees the objects created above.
    transaction.commit()

    browser.handleErrors = True
    credentials = 'Basic {0:s}:{1:s}'.format(
        TEST_USER_NAME, TEST_USER_PASSWORD)
    browser.addHeader('Authorization', credentials)

    confirm_url = '{0:s}/delete_confirmation?_authenticator={1:s}'.format(
        target.absolute_url(), authenticator)

    # First pass: open the confirmation page, check its text, then cancel.
    browser.open(confirm_url)
    self.assertIn('Potential link breakage', browser.contents)
    self.assertIn(
        '<a href="http://nohost/plone/doc1">Test Page 1</a>',
        browser.contents)
    self.assertIn('Would you like to delete it anyway?', browser.contents)

    # Cancelling must leave the item in place.
    # FIXME! This fails in Archetypes because the redirect
    # plone.app.content.browser.actions.DeleteConfirmationForm.handle_cancel
    # is broken for AT-content.
    browser.getControl(name='form.buttons.Cancel').click()
    self.assertEqual(browser.url, target.absolute_url() + '/view')
    self.assertIn('Removal cancelled.', browser.contents)
    self.assertIn('file2', portal.objectIds())

    # Second pass: confirm the deletion.
    browser.open(confirm_url)
    browser.getControl(name='form.buttons.Delete').click()
    self.assertNotIn('file2', portal.objectIds())
def test_file_reference_linkintegrity_page_is_shown(self):
    """Walk through the delete confirmation for a file that a page links to.

    Creates ``file2``, links to it from ``doc1``, then drives the test
    browser through the confirmation form twice: once cancelling (the
    file must stay) and once confirming (the file must be gone).
    """
    portal = self.portal
    browser = self.browser

    page = portal.doc1
    target = testing.create(portal, 'File', id='file2', file=testing.GIF)

    # The relation only exists once the page text references the file.
    self.assertFalse(hasOutgoingLinks(page))
    self._set_text(page, '<a href="file2">A File</a>')
    self.assertTrue(hasOutgoingLinks(page))
    self.assertIn('file2', portal.objectIds())

    # presumably the CSRF authenticator token for the form -- confirm
    # against the _get_token helper
    authenticator = self._get_token(target)
    self.request['_authenticator'] = authenticator

    # Commit so the test browser sees the objects created above.
    transaction.commit()

    browser.handleErrors = True
    credentials = 'Basic {0:s}:{1:s}'.format(
        TEST_USER_NAME, TEST_USER_PASSWORD)
    browser.addHeader('Authorization', credentials)

    confirm_url = '{0:s}/delete_confirmation?_authenticator={1:s}'.format(
        target.absolute_url(), authenticator)

    # First pass: open the confirmation page, check its text, then cancel.
    browser.open(confirm_url)
    self.assertIn('Potential link breakage', browser.contents)
    self.assertIn(
        '<a href="http://nohost/plone/doc1">Test Page 1</a>',
        browser.contents)
    self.assertIn('Would you like to delete it anyway?', browser.contents)

    # Cancelling must leave the item in place.
    # FIXME! This fails in Archetypes because the redirect
    # plone.app.content.browser.actions.DeleteConfirmationForm.handle_cancel
    # is broken for AT-content.
    browser.getControl(name='form.buttons.Cancel').click()
    self.assertEqual(browser.url, target.absolute_url() + '/view')
    self.assertIn('Removal cancelled.', browser.contents)
    self.assertIn('file2', portal.objectIds())

    # Second pass: confirm the deletion.
    browser.open(confirm_url)
    browser.getControl(name='form.buttons.Delete').click()
    self.assertNotIn('file2', portal.objectIds())