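def test_deny_dublincore_view(self):
    """Check that denying dublincore view to anonymous hides item metadata.

    Users who can view a folder contents page but cannot view Dublin Core
    should still be able to see the folder items' names, but not their
    title, modified, and created info.
    """
    # Add an item that can be viewed from the root folder.  The local is
    # named ``item`` so it does not shadow the Python 2 ``file`` builtin.
    item = File()
    self.getRootFolder()['file'] = item
    IZopeDublinCore(item).title = u'My File'

    # Deny zope.app.dublincore.view to zope.Anonymous on the root folder.
    prm = IRolePermissionManager(self.getRootFolder())
    prm.denyPermissionToRole('zope.app.dublincore.view', 'zope.Anonymous')
    # Commit before publishing so the denial is stored when the request runs.
    transaction.commit()

    # assertEqual/assertTrue replace the assertEquals/assert_ aliases, which
    # are deprecated and no longer exist in unittest from Python 3.12 on.
    response = self.publish('/')
    self.assertEqual(response.getStatus(), 200)
    body = response.getBody()

    # The item name must still be listed on the contents page ...
    self.assertTrue('<a href="file">file</a>' in body)
    # ... but the Dublin Core title must not leak into the response.
    self.assertTrue('My File' not in body)
    # NOTE(review): only the title is asserted; the modified and created
    # values named in the docstring are not checked by this test.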
def setPermissionRoles(self):
    """Apply the role/permission settings submitted with the request.

    For each known permission id and each entry of ``self.roles`` three
    request fields are read: ``perm<id>``, ``role<role>`` and
    ``prole<id><role>``.  The first two must carry a value found in the
    known permission ids and in ``self.roles`` respectively; the third names
    the setting (Unset, Allow or Deny) that is applied through the context's
    IRolePermissionManager.  A field that is missing, fails one of those
    membership checks, or carries an unrecognised setting is skipped
    silently.

    NOTE(review): no check of the caller's own rights is visible in this
    method; presumably the view's security declaration enforces it --
    confirm.
    """
    manager = IRolePermissionManager(self.context)
    known_ids = [p.id for p in self.permissions]

    def apply_setting(name, permission_id, role_id):
        # Compared in the order Unset, Allow, Deny; any other value is
        # ignored rather than rejected.
        if name == Unset.getName():
            manager.unsetPermissionFromRole(permission_id, role_id)
        elif name == Allow.getName():
            manager.grantPermissionToRole(permission_id, role_id)
        elif name == Deny.getName():
            manager.denyPermissionToRole(permission_id, role_id)

    for perm_id in known_ids:
        # Allow-list check: the value written to the manager is the one
        # taken from the request, so it must be a known permission id.
        rperm = self.request.get(u'perm%s' % perm_id)
        if rperm not in known_ids:
            continue
        for role in self.roles:
            # Same check for the role value taken from the request.
            rrole = self.request.get('role%s' % role)
            if rrole not in self.roles:
                continue
            setting = self.request.get(u'prole%s%s' % (perm_id, role))
            if setting is not None:
                apply_setting(setting, rperm, rrole)

    # Set unconditionally, including when every field was skipped.
    self.msg = u"Permissions successfully updated."
def test_deny_view(self):
    """Check that denying zope.View to anonymous blocks the root folder.

    The denial is applied to the root folder through its
    IRolePermissionManager adapter and committed; publishing the root
    folder is then expected to raise Unauthorized.
    """
    root = self.getRootFolder()
    role_permissions = IRolePermissionManager(root)

    # Deny zope.View to zope.Anonymous, then commit so the denial is stored
    # before the request below is made.
    role_permissions.denyPermissionToRole('zope.View', 'zope.Anonymous')
    transaction.commit()

    # Viewing the root folder must now be refused.
    self.assertRaises(Unauthorized, self.publish, '/')