Exemplo n.º 1
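    def test_referal_to_private_files(self):
        # Privacy check for the link integrity warning: when the item being
        # deleted is referenced from a page the current user may not view,
        # the confirmation page must still warn about the breakage, but
        # neither the name nor the URL of the linking page may be shown.
        # First create the link in question and set up the permissions.
        doc = self.portal.doc1
        img = self.portal.image1
        self._set_text(doc, '<a href="image1">Image 1</a>')

        # Members may list and delete in the portal, but only Managers may
        # view doc1; acquire=0 keeps the roles from being acquired from the
        # parent.
        roles = ('Member', )
        self.portal.manage_permission('List folder contents', roles=roles)
        self.portal.manage_permission('Delete objects', roles=roles)
        doc.manage_permission('View', roles=('Manager', ), acquire=0)
        doc.manage_permission('Access contents information',
                              roles=('Manager', ),
                              acquire=0)

        logout()
        login(self.portal, 'member')
        checkPermission = self.portal.portal_membership.checkPermission
        # Precondition: the member is locked out of the linking page but
        # can still reach the image that is about to be deleted.
        self.assertFalse(checkPermission('View', doc))
        self.assertFalse(checkPermission('Access contents information', doc))
        self.assertTrue(checkPermission('View', img))
        self.assertTrue(checkPermission('Access contents information', img))

        # The warning is shown, with a placeholder instead of the page.
        self.assertTrue(hasOutgoingLinks(doc))
        view = img.restrictedTraverse('delete_confirmation')
        results = view()
        self.assertIn('Potential link breakage', results)
        self.assertIn('The item is not accessible.', results)
        # Pin the privacy property itself: the placeholder text alone does
        # not prove that nothing leaked, so also require that the URL of
        # the page the member cannot view is absent from the output.
        # TODO: assert the same for the page title once its value is known
        # to be non-empty in this fixture.
        self.assertNotIn(doc.absolute_url(), results)

        # delete linked item and check if the source still has the relation

        # TODO: There is a permission problem when deleting the relation.
        # When deleting the linked obj the relation is deleted by
        # z3c.relationfield.event.breakRelations. That also fires
        # ObjectModifiedEvent on the linked obj even though the user might not
        # have the permission to edit that obj.
        # Here plone.app.versioningbehavior.subscribers.create_version_on_save
        # for the linked object is triggered and results in
        # Unauthorized: You are not allowed to access 'save' in this context

        # NOTE(review): _delObject with suppress_events=True sidesteps the
        # deletion call that is commented out below, so this test does not
        # show that a member can really delete the image; revisit once the
        # Unauthorized problem described above is fixed.
        # self.portal.manage_delObjects(img.id)
        self.portal._delObject(img.id, suppress_events=True)

        # Back as the test user: modified(doc) presumably refreshes the
        # stored relations (confirm), after which no outgoing link remains.
        logout()
        login(self.portal, TEST_USER_NAME)
        modified(doc)
        self.assertFalse(hasOutgoingLinks(doc))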
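    def test_referal_to_private_files(self):
        # Scenario: image1 is about to be deleted and is linked from doc1,
        # a page the deleting user has no permission to view. The link
        # integrity warning must appear, but to protect the privacy of the
        # linking user it may show neither the name nor the URL of doc1.
        doc = self.portal.doc1
        img = self.portal.image1
        self._set_text(doc, '<a href="image1">Image 1</a>')

        roles = ('Member', )
        self.portal.manage_permission('List folder contents', roles=roles)
        self.portal.manage_permission('Delete objects', roles=roles)
        # Restrict doc1 to Managers for both permissions; acquire=0 stops
        # the setting from being acquired from the portal.
        for permission in ('View', 'Access contents information'):
            doc.manage_permission(permission, roles=('Manager', ), acquire=0)

        logout()
        login(self.portal, 'member')
        checkPermission = self.portal.portal_membership.checkPermission
        # The member must be denied on doc1 and allowed on image1,
        # otherwise the rest of the test checks nothing about privacy.
        self.assertFalse(checkPermission('View', doc))
        self.assertFalse(checkPermission('Access contents information', doc))
        self.assertTrue(checkPermission('View', img))
        self.assertTrue(checkPermission('Access contents information', img))

        # The warning is shown.
        self.assertTrue(hasOutgoingLinks(doc))
        view = img.restrictedTraverse('delete_confirmation')
        results = view()
        self.assertIn('Potential link breakage', results)
        self.assertIn('The item is not accessible.', results)
        # The placeholder being present does not rule out a leak next to
        # it, so assert directly that the URL of the hidden page is not
        # in the rendered confirmation.
        self.assertNotIn(doc.absolute_url(), results)

        # delete linked item and check if the source still has the relation

        # TODO: There is a permission problem when deleting the relation.
        # When deleting the linked obj the relation is deleted by
        # z3c.relationfield.event.breakRelations. That also fires
        # ObjectModifiedEvent on the linked obj even though the user might not
        # have the permission to edit that obj.
        # Here plone.app.versioningbehavior.subscribers.create_version_on_save
        # for the linked object is triggered and results in
        # Unauthorized: You are not allowed to access 'save' in this context

        # NOTE(review): the workaround below removes the image without
        # firing events, so the member's real deletion path (the call that
        # is commented out) stays untested until the TODO is resolved.
        # self.portal.manage_delObjects(img.id)
        self.portal._delObject(img.id, suppress_events=True)

        # Switch back to the test user before touching doc again; after
        # modified(doc) the page is expected to have no outgoing links.
        logout()
        login(self.portal, TEST_USER_NAME)
        modified(doc)
        self.assertFalse(hasOutgoingLinks(doc))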
Exemplo n.º 3
    def test_file_reference_linkintegrity_page_is_shown(self):
        # Browser-level check: deleting a File that a page links to shows
        # the link integrity confirmation; Cancel keeps the file and
        # Delete removes it.
        page = self.portal.doc1
        target = testing.create(self.portal,
                                'File',
                                id='file2',
                                file=testing.GIF)

        # The outgoing link only exists once the page body points at file2.
        self.assertFalse(hasOutgoingLinks(page))
        self._set_text(page, '<a href="file2">A File</a>')
        self.assertTrue(hasOutgoingLinks(page))
        self.assertIn('file2', self.portal.objectIds())

        # The token is sent as the _authenticator parameter, on the test
        # request and in the URL opened below (presumably the CSRF token
        # the confirmation form checks; confirm). Passing it in a query
        # string is a test shortcut: in production URLs such tokens end up
        # in logs and Referer headers.
        csrf_token = self._get_token(target)
        self.request['_authenticator'] = csrf_token

        # Make changes visible to test browser
        transaction.commit()

        browser = self.browser
        browser.handleErrors = True
        # NOTE(review): "Basic user:password" is not base64-encoded as
        # HTTP Basic auth requires; presumably the test browser accepts or
        # encodes this form (confirm). Do not copy it outside tests.
        credentials = 'Basic {0:s}:{1:s}'.format(
            TEST_USER_NAME, TEST_USER_PASSWORD)
        browser.addHeader('Authorization', credentials)

        delete_url = '{0:s}/delete_confirmation?_authenticator={1:s}'.format(
            target.absolute_url(), csrf_token)

        # Try to remove but cancel
        browser.open(delete_url)

        # Validate text: the warning, the linking page and the question.
        expected_fragments = (
            'Potential link breakage',
            '<a href="http://nohost/plone/doc1">Test Page 1</a>',
            'Would you like to delete it anyway?',
        )
        for fragment in expected_fragments:
            self.assertIn(fragment, browser.contents)

        # Click cancel button, item should stay in place
        # FIXME! This fails in Archetypes because the redirect
        # plone.app.content.browser.actions.DeleteConfirmationForm.handle_cancel
        # is broken for AT-content.
        browser.getControl(name='form.buttons.Cancel').click()
        self.assertEqual(browser.url, target.absolute_url() + '/view')
        self.assertIn('Removal cancelled.', browser.contents)
        self.assertIn('file2', self.portal.objectIds())

        # Try to remove and confirm
        browser.open(delete_url)
        browser.getControl(name='form.buttons.Delete').click()
        self.assertNotIn('file2', self.portal.objectIds())
    def test_file_reference_linkintegrity_page_is_shown(self):
        # Walk the delete confirmation for a File that doc1 links to:
        # the breakage warning names doc1, Cancel leaves file2 in the
        # portal and Delete removes it.
        linking_doc = self.portal.doc1
        linked_file = testing.create(
            self.portal, 'File', id='file2', file=testing.GIF)

        # No outgoing link before the body is set, one afterwards.
        self.assertFalse(hasOutgoingLinks(linking_doc))
        self._set_text(linking_doc, '<a href="file2">A File</a>')
        self.assertTrue(hasOutgoingLinks(linking_doc))
        self.assertIn('file2', self.portal.objectIds())

        # Token for the _authenticator parameter; it is set on the test
        # request and repeated in the query string of delete_url
        # (presumably a CSRF token; confirm against _get_token).
        auth_token = self._get_token(linked_file)
        self.request['_authenticator'] = auth_token

        # Make changes visible to test browser
        transaction.commit()

        self.browser.handleErrors = True
        # NOTE(review): the credentials follow "Basic" in clear text
        # rather than base64; this looks like a test-harness convention
        # (confirm) and is not a valid header for a real server.
        auth_value = 'Basic {0:s}:{1:s}'.format(
            TEST_USER_NAME, TEST_USER_PASSWORD)
        self.browser.addHeader('Authorization', auth_value)

        delete_url = '{0:s}/delete_confirmation?_authenticator={1:s}'.format(
            linked_file.absolute_url(), auth_token)

        # Try to remove but cancel
        self.browser.open(delete_url)

        # Validate text
        confirmation_html = self.browser.contents
        self.assertIn('Potential link breakage', confirmation_html)
        self.assertIn('<a href="http://nohost/plone/doc1">Test Page 1</a>',
                      confirmation_html)
        self.assertIn('Would you like to delete it anyway?',
                      confirmation_html)

        # Click cancel button, item should stay in place
        # FIXME! This fails in Archetypes because the redirect
        # plone.app.content.browser.actions.DeleteConfirmationForm.handle_cancel
        # is broken for AT-content.
        cancel_button = self.browser.getControl(name='form.buttons.Cancel')
        cancel_button.click()
        self.assertEqual(self.browser.url,
                         linked_file.absolute_url() + '/view')
        self.assertIn('Removal cancelled.', self.browser.contents)
        self.assertIn('file2', self.portal.objectIds())

        # Try to remove and confirm
        self.browser.open(delete_url)
        delete_button = self.browser.getControl(name='form.buttons.Delete')
        delete_button.click()
        self.assertNotIn('file2', self.portal.objectIds())