def test_manage_removeRoleFromPricipal_POST_permissionsT(self): USER_ID = 'testuser' ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') req.set('SESSION', {}) self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals, ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals, ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) req.form['csrf_token'] = 'deadbeef' req.SESSION['_csrft_'] = 'deadbeef' zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req)
def test_manage_removePrincipalsFromGroup_POST_permissions(self): USER_ID = 'testuser' GROUP_ID = 'testgroup' zgm = self._makeOne() zgm.prefix = 'prefixed_' zgm.addGroup(GROUP_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') req.set('SESSION', {}) self.assertRaises(Forbidden, zgm.manage_removePrincipalsFromGroup, GROUP_ID, [USER_ID], REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') self.assertRaises(Forbidden, zgm.manage_removePrincipalsFromGroup, GROUP_ID, [USER_ID], REQUEST=req) # Works with a POST + CSRF token req.form['csrf_token'] = 'deadbeef' req.SESSION['_csrft_'] = 'deadbeef' zgm.manage_removePrincipalsFromGroup(GROUP_ID, [USER_ID], REQUEST=req)
def _makeOne(self, id='test', *args, **kw): plugin = self._getTargetClass()(id=id, *args, **kw) # We need to bind a fake request to this plugin request, dummy_response = makeRequestAndResponse() setattr(plugin, 'REQUEST', request) return plugin
def test_manage_updateUserPassword_POST_permissions(self): USER_ID = 'testuser' PASSWORD = '******' ENCRYPTED = pw_encrypt(PASSWORD) zum = self._makeOne() zum.addUser(USER_ID, USER_ID, '') req, res = makeRequestAndResponse() # Fails with a GET req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') req.set('SESSION', {}) self.assertRaises(Forbidden, zum.manage_updateUserPassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') self.assertRaises(Forbidden, zum.manage_updateUserPassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req) # Works with a POST + CSRF toekn req.form['csrf_token'] = 'deadbeef' req.SESSION['_csrft_'] = 'deadbeef' zum.manage_updateUserPassword(USER_ID, PASSWORD, PASSWORD, REQUEST=req)
def testPOSTProtections(self): from AccessControl.AuthEncoding import pw_encrypt from zExceptions import Forbidden USER_ID = 'testuser' PASSWORD = '******' ENCRYPTED = pw_encrypt(PASSWORD) zum = self._makeOne() zum.addUser(USER_ID, USER_ID, '') req, res = makeRequestAndResponse() # test manage_updateUserPassword # Fails with a GET req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zum.manage_updateUserPassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zum.manage_updateUserPassword(USER_ID, PASSWORD, PASSWORD, REQUEST=req) # test manage_updatePassword req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zum.manage_updatePassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req) # XXX: This method is broken # test manage_removeUsers req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zum.manage_removeUsers, [USER_ID], REQUEST=req) req.set('REQUEST_METHOD', 'POST') zum.manage_removeUsers([USER_ID], REQUEST=req)
def testPOSTProtections(self): from zExceptions import Forbidden USER_ID = 'testuser' GROUP_ID = 'testgroup' zgm = self._makeOne() zgm.prefix = 'prefixed_' zgm.addGroup( GROUP_ID ) user = DummyUser( USER_ID ) req, res = makeRequestAndResponse() # test addPrincipalToGroup # Fails with a GET req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.addPrincipalToGroup, USER_ID, GROUP_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zgm.addPrincipalToGroup(USER_ID, GROUP_ID, REQUEST=req) # test removePrincipalFromGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.removePrincipalFromGroup, USER_ID, GROUP_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zgm.removePrincipalFromGroup(USER_ID, GROUP_ID, REQUEST=req) # test manage_addPrincipalsToGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.manage_addPrincipalsToGroup, GROUP_ID, [USER_ID], REQUEST=req) req.set('REQUEST_METHOD', 'POST') zgm.manage_addPrincipalsToGroup(GROUP_ID, [USER_ID], REQUEST=req) # test manage_removePrincipalsFromGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.manage_removePrincipalsFromGroup, GROUP_ID, [USER_ID], REQUEST=req) req.set('REQUEST_METHOD', 'POST') zgm.manage_removePrincipalsFromGroup(GROUP_ID, [USER_ID], REQUEST=req) # test manage_removeGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.manage_removeGroups, [GROUP_ID], REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zgm.manage_removeGroups([GROUP_ID], REQUEST=req)
def test_manage_updatePassword_POST_permissions(self): USER_ID = 'testuser' PASSWORD = '******' ENCRYPTED = pw_encrypt(PASSWORD) zum = self._makeOne() zum.addUser(USER_ID, USER_ID, '') req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zum.manage_updatePassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req)
def test_manage_removeRoles_POST_permissions(self): ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zrm.manage_removeRoles, [ROLE_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)
def test_manage_removeGroup_POST_permissions(self): GROUP_ID = 'testgroup' zgm = self._makeOne() zgm.prefix = 'prefixed_' zgm.addGroup(GROUP_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zgm.manage_removeGroups, [GROUP_ID], REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') zgm.manage_removeGroups([GROUP_ID], REQUEST=req)
def test_removeRole_POST_permissions(self): ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zrm.removeRole, ROLE_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') zrm.removeRole(ROLE_ID, REQUEST=req)
def test_manage_updatePassword(self): from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManagement import noSecurityManager from Acquisition import Implicit # Test that a user can update her own password using the # ZMI-provided form handler: http://www.zope.org/Collectors/PAS/56 zum = self._makeOne() # Create a user and make sure we can authenticate with it zum.addUser( 'user1', '*****@*****.**', 'password' ) info1 = { 'login' : '*****@*****.**', 'password' : 'password' } self.failUnless(zum.authenticateCredentials(info1)) # Give the user a new password; attempting to authenticate with the # old password must fail class FauxUser(Implicit): def __init__(self, id): self._id = id def getId( self ): return self._id req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') req.SESSION = {'_csrft_': 'deadbeef'} req.form['csrf_token'] = 'deadbeef' newSecurityManager(None, FauxUser('user1')) try: zum.manage_updatePassword('*****@*****.**', 'new_password', 'new_password', REQUEST=req, ) finally: noSecurityManager() self.failIf(zum.authenticateCredentials(info1)) # Try to authenticate with the new password, this must succeed. info2 = { 'login' : '*****@*****.**', 'password' : 'new_password' } user_id, login = zum.authenticateCredentials(info2) self.assertEqual(user_id, 'user1') self.assertEqual(login, '*****@*****.**')
def test_manage_updatePassword(self): from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManagement import noSecurityManager from Acquisition import Implicit # Test that a user can update her own password using the # ZMI-provided form handler: http://www.zope.org/Collectors/PAS/56 zum = self._makeOne() # Create a user and make sure we can authenticate with it zum.addUser('user1', '*****@*****.**', 'password') info1 = {'login': '******', 'password': '******'} self.failUnless(zum.authenticateCredentials(info1)) # Give the user a new password; attempting to authenticate with the # old password must fail class FauxUser(Implicit): def __init__(self, id): self._id = id def getId(self): return self._id req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') req.SESSION = {'_csrft_': 'deadbeef'} req.form['csrf_token'] = 'deadbeef' newSecurityManager(None, FauxUser('user1')) try: zum.manage_updatePassword('*****@*****.**', 'new_password', 'new_password', REQUEST=req, ) finally: noSecurityManager() self.failIf(zum.authenticateCredentials(info1)) # Try to authenticate with the new password, this must succeed. info2 = {'login': '******', 'password': '******'} user_id, login = zum.authenticateCredentials(info2) self.assertEqual(user_id, 'user1') self.assertEqual(login, '*****@*****.**')
def test_removePrincipalFromGroup_POST_permissions(self): USER_ID = 'testuser' GROUP_ID = 'testgroup' zgm = self._makeOne() zgm.prefix = 'prefixed_' zgm.addGroup(GROUP_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zgm.removePrincipalFromGroup, USER_ID, GROUP_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') zgm.removePrincipalFromGroup(USER_ID, GROUP_ID, REQUEST=req)
def test_manage_updateUserPassword_POST_permissions(self): USER_ID = 'testuser' PASSWORD = '******' ENCRYPTED = pw_encrypt(PASSWORD) zum = self._makeOne() zum.addUser(USER_ID, USER_ID, '') req, res = makeRequestAndResponse() # Fails with a GET req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zum.manage_updateUserPassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') zum.manage_updateUserPassword(USER_ID, PASSWORD, PASSWORD, REQUEST=req)
def testPOSTProtections(self): from zExceptions import Forbidden GROUP_ID = 'testgroup' dpg = self._makeOne('adding') dpg.addGroup(GROUP_ID, 'python:True', 'title', 'description', True) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') # Fails with a GET # test removeGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, dpg.removeGroup, GROUP_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') dpg.removeGroup(GROUP_ID, REQUEST=req)
def test_assignRoleToPrincipal_POST_permissions(self): USER_ID = 'testuser' ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) req, res = makeRequestAndResponse() # Fails with a GET req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') self.assertRaises(Forbidden, zrm.assignRoleToPrincipal, ROLE_ID, USER_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req)
def test_manage_removeUsers_POST_permissions(self): USER_ID = 'testuser' zum = self._makeOne() zum.addUser(USER_ID, USER_ID, '') req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') req.set('SESSION', {}) self.assertRaises(Forbidden, zum.manage_removeUsers, [USER_ID], REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') self.assertRaises(Forbidden, zum.manage_removeUsers, [USER_ID], REQUEST=req) req.form['csrf_token'] = 'deadbeef' req.SESSION['_csrft_'] = 'deadbeef' zum.manage_removeUsers([USER_ID], REQUEST=req)
def testPOSTProtections(self): from zExceptions import Forbidden GROUP_ID = 'testgroup' dpg = self._makeOne( 'adding' ) dpg.addGroup( GROUP_ID, 'python:True', 'title', 'description', True ) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') # Fails with a GET # test removeGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, dpg.removeGroup, GROUP_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') dpg.removeGroup(GROUP_ID, REQUEST=req)
def test_manage_updatePassword_POST_permissions(self): from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManagement import noSecurityManager from Acquisition import Implicit # Give the user a new password; attempting to authenticate with the # old password must fail class FauxUser(Implicit): def __init__(self, id): self._id = id def getId(self): return self._id USER_ID = 'testuser' PASSWORD = '******' zum = self._makeOne() zum.addUser(USER_ID, USER_ID, '') req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') req.set('SESSION', {}) newSecurityManager(None, FauxUser(USER_ID)) try: self.assertRaises(Forbidden, zum.manage_updatePassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') self.assertRaises(Forbidden, zum.manage_updatePassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req) # Works with a POST + CSRF toekn req.form['csrf_token'] = 'deadbeef' req.SESSION['_csrft_'] = 'deadbeef' zum.manage_updatePassword(USER_ID, PASSWORD, PASSWORD, REQUEST=req) finally: noSecurityManager()
def test_manage_updatePassword_POST_permissions(self): from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManagement import noSecurityManager from Acquisition import Implicit # Give the user a new password; attempting to authenticate with the # old password must fail class FauxUser(Implicit): def __init__(self, id): self._id = id def getId( self ): return self._id USER_ID = 'testuser' PASSWORD = '******' ENCRYPTED = pw_encrypt(PASSWORD) zum = self._makeOne() zum.addUser(USER_ID, USER_ID, '') req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') req.set('SESSION', {}) newSecurityManager(None, FauxUser(USER_ID)) try: self.assertRaises(Forbidden, zum.manage_updatePassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') self.assertRaises(Forbidden, zum.manage_updatePassword, USER_ID, PASSWORD, PASSWORD, REQUEST=req) # Works with a POST + CSRF toekn req.form['csrf_token'] = 'deadbeef' req.SESSION['_csrft_'] = 'deadbeef' zum.manage_updatePassword(USER_ID, PASSWORD, PASSWORD, REQUEST=req) finally: noSecurityManager()
def test_manage_removeGroup_POST_permissions(self): GROUP_ID = 'testgroup' zgm = self._makeOne() zgm.prefix = 'prefixed_' zgm.addGroup(GROUP_ID) req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') req.set('SESSION', {}) self.assertRaises(Forbidden, zgm.manage_removeGroups, [GROUP_ID], REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') self.assertRaises(Forbidden, zgm.manage_removeGroups, [GROUP_ID], REQUEST=req) # Works with a POST + CSRF token req.form['csrf_token'] = 'deadbeef' req.SESSION['_csrft_'] = 'deadbeef' zgm.manage_removeGroups([GROUP_ID], REQUEST=req)
def test_manage_removeUsers_POST_permissions(self): USER_ID = 'testuser' PASSWORD = '******' ENCRYPTED = pw_encrypt(PASSWORD) zum = self._makeOne() zum.addUser(USER_ID, USER_ID, '') req, res = makeRequestAndResponse() req.set('REQUEST_METHOD', 'GET') req.set('method', 'GET') req.set('SESSION', {}) self.assertRaises(Forbidden, zum.manage_removeUsers, [USER_ID], REQUEST=req) req.set('REQUEST_METHOD', 'POST') req.set('method', 'POST') self.assertRaises(Forbidden, zum.manage_removeUsers, [USER_ID], REQUEST=req) req.form['csrf_token'] = 'deadbeef' req.SESSION['_csrft_'] = 'deadbeef' zum.manage_removeUsers([USER_ID], REQUEST=req)
def testPOSTProtections(self): from zExceptions import Forbidden USER_ID = 'testuser' ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne(id='remove_existing').__of__(root) zrm = self._makeOne() zrm.addRole(ROLE_ID) user = DummyUser(USER_ID) req, res = makeRequestAndResponse() # Fails with a GET # test assignRoleToPrincipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.assignRoleToPrincipal, ROLE_ID, USER_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req) # test removeRoleFromPricipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.removeRoleFromPrincipal, ROLE_ID, USER_ID, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.removeRoleFromPrincipal(ROLE_ID, USER_ID, REQUEST=req) # test removeRole req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.removeRole, ROLE_ID, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.removeRole(ROLE_ID, REQUEST=req) # Readd the role for the manage_* methods zrm.addRole(ROLE_ID) # test manage_assignRoleToPrincipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.manage_assignRoleToPrincipals, ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.manage_assignRoleToPrincipals(ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) # test manage_removeRoleFromPricipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals, ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) # test manage_removeRoles req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.manage_removeRoles, [ROLE_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)
def testPOSTProtections(self): from zExceptions import Forbidden USER_ID = 'testuser' ROLE_ID = 'myrole' root = FauxPAS() zrm = self._makeOne( id='remove_existing' ).__of__( root ) zrm = self._makeOne() zrm.addRole(ROLE_ID) user = DummyUser( USER_ID ) req, res = makeRequestAndResponse() # Fails with a GET # test assignRoleToPrincipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.assignRoleToPrincipal, ROLE_ID, USER_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zrm.assignRoleToPrincipal(ROLE_ID, USER_ID, REQUEST=req) # test removeRoleFromPricipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.removeRoleFromPrincipal, ROLE_ID, USER_ID, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.removeRoleFromPrincipal(ROLE_ID, USER_ID, REQUEST=req) # test removeRole req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.removeRole, ROLE_ID, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.removeRole(ROLE_ID, REQUEST=req) # Readd the role for the manage_* methods zrm.addRole(ROLE_ID) # test manage_assignRoleToPrincipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.manage_assignRoleToPrincipals, ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.manage_assignRoleToPrincipals(ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) # test manage_removeRoleFromPricipal req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.manage_removeRoleFromPrincipals, ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.manage_removeRoleFromPrincipals(ROLE_ID, [USER_ID], RESPONSE=res, REQUEST=req) # test manage_removeRoles req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zrm.manage_removeRoles, [ROLE_ID], RESPONSE=res, REQUEST=req) req.set('REQUEST_METHOD', 'POST') zrm.manage_removeRoles([ROLE_ID], RESPONSE=res, REQUEST=req)
def testPOSTProtections(self): from zExceptions import Forbidden USER_ID = 'testuser' GROUP_ID = 'testgroup' zgm = self._makeOne() zgm.prefix = 'prefixed_' zgm.addGroup(GROUP_ID) user = DummyUser(USER_ID) req, res = makeRequestAndResponse() # test addPrincipalToGroup # Fails with a GET req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.addPrincipalToGroup, USER_ID, GROUP_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zgm.addPrincipalToGroup(USER_ID, GROUP_ID, REQUEST=req) # test removePrincipalFromGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.removePrincipalFromGroup, USER_ID, GROUP_ID, REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zgm.removePrincipalFromGroup(USER_ID, GROUP_ID, REQUEST=req) # test manage_addPrincipalsToGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.manage_addPrincipalsToGroup, GROUP_ID, [USER_ID], REQUEST=req) req.set('REQUEST_METHOD', 'POST') zgm.manage_addPrincipalsToGroup(GROUP_ID, [USER_ID], REQUEST=req) # test manage_removePrincipalsFromGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.manage_removePrincipalsFromGroup, GROUP_ID, [USER_ID], REQUEST=req) req.set('REQUEST_METHOD', 'POST') zgm.manage_removePrincipalsFromGroup(GROUP_ID, [USER_ID], REQUEST=req) # test manage_removeGroup req.set('REQUEST_METHOD', 'GET') self.assertRaises(Forbidden, zgm.manage_removeGroups, [GROUP_ID], REQUEST=req) # Works with a POST req.set('REQUEST_METHOD', 'POST') zgm.manage_removeGroups([GROUP_ID], REQUEST=req)