Davis, Michael wrote:
>
> I'm upgrading PloneSurvey to plone 3.3.5, but two tests are still failing.
>
> Essentially the test is checking that an Unauthorized exception is raised
> when a method is called as anonymous, as the method is protected with
> ModifyPortalContent permission. However, anonymous can call the method fine
> without having that permission. Changing the method protection to
> declarePrivate also doesn't raise an exception. It looks like the security
> context is not checked when called this way through a unit test. The
> protection works fine testing manually ttw.
>
Security checks are only performed when the code is executed as a RestrictedPython (through-the-web) script. RestrictedPython will get special security manager call-proxies put in *during compile time*. You need to compile your .py file as a Zope Python script, or the security does not take place.

Unit tests are executed as normal Python application code.

So security applies only if you

1) execute code in a through-the-web script
2) call the method by HTTP traversing.

Very confusing. The whole RestrictedPython or through-the-web scripting has turned out to be a bad idea (the Python sandboxing idea was abandoned by Python developers a long time ago) and you really should use BrowserViews from Zope 3 for everything for new code, which make security more apparent.

More info: http://plone.org/documentation/manual/plone-community-developer-documentation/security-1/sandboxing

-----
Mikko Ohtamaa
mFabrik - Freedom Delivered.
Web site - http://mfabrik.com
Mobile site - http://mfabrik.mobi
Blog - http://blog.mfabrik.com

--
View this message in context: http://plone.293351.n2.nabble.com/DeclareProtected-being-skipped-from-unit-test-tp5578954p5583496.html
Sent from the Product Developers mailing list archive at Nabble.com.
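The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Zope or AccessControl code: a simplified pure-Python model in which a permission declaration is only metadata and a separate checked boundary enforces it. All names (`declare_protected`, `checked_traverse`, `Survey`, `call_as`, `is_denied`) are hypothetical.

```python
# Simplified model, not Zope/AccessControl code: the declaration only records
# a permission; enforcement happens where the attribute is looked up through
# a checked boundary, never inside the method itself.

class Unauthorized(Exception):
    pass

def declare_protected(permission):
    """Record the required permission on the method without wrapping it."""
    def mark(func):
        func.__required_permission__ = permission
        return func
    return mark

class User:
    def __init__(self, name, permissions=()):
        self.name = name
        self.permissions = frozenset(permissions)

# Constructed sample users.
ANONYMOUS = User("Anonymous User")
MANAGER = User("manager", {"Modify portal content"})

class Survey:
    def __init__(self):
        self.title = "untitled"

    @declare_protected("Modify portal content")
    def set_title(self, title):
        self.title = title
        return title

def checked_traverse(obj, name, user):
    """Checked boundary: enforce the declaration before handing out the attribute."""
    attr = getattr(obj, name)
    required = getattr(attr, "__required_permission__", None)
    if required is not None and required not in user.permissions:
        raise Unauthorized(f"{user.name} lacks {required!r} for {name}")
    return attr

def call_as(user, obj, name, *args):
    """Call a method the way restricted code would: through the boundary."""
    return checked_traverse(obj, name, user)(*args)

def is_denied(user, obj, name, *args):
    """What a security test should assert on: the checked path raises."""
    try:
        call_as(user, obj, name, *args)
    except Unauthorized:
        return True
    return False
```

A test that calls `survey.set_title(...)` directly never reaches the check, whoever the current user is; the assertion has to go through the checked path.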
