Hi,

I've stumbled across a bug in identity.SecureResource.

The problem is that an identity.IdentityException raised inside a
controller method is not caught by identity.SecureResource, although the
documentation (http://docs.turbogears.org/1.0/IdentityManagment ) says it
should be.  Attached is a patch to test_identity.py (against the 1.0
branch) which adds some new test cases to illustrate what I mean.

Should I open a ticket for this?

-- 
Peter S Russell <[EMAIL PROTECTED]>
Qustom


Index: turbogears/identity/tests/test_identity.py
===================================================================
--- turbogears/identity/tests/test_identity.py	(revision 1932)
+++ turbogears/identity/tests/test_identity.py	(working copy)
@@ -15,6 +15,33 @@
         return "restricted_index"
     index = turbogears.expose()(index)
 
+
+    def in_admin_group(self):
+        return 'in_admin_group'
+    in_admin_group = turbogears.expose()(in_admin_group)
+    in_admin_group = identity.require(identity.in_group('admin'))(in_admin_group)
+
+    def in_other_group(self):
+        return 'in_other_group'
+    in_other_group = turbogears.expose()(in_other_group)
+    in_other_group = identity.require(identity.in_group('other'))(in_other_group)
+
+    def in_admin_group_explicit_check(self):
+        if 'admin' not in identity.current.groups:
+            raise identity.IdentityException
+        else:
+            return 'in_admin_group'
+    in_admin_group_explicit_check = turbogears.expose()(
+        in_admin_group_explicit_check)
+
+    def in_other_group_explicit_check(self):
+        if 'other' not in identity.current.groups:
+            raise identity.IdentityException
+        else:
+            return 'in_other_group'
+    in_other_group_explicit_check = turbogears.expose()(
+        in_other_group_explicit_check)
+
 class IdentityRoot(turbogears.controllers.RootController):
     
     def index(self):
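Review bot: The two `*_explicit_check` methods have no comment saying that they deliberately omit `identity.require`, so that the raised `identity.IdentityException` has to be handled by the enclosing controller (presumably the SecureResource mounted at `/peon_area`) rather than by a decorator. Without that, a later cleanup could add the decorator and the regression coverage for the reported bug would quietly disappear. I would add `# No identity.require here: the exception must be handled by SecureResource itself.` above `in_admin_group_explicit_check`. The `else:` after each `raise` is redundant and could be dropped. The enclosing class starts outside the hunk.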
@@ -23,7 +50,8 @@
     
     def identity_failed(self):
         return 'identity_failed'
-    
+    identity_failed = turbogears.expose()(identity_failed)
+
     [EMAIL PROTECTED]()
     [EMAIL PROTECTED](identity.not_anonymous())
     def logged_in_only(self):
@@ -99,13 +127,16 @@
             user = TG_User(user_name='samIam', email_address='[EMAIL PROTECTED]', 
                             display_name='Samuel Amicus', password='secret')
             peon_group = TG_Group(group_name="peon", display_name="Regular Peon")
-            admin_group = TG_Group(group_name="admin", display_name="Adiministrator")
+            admin_group = TG_Group(group_name="admin", display_name="Administrator")
+            other_group = TG_Group(group_name="other",
+        			   display_name="Another Group")
             chopper_perm = TG_Permission(permission_name='chops_wood', description="Wood Chopper")
             boss_perm = TG_Permission(permission_name='bosses_people', description="Benevolent Dictator")
 
             peon_group.addTG_Permission(chopper_perm)
             admin_group.addTG_Permission(boss_perm)
             user.addTG_Group(peon_group)
+            user.addTG_Group(other_group)
         
     def test_user_password_parameters(self):
         "Controller can receive user_name and password parameters."
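Review bot: The continuation line of the new `other_group = TG_Group(...)` call is indented with tabs while the surrounding fixture uses spaces. It parses only because it sits inside the parentheses, so it should be re-indented with spaces or joined onto one line, e.g. `other_group = TG_Group(group_name="other", display_name="Another Group")`. Separately, `user.addTG_Group(other_group)` changes the shared samIam fixture, so any existing test that depends on the user's exact group membership (none is visible in this hunk) would need a second look. The enclosing setup method starts outside the hunk.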
@@ -259,6 +290,35 @@
         firstline = cherrypy.response.body[0]
         assert 'restricted_index' in firstline, firstline
           
+    def test_decoratator_in_restricted_subdirectory(self):
+        """Test that we can require a different permission in a
+        protected subdirectory."""
+        testutil.create_request('/peon_area/in_other_group?user_name=samIam&password=secret&login=Login')
+        firstline = cherrypy.response.body[0]
+        assert 'in_other_group' in firstline, firstline
+
+    def test_decoratator_failure_in_restricted_subdirectory(self):
+        """Test that we can get an identity failure from a decorator
+        in a restricted subdirectory"""
+        testutil.create_request('/peon_area/in_admin_group?user_name=samIam&password=secret&login=Login')
+        firstline = cherrypy.response.body[0]
+        assert 'identity_failed' in firstline, firstline
+        
+    def test_explicit_checks_in_restricted_subdirectory(self):
+        """Test that explicit permission checks in a protected
+        directory is handled as expected"""
+        testutil.create_request('/peon_area/in_other_group_explicit_check?user_name=samIam&password=secret&login=Login')
+        firstline = cherrypy.response.body[0]
+        assert 'in_other_group' in firstline, firstline
+
+    def test_throwing_identity_exception_in_restricted_subdirectory(self):
+        """Test that throwing an IdentityException in a protected
+        directory is handled as expected"""
+        testutil.create_request('/peon_area/in_admin_group_explicit_check?user_name=samIam&password=secret&login=Login')
+        firstline = cherrypy.response.body[0]
+        assert 'identity_failed' in firstline, firstline
+        
+
     def tearDown(self):
         turbogears.config.update({'visit.on': self._original_visit_state, 
                                 'identity.on': self._original_identity_state,
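Review bot: Two of the new test names misspell "decorator": `test_decoratator_in_restricted_subdirectory` and `test_decoratator_failure_in_restricted_subdirectory` should be `test_decorator_in_restricted_subdirectory` and `test_decorator_failure_in_restricted_subdirectory`. The two failure-path tests assert only that `'identity_failed'` appears. Adding `assert 'in_admin_group' not in firstline, firstline` would also pin that the protected body is never returned to a user outside the group. The docstring "explicit permission checks ... is handled" should read "are handled". `tearDown` continues outside the hunk.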
