Roy Mathew wrote:
> I find that testing for security is hard, since the default user in
> the doctests seems to have "unrestricted" access to all methods and
> attributes. Is there a "unit-test friendly" way of faking a user
> with a more restricted role, so that I can reproduce security errors
> in unit tests?

Are you actually talking about functional tests, instead of unit tests?
If so, you are probably sending the "mgr:mgrpw" credentials at the
beginning of the test; you'll need to set up another non-admin user
(probably in, or included by, ftesting.zcml or the ZCML you use for your
test layer).  Once you have that user, you can use those credentials

If you're really talking about unit tests, then "security" doesn't
really apply: your domain objects don't generally "know" anything about
their security, it's all mediated by Zope.

There are methods like canAccess that can sometimes be unit
tested. I think you can use defineChecker in such cases:

   >>> from zope.security.checker import defineChecker, Checker
   >>> defineChecker(Calendar,
   ...               Checker({'addEvent': 'zope.Public'},
   ...                       {'addEvent': 'zope.Public'}))

makes addEvent look like it is protected by zope.Public for the canAccess
function. Hope that helps.

Zope3-dev mailing list
