Changing browser:view registrations to browser:page, since view doesn't actually do anything with the permissions. This fixes the problem where anyone could delete comments. evilbungle branch merge.

svn path=/plone.app.discussion/trunk/; revision=30665
Timo Stollenwerk 2009-10-17 13:50:55 +00:00
parent 78d547daa6
commit 7cd9ef2491
2 changed files with 43 additions and 14 deletions


@ -36,7 +36,7 @@
/>
<!-- Delete comment view -->
<browser:view
<browser:page
for="plone.app.discussion.interfaces.IComment"
name="moderate-delete-comment"
layer="..interfaces.IDiscussionLayer"
@ -45,7 +45,7 @@
/>
<!-- Publish comment view -->
<browser:view
<browser:page
for="plone.app.discussion.interfaces.IComment"
name="moderate-publish-comment"
layer="..interfaces.IDiscussionLayer"
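Review bot: The `permission` attribute that these two `browser:page` registrations now rely on lies outside both hunks, so the fix cannot be confirmed from the visible lines. Check that each directive names a moderation-level permission rather than a broadly granted one. If other `browser:view` registrations in this file also declare a permission, they presumably have the same gap the commit message describes and should be converted too. A short comment above each directive, e.g. `<!-- browser:page, not browser:view: the declared permission must be enforced on traversal -->`, would keep a later refactor from reverting the change.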


@ -4,6 +4,8 @@ from zope.component import createObject
from zope.interface import alsoProvides
from AccessControl import Unauthorized
from Products.PloneTestCase.ptc import PloneTestCase
from plone.app.discussion.tests.layer import DiscussionLayer
@ -67,20 +69,47 @@ class TestCommentOperations(PloneTestCase):
alsoProvides(self.portal.REQUEST, IDiscussionLayer)
def test_delete(self):
pass
#self.portal.REQUEST.form['comment_id'] = self.comment_id
#view = self.comment.restrictedTraverse('@@moderate-delete-comment')
#view()
#self.failIf(self.comment_id in self.conversation.objectIds())
self.portal.REQUEST.form['comment_id'] = self.comment_id
view = self.comment.restrictedTraverse('@@moderate-delete-comment')
view()
self.failIf(self.comment_id in self.conversation.objectIds())
def test_delete_as_anonymous(self):
# Make sure that anonymous users can not delete comments
self.logout()
self.portal.REQUEST.form['comment_id'] = self.comment_id
self.assertRaises(Unauthorized,
self.comment.restrictedTraverse,
'@@moderate-delete-comment')
self.failUnless(self.comment_id in self.conversation.objectIds())
def test_delete_as_user(self):
# Make sure that members can not delete comments
self.logout()
self.setRoles(('Member',))
self.portal.REQUEST.form['comment_id'] = self.comment_id
self.assertRaises(Unauthorized,
self.comment.restrictedTraverse,
'@@moderate-delete-comment')
self.failUnless(self.comment_id in self.conversation.objectIds())
def test_publish(self):
pass
#self.portal.REQUEST.form['comment_id'] = self.comment_id
#self.portal.REQUEST.form['action'] = 'publish'
#self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
#view = self.reply.restrictedTraverse('@@review-publish-comment')
#view()
#self.assertEquals('published', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
self.portal.REQUEST.form['comment_id'] = self.comment_id
self.portal.REQUEST.form['action'] = 'publish'
self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
view = self.comment.restrictedTraverse('@@moderate-publish-comment')
view()
self.assertEquals('published', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
def test_publish_as_anonymous(self):
self.logout()
self.portal.REQUEST.form['comment_id'] = self.comment_id
self.portal.REQUEST.form['action'] = 'publish'
self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
self.assertRaises(Unauthorized,
self.comment.restrictedTraverse,
'@@moderate-publish-comment')
self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
def test_suite():
return unittest.defaultTestLoader.loadTestsFromName(__name__)
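Review bot: `test_delete_as_user` calls `self.logout()` before `self.setRoles(('Member',))`, so it probably still runs as Anonymous and only repeats `test_delete_as_anonymous`. As far as I know, the test-case `setRoles` helper re-authenticates only when the named user is the one currently logged in. Either drop the `self.logout()` line or add `self.login()` after `self.setRoles(('Member',))`, so the `Unauthorized` assertion is exercised with an authenticated Member. The publish view has no Member counterpart, and a `test_publish_as_user` built the same way would cover it. `test_publish_as_anonymous` would also benefit from a comment like the ones on the delete tests, e.g. `# Make sure that anonymous users can not publish comments`.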