Changing browser:view registrations to browser:page since view doesn't actually do anything with the permissions. This fixes the anyone can delete comments problem. evilbungle branch merge.
svn path=/plone.app.discussion/trunk/; revision=30665
This commit is contained in:
Timo Stollenwerk
parent
78d547daa6
commit
7cd9ef2491
|
|
@ -36,7 +36,7 @@
|
||||||
/>
|
/>
|
||||||
|
|
||||||
<!-- Delete comment view -->
|
<!-- Delete comment view -->
|
||||||
<browser:view
|
<browser:page
|
||||||
for="plone.app.discussion.interfaces.IComment"
|
for="plone.app.discussion.interfaces.IComment"
|
||||||
name="moderate-delete-comment"
|
name="moderate-delete-comment"
|
||||||
layer="..interfaces.IDiscussionLayer"
|
layer="..interfaces.IDiscussionLayer"
|
||||||
|
|
@ -45,7 +45,7 @@
|
||||||
/>
|
/>
|
||||||
|
|
||||||
<!-- Publish comment view -->
|
<!-- Publish comment view -->
|
||||||
<browser:view
|
<browser:page
|
||||||
for="plone.app.discussion.interfaces.IComment"
|
for="plone.app.discussion.interfaces.IComment"
|
||||||
name="moderate-publish-comment"
|
name="moderate-publish-comment"
|
||||||
layer="..interfaces.IDiscussionLayer"
|
layer="..interfaces.IDiscussionLayer"
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,8 @@ from zope.component import createObject
|
||||||
|
|
||||||
from zope.interface import alsoProvides
|
from zope.interface import alsoProvides
|
||||||
|
|
||||||
|
from AccessControl import Unauthorized
|
||||||
|
|
||||||
from Products.PloneTestCase.ptc import PloneTestCase
|
from Products.PloneTestCase.ptc import PloneTestCase
|
||||||
|
|
||||||
from plone.app.discussion.tests.layer import DiscussionLayer
|
from plone.app.discussion.tests.layer import DiscussionLayer
|
||||||
|
|
@ -67,20 +69,47 @@ class TestCommentOperations(PloneTestCase):
|
||||||
alsoProvides(self.portal.REQUEST, IDiscussionLayer)
|
alsoProvides(self.portal.REQUEST, IDiscussionLayer)
|
||||||
|
|
||||||
def test_delete(self):
|
def test_delete(self):
|
||||||
pass
|
self.portal.REQUEST.form['comment_id'] = self.comment_id
|
||||||
#self.portal.REQUEST.form['comment_id'] = self.comment_id
|
view = self.comment.restrictedTraverse('@@moderate-delete-comment')
|
||||||
#view = self.comment.restrictedTraverse('@@moderate-delete-comment')
|
view()
|
||||||
#view()
|
self.failIf(self.comment_id in self.conversation.objectIds())
|
||||||
#self.failIf(self.comment_id in self.conversation.objectIds())
|
|
||||||
|
def test_delete_as_anonymous(self):
|
||||||
|
# Make sure that anonymous users can not delete comments
|
||||||
|
self.logout()
|
||||||
|
self.portal.REQUEST.form['comment_id'] = self.comment_id
|
||||||
|
self.assertRaises(Unauthorized,
|
||||||
|
self.comment.restrictedTraverse,
|
||||||
|
'@@moderate-delete-comment')
|
||||||
|
self.failUnless(self.comment_id in self.conversation.objectIds())
|
||||||
|
|
||||||
|
def test_delete_as_user(self):
|
||||||
|
# Make sure that members can not delete comments
|
||||||
|
self.logout()
|
||||||
|
self.setRoles(('Member',))
|
||||||
|
self.portal.REQUEST.form['comment_id'] = self.comment_id
|
||||||
|
self.assertRaises(Unauthorized,
|
||||||
|
self.comment.restrictedTraverse,
|
||||||
|
'@@moderate-delete-comment')
|
||||||
|
self.failUnless(self.comment_id in self.conversation.objectIds())
|
||||||
|
|
||||||
def test_publish(self):
|
def test_publish(self):
|
||||||
pass
|
self.portal.REQUEST.form['comment_id'] = self.comment_id
|
||||||
#self.portal.REQUEST.form['comment_id'] = self.comment_id
|
self.portal.REQUEST.form['action'] = 'publish'
|
||||||
#self.portal.REQUEST.form['action'] = 'publish'
|
self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
|
||||||
#self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
|
view = self.comment.restrictedTraverse('@@moderate-publish-comment')
|
||||||
#view = self.reply.restrictedTraverse('@@review-publish-comment')
|
view()
|
||||||
#view()
|
self.assertEquals('published', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
|
||||||
#self.assertEquals('published', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
|
|
||||||
|
def test_publish_as_anonymous(self):
|
||||||
|
self.logout()
|
||||||
|
self.portal.REQUEST.form['comment_id'] = self.comment_id
|
||||||
|
self.portal.REQUEST.form['action'] = 'publish'
|
||||||
|
self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
|
||||||
|
self.assertRaises(Unauthorized,
|
||||||
|
self.comment.restrictedTraverse,
|
||||||
|
'@@moderate-publish-comment')
|
||||||
|
self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
|
||||||
|
|
||||||
def test_suite():
|
def test_suite():
|
||||||
return unittest.defaultTestLoader.loadTestsFromName(__name__)
|
return unittest.defaultTestLoader.loadTestsFromName(__name__)
|
||||||
Loading…
Reference in New Issue