Changing browser:view registrations to browser:page, since browser:view doesn't actually do anything with the permissions. This fixes the problem that anyone could delete comments. evilbungle branch merge.

svn path=/plone.app.discussion/trunk/; revision=30665
Timo Stollenwerk 2009-10-17 13:50:55 +00:00
parent 78d547daa6
commit 7cd9ef2491
2 changed files with 43 additions and 14 deletions


@ -36,7 +36,7 @@
/> />
<!-- Delete comment view --> <!-- Delete comment view -->
<browser:view <browser:page
for="plone.app.discussion.interfaces.IComment" for="plone.app.discussion.interfaces.IComment"
name="moderate-delete-comment" name="moderate-delete-comment"
layer="..interfaces.IDiscussionLayer" layer="..interfaces.IDiscussionLayer"
@ -45,7 +45,7 @@
/> />
<!-- Publish comment view --> <!-- Publish comment view -->
<browser:view <browser:page
for="plone.app.discussion.interfaces.IComment" for="plone.app.discussion.interfaces.IComment"
name="moderate-publish-comment" name="moderate-publish-comment"
layer="..interfaces.IDiscussionLayer" layer="..interfaces.IDiscussionLayer"
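Review bot: Nothing in either registration records why `browser:page` is required, so a later cleanup could switch them back to `browser:view` and, per the commit message, lose the permission check again without any visible failure in the ZCML. I would extend the existing comments, e.g. `<!-- Delete comment view. Must stay browser:page: browser:view does not enforce the permission. -->`, and the same for the publish view. The `permission` attribute of both directives lies outside the visible hunks, so it is worth confirming that it names a moderation-level permission rather than a public one. Any other `browser:view` registration in this file that declares a permission presumably has the same gap and should be checked.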


@ -4,6 +4,8 @@ from zope.component import createObject
from zope.interface import alsoProvides from zope.interface import alsoProvides
from AccessControl import Unauthorized
from Products.PloneTestCase.ptc import PloneTestCase from Products.PloneTestCase.ptc import PloneTestCase
from plone.app.discussion.tests.layer import DiscussionLayer from plone.app.discussion.tests.layer import DiscussionLayer
@ -67,20 +69,47 @@ class TestCommentOperations(PloneTestCase):
alsoProvides(self.portal.REQUEST, IDiscussionLayer) alsoProvides(self.portal.REQUEST, IDiscussionLayer)
def test_delete(self): def test_delete(self):
pass self.portal.REQUEST.form['comment_id'] = self.comment_id
#self.portal.REQUEST.form['comment_id'] = self.comment_id view = self.comment.restrictedTraverse('@@moderate-delete-comment')
#view = self.comment.restrictedTraverse('@@moderate-delete-comment') view()
#view() self.failIf(self.comment_id in self.conversation.objectIds())
#self.failIf(self.comment_id in self.conversation.objectIds())
def test_delete_as_anonymous(self):
# Make sure that anonymous users can not delete comments
self.logout()
self.portal.REQUEST.form['comment_id'] = self.comment_id
self.assertRaises(Unauthorized,
self.comment.restrictedTraverse,
'@@moderate-delete-comment')
self.failUnless(self.comment_id in self.conversation.objectIds())
def test_delete_as_user(self):
# Make sure that members can not delete comments
self.logout()
self.setRoles(('Member',))
self.portal.REQUEST.form['comment_id'] = self.comment_id
self.assertRaises(Unauthorized,
self.comment.restrictedTraverse,
'@@moderate-delete-comment')
self.failUnless(self.comment_id in self.conversation.objectIds())
def test_publish(self): def test_publish(self):
pass self.portal.REQUEST.form['comment_id'] = self.comment_id
#self.portal.REQUEST.form['comment_id'] = self.comment_id self.portal.REQUEST.form['action'] = 'publish'
#self.portal.REQUEST.form['action'] = 'publish' self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
#self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state')) view = self.comment.restrictedTraverse('@@moderate-publish-comment')
#view = self.reply.restrictedTraverse('@@review-publish-comment') view()
#view() self.assertEquals('published', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
#self.assertEquals('published', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
def test_publish_as_anonymous(self):
self.logout()
self.portal.REQUEST.form['comment_id'] = self.comment_id
self.portal.REQUEST.form['action'] = 'publish'
self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
self.assertRaises(Unauthorized,
self.comment.restrictedTraverse,
'@@moderate-publish-comment')
self.assertEquals('pending', self.portal.portal_workflow.getInfoFor(self.comment, 'review_state'))
def test_suite(): def test_suite():
return unittest.defaultTestLoader.loadTestsFromName(__name__) return unittest.defaultTestLoader.loadTestsFromName(__name__)
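Review bot: `test_delete_as_user` calls `self.logout()` before `self.setRoles(('Member',))`, and as far as I recall `setRoles` only logs back in when the affected user is the currently authenticated one, so the traversal probably still runs as Anonymous and the Member case is not actually exercised. Adding `self.login()` after the `setRoles` call (or dropping the `logout()`) would make the test cover what its comment claims. There is also no `test_publish_as_user` counterpart, so the publish view is only checked against anonymous access. The positive tests `test_delete` and `test_publish` rely on whatever roles the setup method outside this hunk grants; a short comment in each naming the role they expect would make clear that they pass because of the permission and not despite it.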