openerp/tests/test_acl.py

   1 import unittest2
   2 from lxml import etree
   3
   4 import common
   5
   6 # test group that demo user should not have
   7 GROUP_TECHNICAL_FEATURES = 'base.group_no_one'
   8
   9 class TestACL(common.TransactionCase):
  10
  11     def setUp(self):
  12         super(TestACL, self).setUp()
  13         self.res_currency = self.registry('res.currency')
  14         self.res_partner = self.registry('res.partner')
  15         self.res_users = self.registry('res.users')
  16         self.demo_uid = 3
  17         self.tech_group = self.registry('ir.model.data').get_object(self.cr, self.uid,
  18                                                                     *(GROUP_TECHNICAL_FEATURES.split('.')))
  19
  20     def test_field_visibility_restriction(self):
  21         """Check that model-level ``groups`` parameter effectively restricts access to that
  22            field for users who do not belong to one of the explicitly allowed groups"""
  23         # Verify the test environment first
  24         original_fields = self.res_currency.fields_get(self.cr, self.demo_uid, [])
  25         form_view = self.res_currency.fields_view_get(self.cr, self.demo_uid, False, 'form')
  26         view_arch = etree.fromstring(form_view.get('arch'))
  27         has_tech_feat = self.res_users.has_group(self.cr, self.demo_uid, GROUP_TECHNICAL_FEATURES)
  28         self.assertFalse(has_tech_feat, "`demo` user should not belong to the restricted group before the test")
  29         self.assertTrue('rate' in original_fields, "'rate' field must be properly visible before the test")
  30         self.assertNotEquals(view_arch.xpath("//field[@name='rate']"), [],
  31                              "Field 'rate' must be found in view definition before the test")
  32
  33         # Restrict access to the field and check it's gone
  34         self.res_currency._columns['rate'].groups = GROUP_TECHNICAL_FEATURES
  35         fields = self.res_currency.fields_get(self.cr, self.demo_uid, [])
  36         form_view = self.res_currency.fields_view_get(self.cr, self.demo_uid, False, 'form')
  37         view_arch = etree.fromstring(form_view.get('arch'))
  38         self.assertFalse('rate' in fields, "'rate' field should be gone")
  39         self.assertEquals(view_arch.xpath("//field[@name='rate']"), [],
  40                              "Field 'rate' must not be found in view definition")
  41
  42         # Make demo user a member of the restricted group and check that the field is back
  43         self.tech_group.write({'users': [(4, self.demo_uid)]})
  44         has_tech_feat = self.res_users.has_group(self.cr, self.demo_uid, GROUP_TECHNICAL_FEATURES)
  45         fields = self.res_currency.fields_get(self.cr, self.demo_uid, [])
  46         form_view = self.res_currency.fields_view_get(self.cr, self.demo_uid, False, 'form')
  47         view_arch = etree.fromstring(form_view.get('arch'))
  48         #import pprint; pprint.pprint(fields); pprint.pprint(form_view)
  49         self.assertTrue(has_tech_feat, "`demo` user should now belong to the restricted group")
  50         self.assertTrue('rate' in fields, "'rate' field must be properly visible again")
  51         self.assertNotEquals(view_arch.xpath("//field[@name='rate']"), [],
  52                              "Field 'rate' must be found in view definition again")
  53
  54         #cleanup
  55         self.tech_group.write({'users': [(3, self.demo_uid)]})
  56         self.res_currency._columns['rate'].groups = False
  57
  58     def test_field_crud_restriction(self):
  59         "Read/Write RPC access to restricted field should be forbidden"
  60         # Verify the test environment first
  61         has_tech_feat = self.res_users.has_group(self.cr, self.demo_uid, GROUP_TECHNICAL_FEATURES)
  62         self.assertFalse(has_tech_feat, "`demo` user should not belong to the restricted group")
  63         self.assert_(self.res_partner.read(self.cr, self.demo_uid, [1], ['bank_ids']))
  64         self.assert_(self.res_partner.write(self.cr, self.demo_uid, [1], {'bank_ids': []}))
  65
  66         # Now restrict access to the field and check it's forbidden
  67         self.res_partner._columns['bank_ids'].groups = GROUP_TECHNICAL_FEATURES
  68         # FIXME TODO: enable next tests when access rights checks per field are implemented
  69         # from openerp.osv.orm import except_orm
  70         # with self.assertRaises(except_orm):
  71         #     self.res_partner.read(self.cr, self.demo_uid, [1], ['bank_ids'])
  72         # with self.assertRaises(except_orm):
  73         #     self.res_partner.write(self.cr, self.demo_uid, [1], {'bank_ids': []})
  74
  75         # Add the restricted group, and check that it works again
  76         self.tech_group.write({'users': [(4, self.demo_uid)]})
  77         has_tech_feat = self.res_users.has_group(self.cr, self.demo_uid, GROUP_TECHNICAL_FEATURES)
  78         self.assertTrue(has_tech_feat, "`demo` user should now belong to the restricted group")
  79         self.assert_(self.res_partner.read(self.cr, self.demo_uid, [1], ['bank_ids']))
  80         self.assert_(self.res_partner.write(self.cr, self.demo_uid, [1], {'bank_ids': []}))
  81
  82         #cleanup
  83         self.tech_group.write({'users': [(3, self.demo_uid)]})
  84         self.res_partner._columns['bank_ids'].groups = False
  85
  86 if __name__ == '__main__':
  87     unittest2.main()
  88
  89 # vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4: