Plone 3.0 ftest failure with published folder and anonymous access

Derek Richardson derek.richardson at gatech.edu
Thu Aug 23 13:22:27 UTC 2007


A revised version of the doctest post. I believe this one clearly shows
a defect in content_status_modify() and I plan to log this as a bug.
However, what I *really* need is a *workaround* - anyone got one?

Step zero is paying attention to all exceptions and making the implicit
user a Manager so she can create a folder. The buildout was created with
'verbose-security on'.

     >>> self.portal.error_log._ignored_exceptions = ()
     >>> self.setRoles(['Manager'])

First, let's set up a new folder.

     >>> location = self.portal
     >>> ignore = location.invokeFactory('Folder', id='fubar', title='title')
     >>> item = location['fubar']

Now, let's try to access the folder as an anonymous user. If you don't get
an 'Unauthorized' error, then you don't have verbose security turned on. By
the way, the detailed HTML error message makes this impossible to trap in
a doctest, so, if you run this test, you'll have to try once with this
open() enabled and see the Unauthorized and then comment out the open() so
that you can get to the second part of the test. Boo!

     >>> from Products.Five.testbrowser import Browser
     >>> browser = Browser()
     >>> browser.handleErrors = False
     >>> browser.open(item.absolute_url())
         Traceback (most recent call last):
           ...
             Unauthorized: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
           ...

Now, get a reference to the workflow tool.

     >>> from Products.CMFPlone.utils import getToolByName
     >>> wftool = getToolByName(item, 'portal_workflow')

Check the workflow state on the new folder - it's 'private'

     >>> wftool.getInfoFor(item, 'review_state')
         'private'

Note that Anonymous has no View or List folder contents permissions on the
item in this workflow state.

     >>> [x for x in item.permissionsOfRole('Anonymous') if x['name']=='View']
         [{'selected': '', 'name': 'View'}]
     >>> [x for x in item.permissionsOfRole('Anonymous') if x['name']=='List folder contents']
         [{'selected': '', 'name': 'List folder contents'}]

So, let's change the workflow state by publishing

     >>> item.content_status_modify(workflow_action='publish')
         'http://nohost/plone/fubar/'

Now, the workflow state is 'published'

     >>> wftool.getInfoFor(item, 'review_state')
         'published'

And, in this new state, Anonymous *can* view the item and *can* list the
contents of the folder.

     >>> [x for x in item.permissionsOfRole('Anonymous') if x['name']=='View']
         [{'selected': 'SELECTED', 'name': 'View'}]
     >>> [x for x in item.permissionsOfRole('Anonymous') if x['name']=='List folder contents']
         [{'selected': 'SELECTED', 'name': 'List folder contents'}]

Just in case, let's commit to the ZODB.

     >>> import transaction
     >>> #transaction.commit()
     >>> savepoint = transaction.savepoint(optimistic=True)

OK, now Anonymous should be able to see the item, right? Wrong. The Anonymous
user gets the login page when attempting to access the item. Plus, we don't
get any exceptions, even with 'verbose-security on' in our buildout instance's
zope.conf:

     >>> browser.open(item.absolute_url())
     >>> 'Forgot your password?' in browser.contents
     False

Publishing seems to only be partially effective - it prevents the Unauthorized
error, but the login page still appears. How can the user be handed the login
page without the Unauthorized error being tripped?




