[Cubicweb] CubicWebTC / assertRaises / Unauthorized

Sylvain Thénault sylvain.thenault at logilab.fr
Tue Aug 17 08:38:34 CEST 2010

On 16 août 23:50, Carlos Balderas wrote:
> I made it work, but I still have some questions.
> For some tests, I need to use commit method to make them work, while in
> other ones it is not necessary.
> This code just works if I use commit method.
> (Line 172 of pastebin link)
>  # user1 cannot change others calendar events
> rql = 'SET C description "description test" WHERE C is CalendarEvent'\
>        ', C title "Calendar Event 1 Admin"'
> rset = req.execute(rql)
> self.assertRaises(Unauthorized, self.commit)
> and this one works without the commit method ....
> (Line 184 of pastebin link)
>  # user1 can add calendar event type ONLY to his own calendar events
>  rql = 'SET C event_type T WHERE C is CalendarEvent'\
>          ', C title "Calendar Event 1 Admin"'\
>          ', T is CalendarEventType, T type "Phone Call"'
> self.assertRaises(Unauthorized, req.execute, rql)
> Both try to make changes to database, one to an attribute, the other one to
> make a new relation, but I don't understand the behaivor.

That's because default rulles slightly vary according to relation type
(eg attribute relation or not). Here are the current rules:

1. permission to add/update entity and its attributes are checked:
   - on commit after the relation has been added
   - in after_update hook. If it fails at this time, it will be retried
     on commit (hence you get the permission if you have it just after
     the modification or *at* commit time)

2. permission to delete an entity is checked in before_delete hook

3. permission to add a relation is checked either:
   - in after_add hook (the default)
   - in before_add hook if the relation type is in the BEFORE_ADD_RELATIONS set
   - at commit time if the relatation type is in the ON_COMMIT_ADD_RELATIONS set

4. permission to delete a relation is checked in before_delete hook

Last but not least, remember queries issued from hooks and operation are 
by default 'unsafe', eg there are no read or write security checks.

See cw.hooks.security module for details.
Sylvain Thénault                               LOGILAB, Paris (France)
Formations Python, Debian, Méth. Agiles: http://www.logilab.fr/formations
Développement logiciel sur mesure:       http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org

More information about the Cubicweb mailing list