[PATCH saem v2] [security] Fix permissions for EAC relation entity types

Sylvain Thenault sylvain.thenault at logilab.fr
Tue Apr 25 15:07:29 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1492766455 -7200
#      Fri Apr 21 11:20:55 2017 +0200
# Node ID 325e05b852bea0350fd38382c5f7461e97e08ef8
# Parent  390a4f075ad402d3fc81dbb7e45f1634efa58e30
# Available At http://hg.logilab.org/review/cubes/saem_ref
#              hg pull http://hg.logilab.org/review/cubes/saem_ref -r 325e05b852be
[security] Fix permissions for EAC relation entity types

They are not part of the compound graph, hence they get the default permissions where
only the owner can update, which is not what we expect.

Add more testing about this.

Closes extranet #18336405

diff --git a/cubicweb_saem_ref/migration/0.15.3_Any.py b/cubicweb_saem_ref/migration/0.15.3_Any.py
new file mode 100644
--- /dev/null
+++ b/cubicweb_saem_ref/migration/0.15.3_Any.py
@@ -0,0 +1,2 @@
+for etype in ('ChronologicalRelation', 'HierarchicalRelation', 'AssociationRelation'):
+    sync_schema_props_perms(etype)
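Review bot: `sync_schema_props_perms(etype)` is called with its default flags, so the migration re-syncs everything the helper covers (permissions and, as I read the helper's signature, schema properties / relation definitions too), not just the permission change this commit makes. If only the permissions are meant to be pushed to existing instances, narrowing the call to `sync_schema_props_perms(etype, syncprops=False)` keeps the migration scoped to what the commit message describes; please confirm the flag name against the CubicWeb version in use. A one-line comment above the loop stating the intent, `# Apply the relaxed permissions on EAC relation entity types (see schema.py).`, would also help whoever reads this migration later.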
diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
--- a/cubicweb_saem_ref/schema.py
+++ b/cubicweb_saem_ref/schema.py
@@ -102,10 +102,20 @@ eac.agent_kind.constraints = [
                   'EXISTS(OU authority_record S, OU is IN (Organization, OrganizationUnit), '
                   '       O name "authority")',
                   msg=_('This record is used by a relation forbidding to change its type')),
 ]
 
+for etype_def in (eac.ChronologicalRelation,
+                  eac.HierarchicalRelation,
+                  eac.AssociationRelation):
+    etype_def.__permissions__ = {
+        'read': ('managers', 'users', 'guests'),
+        'add': ('managers', 'users'),
+        'update': ('managers', 'users'),
+        'delete': ('managers', 'users'),
+    }
+
 
 # Customization of skos schema.
 make_workflowable(ConceptScheme)
 publication_permissions(ConceptScheme)
 
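Review bot: The permission override on the three EAC relation entity types carries no comment, so the reason it departs from the schema defaults only lives in the commit message and will be lost to the next reader of schema.py. Add above the `for etype_def in (...)` loop: `# EAC relation entity types are not part of the compound graph, so without this they keep the default permissions where only the owner can update/delete.` Note that the override also grants 'delete' to every user in 'users', which the commit description does not mention; if that is intentional the comment should say so, since it is broader than the owner-only default being fixed.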
diff --git a/test/test_security.py b/test/test_security.py
--- a/test/test_security.py
+++ b/test/test_security.py
@@ -13,10 +13,11 @@
 #
 # You should have received a copy of the GNU Lesser General Public License along
 # with this program. If not, see <http://www.gnu.org/licenses/>.
 """Functional security tests."""
 
+from datetime import date
 from cubicweb.devtools.testlib import CubicWebTC
 
 import testutils
 
 
@@ -39,10 +40,14 @@ class NonManagerUserTC(CubicWebTC):
             cnx.commit()
 
         self.authority_eid = authority.eid
 
     def test_create_update_authorityrecord(self):
+        with self.admin_access.cnx() as cnx:
+            admin_arecord_eid = testutils.authority_record(cnx, name=u'admin').eid
+            cnx.commit()
+
         with self.new_access(self.login).cnx() as cnx:
             arecord = testutils.authority_record(cnx, name=u'a')
             cnx.commit()
             arecord.cw_set(record_id=u'123')
             cnx.commit()
@@ -50,10 +55,39 @@ class NonManagerUserTC(CubicWebTC):
             # can change kind (unless used in constrained relation, but this is tested in
             # unittest_schema)
             arecord.cw_set(agent_kind=cnx.find('AgentKind', name=u'authority').one())
             cnx.commit()
 
+            # can modify record created by someone else
+            admin_arecord = cnx.entity_from_eid(admin_arecord_eid)
+            admin_arecord.cw_set(record_id=u'123')
+            cnx.commit()
+
+        # can create relation and modify those created by someone else
+        for rel_etype, rel_from_rtype, rel_to_rtype in [
+                ('ChronologicalRelation', 'chronological_predecessor', 'chronological_successor'),
+                ('HierarchicalRelation', 'hierarchical_parent', 'hierarchical_child'),
+                ('AssociationRelation', 'association_from', 'association_to'),
+        ]:
+            with self.admin_access.cnx() as cnx:
+                # can create / update relation
+                relation_eid = cnx.create_entity(
+                    rel_etype, **{rel_from_rtype: admin_arecord_eid,
+                                  rel_to_rtype: arecord}).eid
+                cnx.commit()
+
+            with self.new_access(self.login).cnx() as cnx:
+                relation = cnx.entity_from_eid(relation_eid)
+                relation.cw_set(
+                    start_date=date.today(), **{rel_from_rtype: arecord,
+                                                rel_to_rtype: admin_arecord_eid})
+                cnx.commit()
+                cnx.create_entity(
+                    rel_etype, **{rel_from_rtype: admin_arecord_eid,
+                                  rel_to_rtype: arecord})
+                cnx.commit()
+
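Review bot: The new loop only checks the permissive side of the change — a non-manager user can create and update the three relation types — and never asserts that a 'guests' connection is still refused 'add'/'update', nor that the newly granted 'delete' actually works, so a regression that made these types world-writable would pass unchanged. Consider adding `relation.cw_delete(); cnx.commit()` inside the user connection and a negative check using a guests-group connection that expects `Unauthorized` on `cw_set` / `create_entity` for the same etypes. Separately, `arecord` was created in the earlier `self.new_access(self.login).cnx()` block and is passed into the admin connection at `rel_to_rtype: arecord` (and again at line `rel_from_rtype: arecord`); using `arecord.eid`, as is already done for `admin_arecord_eid`, avoids handing an entity bound to a closed connection to another one. The body of test_create_update_authorityrecord starts in the previous hunk.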
     def test_create_update_sedaprofile(self):
         with self.new_access(self.login).cnx() as cnx:
             profile = testutils.setup_profile(cnx)
             cnx.commit()
             profile.cw_set(user_annotation=u'meh')

