[PATCH 1 of 3 saem v2] [test] Merge unittest_schema.SecurityTC into test_security

Sylvain Thenault sylvain.thenault at logilab.fr
Thu Apr 27 16:08:22 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1493285067 -7200
#      Thu Apr 27 11:24:27 2017 +0200
# Node ID 57d1eae376a36e5d6979b554bf5adb4e4928da6b
# Parent  806ad003d155caccb58edc493b6f8fb6aef1c57c
# Available At http://hg.logilab.org/review/cubes/saem_ref
#              hg pull http://hg.logilab.org/review/cubes/saem_ref -r 57d1eae376a3
[test] Merge unittest_schema.SecurityTC into test_security

diff --git a/test/test_security.py b/test/test_security.py
--- a/test/test_security.py
+++ b/test/test_security.py
@@ -276,10 +276,11 @@ class ManagerUserTC(CubicWebTC):
     """Tests checking that a user in "managers" group only can do things.
 
     Most of the times, we do not call any assertion method and only rely on no
     error being raised.
     """
+    assertUnauthorized = testutils.assertUnauthorized
 
     def test_create_update_organization(self):
         with self.admin_access.cnx() as cnx:
             org = testutils.authority_with_naa(cnx)
             cnx.commit()
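Review bot: The class docstring shown as context above this addition stops matching ManagerUserTC once `assertUnauthorized` is bound here and the SecurityTC tests are merged in by the next hunk. It describes tests for a user in the "managers" group that mostly rely on no error being raised, while the merged tests log in as plain `users`/`guests` accounts and assert that writes are refused. I would update it, for instance to `"""Permission tests: what managers may do, and what users and guests are denied."""`, or keep the denial tests in a class of their own so negative authorization coverage stays easy to find. The class body starts before and continues past this hunk, so it cannot be checked from here whether a test of the same name already exists in it; a duplicate name would silently replace the earlier test.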
@@ -299,9 +300,151 @@ class ManagerUserTC(CubicWebTC):
                                     who=u'123', what=u'443')
             cnx.commit()
             naa.cw_set(what=u'987')
             cnx.commit()
 
+    def test_authority_type(self):
+        with self.admin_access.repo_cnx() as cnx:
+            self.create_user(cnx, login=u'user', groups=('users',))
+            cnx.commit()
+        with self.new_access('user').client_cnx() as cnx:
+            with self.assertUnauthorized(cnx):
+                testutils.authority_with_naa(cnx, name=u'dream team')
+
+    def test_authority_relation(self):
+        with self.admin_access.repo_cnx() as cnx:
+            self.create_user(cnx, login=u'user', groups=('users',),
+                             authority=testutils.authority_with_naa(cnx))
+            agent = testutils.agent(cnx, u'user')
+            authority = testutils.authority_with_naa(cnx, name=u'dream team')
+            cnx.commit()
+            # even manager can't change an agent's authority
+            with self.assertUnauthorized(cnx):
+                agent.cw_set(authority=authority.eid)
+        with self.new_access('user').client_cnx() as cnx:
+            agent = cnx.entity_from_eid(agent.eid)
+            # user can't change its own authority
+            with self.assertUnauthorized(cnx):
+                agent.cw_set(authority=authority.eid)
+            # user can't create an agent in another authority than its own
+            with self.assertUnauthorized(cnx):
+                testutils.agent(cnx, u'new agent', authority=authority.eid)
+            # though he can add an agent to its own authority
+            testutils.agent(cnx, u'new agent')
+            cnx.commit()
+
+    def test_agent_user(self):
+        with self.admin_access.repo_cnx() as cnx:
+            user1 = self.create_user(cnx, login=u'user1', groups=('users',),
+                                     authority=testutils.authority_with_naa(cnx))
+            user2 = self.create_user(cnx, login=u'user2', groups=('users',),
+                                     authority=testutils.authority_with_naa(cnx))
+            agent = testutils.agent(cnx, u'user1', agent_user=user1)
+            cnx.commit()
+        with self.new_access('user1').client_cnx() as cnx:
+            agent = cnx.entity_from_eid(agent.eid)
+            # user can't change its own user
+            with self.assertUnauthorized(cnx):
+                agent.cw_set(agent_user=user2.eid)
+            with self.assertUnauthorized(cnx):
+                agent.cw_set(agent_user=None)
+            # user can't create an agent and specify its associated user
+            with self.assertUnauthorized(cnx):
+                testutils.agent(cnx, u'user2', agent_user=user2.eid)
+            agent2 = testutils.agent(cnx, u'user2')
+            cnx.commit()
+            with self.assertUnauthorized(cnx):
+                agent2.cw_set(agent_user=user2.eid)
+
+    def test_authority_record_base(self):
+        with self.admin_access.repo_cnx() as cnx:
+            self.create_user(cnx, login=u'toto', groups=('users', 'guests'),
+                             authority=testutils.authority_with_naa(cnx))
+            cnx.commit()
+        with self.new_access('toto').client_cnx() as cnx:
+            function = cnx.create_entity('AgentFunction', name=u'grouillot')
+            testutils.authority_record(cnx, u'bob', reverse_function_agent=function)
+            cnx.commit()
+        with self.admin_access.repo_cnx() as cnx:
+            cnx.execute('DELETE U in_group G WHERE U login "toto", G name "users"')
+            cnx.commit()
+        with self.new_access('toto').client_cnx() as cnx:
+            agent = cnx.find('AuthorityRecord', has_text=u'bob').one()
+            # guest user can't modify an authority record
+            with self.assertUnauthorized(cnx):
+                agent.cw_set(record_id=u'bobby')
+
+    def test_authority_record_wf_permissions(self):
+        with self.admin_access.repo_cnx() as cnx:
+            self.create_user(cnx, login=u'toto', groups=('users', 'guests'),
+                             authority=testutils.authority_with_naa(cnx))
+            cnx.commit()
+        with self.new_access('toto').client_cnx() as cnx:
+            function = cnx.create_entity('AgentFunction', name=u'grouillot')
+            record = testutils.authority_record(cnx, u'bob', reverse_function_agent=function)
+            cnx.commit()
+            iwf = record.cw_adapt_to('IWorkflowable')
+            iwf.fire_transition('publish')
+            cnx.commit()
+            # we can still modify a published record
+            record.reverse_name_entry_for[0].cw_set(parts=u'bobby')
+            function.cw_set(name=u'director')
+            cnx.commit()
+
+    def test_update_root_badgroup(self):
+        with self.admin_access.repo_cnx() as cnx:
+            self.create_user(cnx, login=u'toto', groups=('users', 'guests'))
+            cnx.commit()
+        with self.new_access('toto').client_cnx() as cnx:
+            testutils.setup_profile(cnx, title=u'pp')
+            cnx.commit()
+        with self.admin_access.repo_cnx() as cnx:
+            cnx.execute(
+                'DELETE U in_group G WHERE U login "toto", G name "users"')
+            cnx.commit()
+        with self.new_access('toto').client_cnx() as cnx:
+            profile = cnx.find('SEDAArchiveTransfer', title=u'pp').one()
+            with self.assertUnauthorized(cnx):
+                profile.cw_set(title=u'qq')
+
+    def test_sedaprofile_wf_permissions(self):
+        with self.admin_access.repo_cnx() as cnx:
+            profile = testutils.setup_profile(cnx, title=u'pp')
+            cnx.commit()
+            # Profile in draft, modifications are allowed.
+            profile.cw_set(title=u'ugh')
+            cnx.commit()
+            # Profile published, no modification allowed.
+            profile.cw_adapt_to('IWorkflowable').fire_transition('publish')
+            cnx.commit()
+
+    def test_conceptscheme_wf_permissions(self):
+        with self.admin_access.cnx() as cnx:
+            scheme = cnx.create_entity('ConceptScheme', ark_naa=testutils.naa(cnx))
+            cnx.commit()
+            # in draft, modifications are allowed.
+            concept = scheme.add_concept(u'blah')
+            cnx.commit()
+            # published, can't modify existing content.
+            scheme.cw_adapt_to('IWorkflowable').fire_transition('publish')
+            cnx.commit()
+            with self.assertUnauthorized(cnx):
+                scheme.cw_set(description=u'plop')
+            with self.assertUnauthorized(cnx):
+                concept.preferred_label[0].cw_set(label=u'plop')
+            # though addition of new concepts / labels is fine
+            new_concept = scheme.add_concept(u'plop')
+            cnx.commit()
+            new_label = cnx.create_entity('Label', label=u'arhg', label_of=concept)
+            cnx.commit()
+            # while deletion is fine for label but not for concept nor scheme
+            new_label.cw_delete()
+            cnx.commit()
+            with self.assertUnauthorized(cnx):
+                scheme.cw_delete()
+            with self.assertUnauthorized(cnx):
+                new_concept.cw_delete()
+
 
 if __name__ == '__main__':
     import unittest
     unittest.main()
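Review bot: `test_sedaprofile_wf_permissions` ends right after the `publish` transition, so its last comment, "Profile published, no modification allowed", is never exercised and the test would still pass if published profiles became writable. If the restriction is meant to hold for the admin connection used here, add `with self.assertUnauthorized(cnx):` followed by `profile.cw_set(title=u'argh')` after the final commit; otherwise reword the comment to say what is actually verified. The test is carried over unchanged from unittest_schema.SecurityTC, so the gap predates this move. The enclosing class starts outside the hunk.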
diff --git a/test/unittest_schema.py b/test/unittest_schema.py
--- a/test/unittest_schema.py
+++ b/test/unittest_schema.py
@@ -268,154 +268,7 @@ class ConceptSchemeTC(CubicWebTC):
         structurals, optionals, mandatories = graph_relations(
             self.schema, structure)
         self.assertEqual(structurals - optionals, mandatories)
 
 
-class SecurityTC(CubicWebTC):
-    """Test case for permissions set in the schema"""
-    assertUnauthorized = testutils.assertUnauthorized
-
-    def test_authority_type(self):
-        with self.admin_access.repo_cnx() as cnx:
-            self.create_user(cnx, login=u'user', groups=('users',))
-            cnx.commit()
-        with self.new_access('user').client_cnx() as cnx:
-            with self.assertUnauthorized(cnx):
-                testutils.authority_with_naa(cnx, name=u'dream team')
-
-    def test_authority_relation(self):
-        with self.admin_access.repo_cnx() as cnx:
-            self.create_user(cnx, login=u'user', groups=('users',),
-                             authority=testutils.authority_with_naa(cnx))
-            agent = testutils.agent(cnx, u'user')
-            authority = testutils.authority_with_naa(cnx, name=u'dream team')
-            cnx.commit()
-            # even manager can't change an agent's authority
-            with self.assertUnauthorized(cnx):
-                agent.cw_set(authority=authority.eid)
-        with self.new_access('user').client_cnx() as cnx:
-            agent = cnx.entity_from_eid(agent.eid)
-            # user can't change its own authority
-            with self.assertUnauthorized(cnx):
-                agent.cw_set(authority=authority.eid)
-            # user can't create an agent in another authority than its own
-            with self.assertUnauthorized(cnx):
-                testutils.agent(cnx, u'new agent', authority=authority.eid)
-            # though he can add an agent to its own authority
-            testutils.agent(cnx, u'new agent')
-            cnx.commit()
-
-    def test_agent_user(self):
-        with self.admin_access.repo_cnx() as cnx:
-            user1 = self.create_user(cnx, login=u'user1', groups=('users',),
-                                     authority=testutils.authority_with_naa(cnx))
-            user2 = self.create_user(cnx, login=u'user2', groups=('users',),
-                                     authority=testutils.authority_with_naa(cnx))
-            agent = testutils.agent(cnx, u'user1', agent_user=user1)
-            cnx.commit()
-        with self.new_access('user1').client_cnx() as cnx:
-            agent = cnx.entity_from_eid(agent.eid)
-            # user can't change its own user
-            with self.assertUnauthorized(cnx):
-                agent.cw_set(agent_user=user2.eid)
-            with self.assertUnauthorized(cnx):
-                agent.cw_set(agent_user=None)
-            # user can't create an agent and specify its associated user
-            with self.assertUnauthorized(cnx):
-                testutils.agent(cnx, u'user2', agent_user=user2.eid)
-            agent2 = testutils.agent(cnx, u'user2')
-            cnx.commit()
-            with self.assertUnauthorized(cnx):
-                agent2.cw_set(agent_user=user2.eid)
-
-    def test_authority_record_base(self):
-        with self.admin_access.repo_cnx() as cnx:
-            self.create_user(cnx, login=u'toto', groups=('users', 'guests'),
-                             authority=testutils.authority_with_naa(cnx))
-            cnx.commit()
-        with self.new_access('toto').client_cnx() as cnx:
-            function = cnx.create_entity('AgentFunction', name=u'grouillot')
-            testutils.authority_record(cnx, u'bob', reverse_function_agent=function)
-            cnx.commit()
-        with self.admin_access.repo_cnx() as cnx:
-            cnx.execute('DELETE U in_group G WHERE U login "toto", G name "users"')
-            cnx.commit()
-        with self.new_access('toto').client_cnx() as cnx:
-            agent = cnx.find('AuthorityRecord', has_text=u'bob').one()
-            # guest user can't modify an authority record
-            with self.assertUnauthorized(cnx):
-                agent.cw_set(record_id=u'bobby')
-
-    def test_authority_record_wf_permissions(self):
-        with self.admin_access.repo_cnx() as cnx:
-            self.create_user(cnx, login=u'toto', groups=('users', 'guests'),
-                             authority=testutils.authority_with_naa(cnx))
-            cnx.commit()
-        with self.new_access('toto').client_cnx() as cnx:
-            function = cnx.create_entity('AgentFunction', name=u'grouillot')
-            record = testutils.authority_record(cnx, u'bob', reverse_function_agent=function)
-            cnx.commit()
-            iwf = record.cw_adapt_to('IWorkflowable')
-            iwf.fire_transition('publish')
-            cnx.commit()
-            # we can still modify a published record
-            record.reverse_name_entry_for[0].cw_set(parts=u'bobby')
-            function.cw_set(name=u'director')
-            cnx.commit()
-
-    def test_update_root_badgroup(self):
-        with self.admin_access.repo_cnx() as cnx:
-            self.create_user(cnx, login=u'toto', groups=('users', 'guests'))
-            cnx.commit()
-        with self.new_access('toto').client_cnx() as cnx:
-            testutils.setup_profile(cnx, title=u'pp')
-            cnx.commit()
-        with self.admin_access.repo_cnx() as cnx:
-            cnx.execute(
-                'DELETE U in_group G WHERE U login "toto", G name "users"')
-            cnx.commit()
-        with self.new_access('toto').client_cnx() as cnx:
-            profile = cnx.find('SEDAArchiveTransfer', title=u'pp').one()
-            with self.assertUnauthorized(cnx):
-                profile.cw_set(title=u'qq')
-
-    def test_sedaprofile_wf_permissions(self):
-        with self.admin_access.repo_cnx() as cnx:
-            profile = testutils.setup_profile(cnx, title=u'pp')
-            cnx.commit()
-            # Profile in draft, modifications are allowed.
-            profile.cw_set(title=u'ugh')
-            cnx.commit()
-            # Profile published, no modification allowed.
-            profile.cw_adapt_to('IWorkflowable').fire_transition('publish')
-            cnx.commit()
-
-    def test_conceptscheme_wf_permissions(self):
-        with self.admin_access.cnx() as cnx:
-            scheme = cnx.create_entity('ConceptScheme', ark_naa=testutils.naa(cnx))
-            cnx.commit()
-            # in draft, modifications are allowed.
-            concept = scheme.add_concept(u'blah')
-            cnx.commit()
-            # published, can't modify existing content.
-            scheme.cw_adapt_to('IWorkflowable').fire_transition('publish')
-            cnx.commit()
-            with self.assertUnauthorized(cnx):
-                scheme.cw_set(description=u'plop')
-            with self.assertUnauthorized(cnx):
-                concept.preferred_label[0].cw_set(label=u'plop')
-            # though addition of new concepts / labels is fine
-            new_concept = scheme.add_concept(u'plop')
-            cnx.commit()
-            new_label = cnx.create_entity('Label', label=u'arhg', label_of=concept)
-            cnx.commit()
-            # while deletion is fine for label but not for concept nor scheme
-            new_label.cw_delete()
-            cnx.commit()
-            with self.assertUnauthorized(cnx):
-                scheme.cw_delete()
-            with self.assertUnauthorized(cnx):
-                new_concept.cw_delete()
-
-
 if __name__ == '__main__':
     unittest.main()

