[PATCH 1 of 4 saem] [security] Test and fix permissions for ARK NAA

Sylvain Thenault sylvain.thenault at logilab.fr
Thu Apr 13 10:59:59 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1492069848 -7200
#      Thu Apr 13 09:50:48 2017 +0200
# Node ID 5c0cbe8138b54b1a2eb599c0b52def7b425049e0
# Parent  55db28377169afbfb6155eea138dcab1a1bf4468
[security] Test and fix permissions for ARK NAA

ARK Name Assigning Authorities should only be editable (created, updated, deleted) by managers.

diff --git a/cubicweb_saem_ref/migration/0.15.1_Any.py b/cubicweb_saem_ref/migration/0.15.1_Any.py
--- a/cubicweb_saem_ref/migration/0.15.1_Any.py
+++ b/cubicweb_saem_ref/migration/0.15.1_Any.py
@@ -1,7 +1,7 @@
 for ertype in ('generated', 'used', 'associated_with', 'place_address', 'new_version_of',
-               'OrganizationUnit', 'Agent'):
+               'OrganizationUnit', 'Agent', 'ArkNameAssigningAuthority'):
     sync_schema_props_perms(ertype)
 
 
 sql("DELETE FROM container_relation WHERE EXISTS("
     "SELECT FROM entities WHERE eid_to=eid AND "
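Review bot: Adding `'ArkNameAssigningAuthority'` to the existing `0.15.1_Any.py` script only reaches instances that have not yet run that migration step; if 0.15.1 has already been released and applied, those instances keep the previous, more permissive NAA permissions until a fresh migration step calling `sync_schema_props_perms('ArkNameAssigningAuthority')` is shipped under a new version. This is patch 1 of 4, so a later patch in the series may already cover it; it is worth confirming rather than assuming. A short comment above the loop would also help future readers, e.g. `# resync permissions of types whose __permissions__ changed in this release`.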
diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
--- a/cubicweb_saem_ref/schema.py
+++ b/cubicweb_saem_ref/schema.py
@@ -355,10 +355,16 @@ class ark(RelationDefinition):
     cardinality = '11'
 
 
 class ArkNameAssigningAuthority(EntityType):
     """Name Assigning Authority (NAA) for ARK generation."""
+    __permissions__ = {
+        'read': ('managers', 'users', 'guests'),
+        'add': ('managers', ),
+        'update': ('managers', ),
+        'delete': ('managers', ),
+    }
     who = String(required=True, unique=True,
                  description=_('official organization name'))
     what = Int(required=True, unique=True,
                description=_('Name Assigning Authority Number (NAAN)'))
 
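Review bot: The new `__permissions__` dict governs only the entity type itself; the `ark` relation definition whose tail is visible at the top of the hunk, and any relation definition that targets `ArkNameAssigningAuthority`, keep their own `add`/`delete` rules, so a non-manager may still be able to re-link an organization to a different NAA unless those relation definitions are also restricted to managers — that part of schema.py is outside this hunk and should be checked. The dict itself matches the stated intent (read for everyone, write for managers only). A why-comment above it would record the decision, e.g. `# NAA records drive ARK identifier generation: anyone may read them, only managers may change them`.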
diff --git a/test/test_security.py b/test/test_security.py
--- a/test/test_security.py
+++ b/test/test_security.py
@@ -168,10 +168,20 @@ class NonManagerUserTC(CubicWebTC):
                     cnx.create_entity('Activity', used=entity)
 
             with self.assertUnauthorized(cnx):
                 cnx.create_entity('Activity', associated_with=cnx.user)
 
+    def test_cannot_create_update_naa(self):
+        with self.new_access(self.login).cnx() as cnx:
+            with self.assertUnauthorized(cnx):
+                cnx.create_entity('ArkNameAssigningAuthority',
+                                  who=u'123', what=u'443')
+
+            test_naa = testutils.naa(cnx)
+            with self.assertUnauthorized(cnx):
+                test_naa.cw_set(who=u'1')
+
     def test_can_create_authorityrecord_activities(self):
         with self.new_access(self.login).cnx() as cnx:
             arecord = testutils.authority_record(cnx, name=u'a')
             cnx.commit()
             # EAC import expect user may create activity
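Review bot: The create call passes `what=u'443'`, but the schema hunk declares `what` as `Int(required=True, unique=True)`, so the entity could be rejected for a type/validation reason rather than by the permission check the test is meant to pin; use `what=443` so the `assertUnauthorized` really exercises the `add` rule. The test name promises create/update coverage but the schema also restricts `delete` to managers and nothing asserts it; adding `with self.assertUnauthorized(cnx): test_naa.cw_delete()` after the `cw_set` block would close that gap. Both `test_cannot_create_update_naa` and the surrounding class continue outside this hunk.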
diff --git a/test/testutils.py b/test/testutils.py
--- a/test/testutils.py
+++ b/test/testutils.py
@@ -98,11 +98,12 @@ def seda_transfer(cnx, **kwargs):
 
 def naa(cnx):
     try:
         return cnx.find('ArkNameAssigningAuthority').one()
     except NoResultError:
-        return cnx.create_entity('ArkNameAssigningAuthority', who=u'TEST', what=0)
+        with cnx.security_enabled(False, False):
+            return cnx.create_entity('ArkNameAssigningAuthority', who=u'TEST', what=0)
 
 
 def authority_with_naa(cnx, name=u'Default authority'):
     try:
         authority = cnx.find('Organization', name=name).one()
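Review bot: The NAA is created with security disabled but never committed inside the `security_enabled` block, so in the new test it is still "added in the current transaction" when the non-manager later calls `cw_set`; if I recall CubicWeb's security hook correctly, such an entity is checked against the `add` permission at commit rather than `update`, which means the test would pass without ever exercising the `update` rule this patch adds. Committing before returning (`cnx.commit()` inside the `with` block) or creating the fixture from a manager connection in setup would make the update assertion meaningful. Separately, `security_enabled(False, False)` also drops read security, which creation does not need; `cnx.security_enabled(write=False)` is the narrower switch. `authority_with_naa` continues past the end of this hunk.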

