[PATCH 3 of 4 saem] [security] Test and fix permission of the authority_record relation

Sylvain Thenault sylvain.thenault at logilab.fr
Thu Apr 13 11:00:01 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1492070068 -7200
#      Thu Apr 13 09:54:28 2017 +0200
# Node ID 19025cca31f03f035616ce1995cfbecb728d46c3
# Parent  0d812bee0c0db0dad0d1433db1042d63a2e5d52b
[security] Test and fix permission of the authority_record relation


which should depend on the permission to update its subject (Organization,
OrganizationUnit or Agent).

diff --git a/cubicweb_saem_ref/migration/0.15.1_Any.py b/cubicweb_saem_ref/migration/0.15.1_Any.py
--- a/cubicweb_saem_ref/migration/0.15.1_Any.py
+++ b/cubicweb_saem_ref/migration/0.15.1_Any.py
@@ -1,6 +1,7 @@
 for ertype in ('generated', 'used', 'associated_with', 'place_address', 'new_version_of',
+               'authority_record',
                'OrganizationUnit', 'Agent', 'ArkNameAssigningAuthority'):
     sync_schema_props_perms(ertype)
 
 
 sql("DELETE FROM container_relation WHERE EXISTS("
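Review bot: Adding `'authority_record'` to an already existing migration script only takes effect on instances that have not yet run the 0.15.1 step; if that version has already been deployed, upgraded instances keep the managers-only `add` permission in their stored schema. If 0.15.1 is released, a new migration step with `sync_schema_props_perms('authority_record')` is the safer route; if it is still unreleased, a short comment such as `# authority_record: add permission now follows update permission on the subject` would record why the relation joins this list. Only the loop is visible here; the rest of the script lies outside the hunk.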
diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
--- a/cubicweb_saem_ref/schema.py
+++ b/cubicweb_saem_ref/schema.py
@@ -165,11 +165,11 @@ class agent_user(RelationDefinition):
 
 
 class _authority_record(RelationDefinition):
     __permissions__ = {
         'read': ('managers', 'users', 'guests'),
-        'add': ('managers',),
+        'add': ('managers', RRQLExpression('U has_update_permission S')),
         'delete': ('managers',),
     }
     name = 'authority_record'
     object = 'AuthorityRecord'
     cardinality = '??'
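Review bot: The new `add` rule lets any user with update permission on the subject attach an authority record, but `'delete': ('managers',)` on the next line is unchanged, so the same user cannot unlink it and, with cardinality `'??'`, a later `cw_set(authority_record=...)` that replaces an existing link presumably also needs delete permission and would be refused for the very owner the change targets. If the intent stated in the commit message applies to the whole lifecycle of the link, the matching line is `'delete': ('managers', RRQLExpression('U has_update_permission S')),`, together with a test that re-links and unlinks as the non-manager user. The expression also places no constraint on the object `O`, so any AuthorityRecord the user can reach may be attached to their own Agent or unit; if records are meant to stay within the user's own authority, a restriction on `O` is missing. The `_authority_record` definition may continue past the end of the hunk.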
diff --git a/test/test_security.py b/test/test_security.py
--- a/test/test_security.py
+++ b/test/test_security.py
@@ -95,19 +95,25 @@ class NonManagerUserTC(CubicWebTC):
             cnx.commit()
             agent.cw_set(name=u'bobby')
             cnx.commit()
             agent.cw_delete()
             cnx.commit()
+            arecord = testutils.authority_record(cnx, name=u'bobby', kind=u'person')
+            agent.cw_set(authority_record=arecord)
+            cnx.commit()
 
             with self.assertUnauthorized(cnx):
                 testutils.agent(cnx, u'other bob', authority=other_authority_eid)
 
             other_agent = cnx.entity_from_eid(other_agent_eid)
             with self.assertUnauthorized(cnx):
                 other_agent.cw_set(name=u'bobby')
             with self.assertUnauthorized(cnx):
                 other_agent.cw_delete()
+            with self.assertUnauthorized(cnx):
+                other_arecord = testutils.authority_record(cnx, name=u'other bob', kind=u'person')
+                other_agent.cw_set(authority_record=other_arecord)
 
     def test_create_update_organizationunit_in_own_organization(self):
         with self.admin_access.cnx() as cnx:
             other_authority = testutils.authority_with_naa(cnx, name=u'other authority')
             other_unit = testutils.organization_unit(
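Review bot: The authorized check `agent.cw_set(authority_record=arecord)` runs after `agent.cw_delete()` and `cnx.commit()` three lines above it, so the subject no longer exists when the relation is set; an RQL SET that matches no entity is typically a silent no-op, so this passes whether or not the new permission works. The three added lines belong before the `agent.cw_delete()` call, right after the `name=u'bobby'` commit. In the unauthorized block, `testutils.authority_record(...)` is itself inside `assertUnauthorized`, so a refusal to create the record would also satisfy the assertion without ever reaching the relation; create `other_arecord` before the `with` and keep only `other_agent.cw_set(authority_record=other_arecord)` inside it. The enclosing test method starts before the hunk.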
@@ -122,20 +128,27 @@ class NonManagerUserTC(CubicWebTC):
             cnx.commit()
             unit.cw_set(name=u'archi')
             cnx.commit()
             unit.cw_delete()
             cnx.commit()
+            arecord = testutils.authority_record(cnx, name=u'arch', kind=u'authority')
+            unit.cw_set(authority_record=arecord)
+            cnx.commit()
 
             with self.assertUnauthorized(cnx):
                 testutils.organization_unit(
                     cnx, u'other arch', archival_roles=[u'archival'], authority=other_authority_eid)
 
             other_unit = cnx.entity_from_eid(other_unit_eid)
             with self.assertUnauthorized(cnx):
                 other_unit.cw_set(name=u'archi')
             with self.assertUnauthorized(cnx):
                 other_unit.cw_delete()
+            with self.assertUnauthorized(cnx):
+                other_arecord = testutils.authority_record(cnx, name=u'other arch',
+                                                           kind=u'authority')
+                other_unit.cw_set(authority_record=other_arecord)
 
     def test_cannot_modify_activities(self):
         with self.new_access(self.login).cnx() as cnx:
             arecord = testutils.authority_record(cnx, name=u'a')
             cnx.commit()
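Review bot: The authorized check `unit.cw_set(authority_record=arecord)` is executed after `unit.cw_delete()` and its commit, so the OrganizationUnit is gone when the relation is set and, an RQL SET matching no entity being typically a no-op, the assertion cannot fail for a permission reason. Move the three new lines ahead of `unit.cw_delete()`, right after the `name=u'archi'` commit. Likewise `testutils.authority_record(cnx, name=u'other arch', kind=u'authority')` should be created outside the `assertUnauthorized` block so that only `other_unit.cw_set(authority_record=other_arecord)` is what the block asserts on. The enclosing test method starts before the hunk.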
@@ -212,10 +225,13 @@ class ManagerUserTC(CubicWebTC):
         with self.admin_access.cnx() as cnx:
             org = testutils.authority_with_naa(cnx)
             cnx.commit()
             org.cw_set(name=u'uh')
             cnx.commit()
+            arecord = testutils.authority_record(cnx, name=u'a', kind=u'authority')
+            org.cw_set(authority_record=arecord)
+            cnx.commit()
 
     def test_create_update_naa(self):
         with self.admin_access.cnx() as cnx:
             test_naa = testutils.naa(cnx)
             cnx.commit()
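Review bot: The Organization subject is exercised here only under `admin_access`, where `'managers'` already grants `add`, so the new `RRQLExpression` is never the deciding rule for Organizations in this patch; the non-manager tests cover Agent and OrganizationUnit only. Unless another test already does so, `NonManagerUserTC` should get a check that a user with update permission on their own Organization can `cw_set(authority_record=...)` and is refused on another authority's Organization, mirroring the Agent and OrganizationUnit cases. The enclosing test method starts before the hunk.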

