[PATCH 4 of 4 saem] [security] Update security of the authority record kind relation

Sylvain Thénault sylvain.thenault at logilab.fr
Fri Apr 14 10:37:50 CEST 2017



On 14/04/2017 at 09:55, Denis Laxalde wrote:
> Sylvain Thenault wrote:
>> # HG changeset patch
>> # User Sylvain Thénault <sylvain.thenault at logilab.fr>
>> # Date 1492070281 -7200
>> #      Thu Apr 13 09:58:01 2017 +0200
>> # Node ID a3945adaf0b1d9b6bc0713413610b3c0eaebdceb
>> # Parent  19025cca31f03f035616ce1995cfbecb728d46c3
>> [security] Update security of the authority record kind relation
>>
>> (still named agent_kind for historical reasons).
>>
>> In the eac cube, this relation can't be modified unless its value is
>> 'unknown'. Here we want to allow modification provided that the record
>> isn't referenced by an authority_record relation which adds a constraint
>> on the kind's value.
>>
>> To achieve this, update the relation's permission to depend on its
>> subject entity's permission, then add a constraint to ensure consistency
>> of authority_record wrt kind's value.
>>
>> Related to #16385734
>>
>> diff --git a/cubicweb_saem_ref/migration/0.15.1_Any.py
>> b/cubicweb_saem_ref/migration/0.15.1_Any.py
>> --- a/cubicweb_saem_ref/migration/0.15.1_Any.py
>> +++ b/cubicweb_saem_ref/migration/0.15.1_Any.py
>> @@ -1,7 +1,7 @@
>>  for ertype in ('generated', 'used', 'associated_with',
>> 'place_address', 'new_version_of',
>> -               'authority_record',
>> +               'agent_kind', 'authority_record',
>>                 'OrganizationUnit', 'Agent',
>> 'ArkNameAssigningAuthority'):
>>      sync_schema_props_perms(ertype)
>>
>>
>>  sql("DELETE FROM container_relation WHERE EXISTS("
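
Review bot: adding 'agent_kind' to the `sync_schema_props_perms` loop brings in the new permissions and constraint, but nothing in this migration looks at records that already exist. A record already referenced through `authority_record` with a kind that does not satisfy the constraint added in schema.py could surface later as a validation error on an unrelated edit. Consider adding a query to the migration that lists such records so they can be reported or fixed during the upgrade.
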
>> diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
>> --- a/cubicweb_saem_ref/schema.py
>> +++ b/cubicweb_saem_ref/schema.py
>> @@ -86,10 +86,26 @@ EmailAddress.remove_relation('alias')
>>
>>  # Customization of eac schema.
>>  make_workflowable(eac.AuthorityRecord)
>>  groups_permissions(eac.AuthorityRecord)
>>
>> +eac.agent_kind.__permissions__ = {
>> +    'read': ('managers', 'users', 'guests'),
>> +    'add': ('managers', RRQLExpression('U has_update_permission S')),
>> +    'delete': ('managers', RRQLExpression('U has_update_permission
>> S')),
>> +}
>> +eac.agent_kind.constraints = [
>> +    RQLConstraint('NOT EXISTS(Z authority_record S)'
>> +                  ' OR '
>> +                  'EXISTS(A authority_record S, A is Agent, '
>> +                  '       S agent_kind K, K name "person")'
>> +                  ' OR '
>> +                  'EXISTS(OU authority_record S, OU is IN
>> (Organization, OrganizationUnit), '
>> +                  '       S agent_kind K, K name "authority")',
>> +                  msg=_('This record is used by a relation
>> forbidding to change its type')),
>> +]
>
> K is O, isn't it?

indeed

>>
>>  # Customization of skos schema.
>>  make_workflowable(ConceptScheme)
>>  publication_permissions(ConceptScheme)
>>
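
Review bot: the `eac.agent_kind.constraints = [...]` assignment replaces the relation's constraint list instead of extending it, so any constraint the eac cube declares on agent_kind would be dropped without notice. If the replacement is intended, a short comment above the assignment saying so would help; otherwise append the new `RQLConstraint` to the existing list. The same applies to `__permissions__`, which is the actual security change here: a comment stating that 'add' and 'delete' now follow `U has_update_permission S`, and that referenced records are protected by the constraint alone, would make the intent clear to the next reader.
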
>> diff --git a/test/test_security.py b/test/test_security.py
>> --- a/test/test_security.py
>> +++ b/test/test_security.py
>> @@ -45,10 +45,15 @@ class NonManagerUserTC(CubicWebTC):
>>              arecord = testutils.authority_record(cnx, name=u'a')
>>              cnx.commit()
>>              arecord.cw_set(record_id=u'123')
>>              cnx.commit()
>>
>> +            # can change kind (unless used in constrained relation,
>> but this is tested in
>> +            # unittest_schema)
>> +            arecord.cw_set(agent_kind=cnx.find('AgentKind',
>> name=u'authority').one())
>> +            cnx.commit()
>> +
>>      def test_create_update_sedaprofile(self):
>>          with self.new_access(self.login).cnx() as cnx:
>>              profile = testutils.setup_profile(cnx)
>>              cnx.commit()
>>              profile.cw_set(user_annotation=u'meh')
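
Review bot: the added `arecord.cw_set(agent_kind=...)` followed by `cnx.commit()` only checks that no exception is raised for a non-manager user; it never asserts that the kind was actually changed. Since this test is what documents the new permission, consider reading the record back after the commit and asserting that its kind is 'authority', so that a silently ignored update would fail the test.
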
>> diff --git a/test/unittest_schema.py b/test/unittest_schema.py
>> --- a/test/unittest_schema.py
>> +++ b/test/unittest_schema.py
>> @@ -90,10 +90,40 @@ class SchemaConstraintsTC(CubicWebTC):
>>              self.assertEqual(
>>                  pou.unrelated('authority_record',
>> 'AuthorityRecord').one(),
>>                  cnx.find("AuthorityRecord", has_text=u"Direction de
>> la communication").one(),
>>              )
>>
>> +    def assertCantChangeRecordKind(self, arecord, kind):
>> +        cnx = arecord._cw
>> +        with self.assertValidationError(cnx) as cm:
>> +            arecord.cw_set(agent_kind=cnx.find('AgentKind',
>> name=kind).one())
>> +            cnx.commit()
>> +        self.assertEqual(cm.exception.errors,
>> +                         {'agent_kind-subject':
>> +                          'This record is used by a relation
>> forbidding to change its type'})
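
Review bot: the `assertEqual` on `cm.exception.errors` repeats the `msg=` text from schema.py as a literal, so any rewording of the constraint message breaks this helper for a reason unrelated to the behaviour under test. Consider defining the message once and importing it here, or asserting only on the 'agent_kind-subject' key. Also, `cnx = arecord._cw` reaches into a private attribute; passing the connection to the helper explicitly would avoid that.
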
>
> Isn't cnx.rollback() needed?

nop, because it's handled by assertValidationError. I've rather removed
the commit :)


will send a V2 of remaining patches in the series, thx

-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (05.62.17.16.42)
Python, Debian, Agile methods training: http://www.logilab.fr/formations
Custom software development:            http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org


