[PATCH 4 of 4 saem] [security] Update security of the authority record kind relation

Sylvain Thénault sylvain.thenault at logilab.fr
Fri Apr 14 10:45:43 CEST 2017



On 14/04/2017 at 10:41, Denis Laxalde wrote:
> Sylvain Thénault wrote:
>>
>>
>> On 14/04/2017 at 09:55, Denis Laxalde wrote:
>>> Sylvain Thenault wrote:
>>>> # HG changeset patch
>>>> # User Sylvain Thénault <sylvain.thenault at logilab.fr>
>>>> # Date 1492070281 -7200
>>>> #      Thu Apr 13 09:58:01 2017 +0200
>>>> # Node ID a3945adaf0b1d9b6bc0713413610b3c0eaebdceb
>>>> # Parent  19025cca31f03f035616ce1995cfbecb728d46c3
>>>> [security] Update security of the authority record kind relation
>>>>
>>>> (still named agent_kind for historical reasons).
>>>>
>>>> In the eac cube, this relation can't be modified unless its value is
>>>> 'unknown'.
>>>> Here we want to allow modification provided that the record isn't referenced by
>>>> an authority_record relation which adds a constraint on the kind's value.
>>>>
>>>> To achieve this, update the relation's permission to depend on its subject
>>>> entity's permission, then add a constraint to ensure consistency of
>>>> authority_record wrt kind's value.
>>>>
>>>> Related to #16385734
>>>>
>
>>>> diff --git a/test/unittest_schema.py b/test/unittest_schema.py
>>>> --- a/test/unittest_schema.py
>>>> +++ b/test/unittest_schema.py
>>>> @@ -90,10 +90,40 @@ class SchemaConstraintsTC(CubicWebTC):
>>>>              self.assertEqual(
>>>>                  pou.unrelated('authority_record',
>>>> 'AuthorityRecord').one(),
>>>>                  cnx.find("AuthorityRecord", has_text=u"Direction de
>>>> la communication").one(),
>>>>              )
>>>>
>>>> +    def assertCantChangeRecordKind(self, arecord, kind):
>>>> +        cnx = arecord._cw
>>>> +        with self.assertValidationError(cnx) as cm:
>>>> +            arecord.cw_set(agent_kind=cnx.find('AgentKind',
>>>> name=kind).one())
>>>> +            cnx.commit()
>>>> +        self.assertEqual(cm.exception.errors,
>>>> +                         {'agent_kind-subject':
>>>> +                          'This record is used by a relation
>>>> forbidding to change its type'})
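Review bot: in assertCantChangeRecordKind, the `cnx.find('AgentKind', name=kind).one()` lookup sits inside the `with self.assertValidationError(cnx)` block, so the block covers more than the operation that is expected to be rejected. Resolve the kind entity before the `with` so that only `cw_set` and `commit` run under it. The helper also has no docstring: one line saying that it expects the kind change to be refused, and what state `cnx` is left in afterwards, would make the test readable without opening assertValidationError.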
>>>
>>> Isn't cnx.rollback() needed?
>>
>> nop, because it's handled by assertValidationError. I've rather removed
>> the commit :)
>
> It's getting quite hard to follow. How about removing the
> assertValidationError layer and make things explicit?
>
I personally like this assertUnauthorized / assertValidationError
facility and feel tests are easier to read/write using this, so I would
rather make them standard than roll them out.

-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (05.62.17.16.42)
Python, Debian, Agile methods training: http://www.logilab.fr/formations
Custom software development:            http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org


