[PATCH 1 of 2 saem] [security] Test and fix permissions for ARK NAA

Sylvain Thenault sylvain.thenault at logilab.fr
Fri Apr 14 10:43:55 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1492069848 -7200
#      Thu Apr 13 09:50:48 2017 +0200
# Node ID 85e085e85f4a703e597863dbf45a042970050c37
# Parent  dccf96319df2d2b68734615bf61a4995fd2decd7
# Available At http://hg.logilab.org/review/cubes/saem_ref
#              hg pull http://hg.logilab.org/review/cubes/saem_ref -r 85e085e85f4a
[security] Test and fix permissions for ARK NAA

Should be only editable by managers.

In test, we now have to protect default NAA creation by the security context
manager to deactivate write security, since it may be called using a non-admin
connection because of the lazy organization/naa creation mechanism.

diff --git a/cubicweb_saem_ref/migration/0.15.1_Any.py b/cubicweb_saem_ref/migration/0.15.1_Any.py
--- a/cubicweb_saem_ref/migration/0.15.1_Any.py
+++ b/cubicweb_saem_ref/migration/0.15.1_Any.py
@@ -1,8 +1,8 @@
 for ertype in ('generated', 'used', 'associated_with', 'place_address', 'new_version_of',
                'authority_record',
-               'OrganizationUnit', 'Agent'):
+               'OrganizationUnit', 'Agent', 'ArkNameAssigningAuthority'):
     sync_schema_props_perms(ertype)
 
 
 sql("DELETE FROM container_relation WHERE EXISTS("
     "SELECT FROM entities WHERE eid_to=eid AND "
diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
--- a/cubicweb_saem_ref/schema.py
+++ b/cubicweb_saem_ref/schema.py
@@ -355,10 +355,16 @@ class ark(RelationDefinition):
     cardinality = '11'
 
 
 class ArkNameAssigningAuthority(EntityType):
     """Name Assigning Authority (NAA) for ARK generation."""
+    __permissions__ = {
+        'read': ('managers', 'users', 'guests'),
+        'add': ('managers', ),
+        'update': ('managers', ),
+        'delete': ('managers', ),
+    }
     who = String(required=True, unique=True,
                  description=_('official organization name'))
     what = Int(required=True, unique=True,
                description=_('Name Assigning Authority Number (NAAN)'))
 
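Review bot: The new `__permissions__` block on `ArkNameAssigningAuthority` carries no comment explaining why writes are managers-only while `read` stays open to `guests`. A one-line comment such as `# used for ARK generation: world-readable, but only managers may add/update/delete` would keep a later edit from loosening it by accident. These are entity-level permissions only. Relations that link other entities to an NAA are defined outside this hunk and presumably carry their own permissions, so it is worth confirming that they do not let a non-manager attach an organization to a different NAA. The class body may continue past the end of the hunk.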
diff --git a/test/test_security.py b/test/test_security.py
--- a/test/test_security.py
+++ b/test/test_security.py
@@ -193,10 +193,20 @@ class NonManagerUserTC(CubicWebTC):
                 org.cw_set(name=u'uh')
             with self.assertUnauthorized(cnx):
                 arecord = testutils.authority_record(cnx, name=u'a', kind=u'authority')
                 org.cw_set(authority_record=arecord)
 
+    def test_cannot_create_update_naa(self):
+        with self.new_access(self.login).cnx() as cnx:
+            with self.assertUnauthorized(cnx):
+                cnx.create_entity('ArkNameAssigningAuthority',
+                                  who=u'123', what=u'443')
+
+            test_naa = testutils.naa(cnx)
+            with self.assertUnauthorized(cnx):
+                test_naa.cw_set(who=u'1')
+
     def test_can_create_authorityrecord_activities(self):
         with self.new_access(self.login).cnx() as cnx:
             arecord = testutils.authority_record(cnx, name=u'a')
             cnx.commit()
             # EAC import expect user may create activity
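Review bot: `test_cannot_create_update_naa` checks add and update, but the schema change in this patch also restricts `delete` to managers and nothing here exercises it. A third block, `with self.assertUnauthorized(cnx):` followed by `test_naa.cw_delete()`, would cover it. Depending on whether `assertUnauthorized` (defined outside the hunk) rolls back the transaction, the fixture from `testutils.naa(cnx)` may need re-creating or committing first. Separately, `what=u'443'` passes a string for an attribute declared `Int` in schema.py; `what=443` would make it clearer that the expected failure is the permission check and not a value problem.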
diff --git a/test/testutils.py b/test/testutils.py
--- a/test/testutils.py
+++ b/test/testutils.py
@@ -98,11 +98,12 @@ def seda_transfer(cnx, **kwargs):
 
 def naa(cnx):
     try:
         return cnx.find('ArkNameAssigningAuthority').one()
     except NoResultError:
-        return cnx.create_entity('ArkNameAssigningAuthority', who=u'TEST', what=0)
+        with cnx.security_enabled(False, False):
+            return cnx.create_entity('ArkNameAssigningAuthority', who=u'TEST', what=0)
 
 
 def authority_with_naa(cnx, name=u'Default authority'):
     try:
         authority = cnx.find('Organization', name=name).one()
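Review bot: `cnx.security_enabled(False, False)` in `naa()` switches off both read and write security, while the commit message says only write security needs deactivating, and the bare positional booleans hide which flag is which. If the signature is the usual `security_enabled(read=None, write=None)`, `with cnx.security_enabled(write=False):` keeps the bypass to the minimum needed. `naa()` would also benefit from a docstring saying that it creates the default NAA with security disabled, so callers know the helper does not itself exercise the add permission. The `authority_with_naa` function that follows continues outside the hunk.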

