[PATCH 2 of 2 seda] [schema] Remove managers group from update/delete permissions

Sylvain Thenault sylvain.thenault at logilab.fr
Thu Apr 27 17:43:13 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1493296090 -7200
#      Thu Apr 27 14:28:10 2017 +0200
# Node ID 8f1a4f7abbf6dcb2806017dc40365481dc22f8e3
# Parent  cdc858532db16faa96fbf042aadc0c49d57c5574
[schema] Remove managers group from update/delete permissions

of entity and relation types in the compound tree. This ensures that permissions
of the whole tree depend on the permissions of the root (SEDAArchiveTransfer or
SEDAArchiveUnit), with no special cases for users in the managers group.

Related to extranet #19216837

diff --git a/cubicweb_seda/schema/__init__.py b/cubicweb_seda/schema/__init__.py
--- a/cubicweb_seda/schema/__init__.py
+++ b/cubicweb_seda/schema/__init__.py
@@ -181,17 +181,16 @@ def post_build_callback(schema):
         eschema = schema[etype]
         # set permissions on entity types from the compound graph according to permission on the
         # container entity
         for action in ('update', 'delete'):
             eschema.set_action_permissions(
-                action, ('managers', ERQLExpression('U has_{action}_permission C, '
-                                                    'X container C'.format(action=action)))
+                action, (ERQLExpression('U has_{action}_permission C, '
+                                        'X container C'.format(action=action)),)
             )
     for action in ('update', 'delete'):
         schema['SEDAArchiveUnit'].set_action_permissions(
-            action, ('managers',
-                     ERQLExpression('U has_{action}_permission C, '
+            action, (ERQLExpression('U has_{action}_permission C, '
                                     'X container C'.format(action=action)),
                      ERQLExpression('NOT EXISTS(X container C), U in_group G, '
                                     'G name IN ("managers", "users")')))
     # set permissions on all relation defs related to the compound graph according to permission on
     # the container entity
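Review bot: The second expression on `SEDAArchiveUnit` still grants update/delete by group membership (`G name IN ("managers", "users")`) whenever the unit has no container, so the commit message's "no special cases for users in the managers group" holds only for contained entities. That fallback looks intentional for standalone units, but nothing in the code says so, and the one-element tuple `(ERQLExpression(...),)` in the first loop gives no hint that `'managers'` was left out on purpose. I would add a comment above the loops such as `# 'managers' is deliberately absent: contained entities inherit update/delete from their container`, and one on the fallback expression, `# standalone units (no container) stay editable by any member of managers/users`, so the group is not re-added later as a convenience. post_build_callback starts before and continues after this hunk.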
@@ -209,8 +208,8 @@ def post_build_callback(schema):
         else:
             if target_etype == 'SEDAArchiveTransfer':
                 rrql_exprs.append('U has_update_permission {0}'.format(var))
             else:
                 rrql_exprs.append('U has_update_permission C, {0} container C'.format(var))
-        permissions = ['managers'] + [RRQLExpression(expr) for expr in rrql_exprs]
+        permissions = [RRQLExpression(expr) for expr in rrql_exprs]
         for action in ('add', 'delete'):
             rdef.set_action_permissions(action, permissions)
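Review bot: With `'managers'` gone, `permissions` is built only from `rrql_exprs`, so a relation definition for which that list ends up empty would get an empty permission list for both `add` and `delete`. The test in this patch uses `()` to mean that nobody is allowed, so such an rdef would be closed to every user; that fails safe, but silently. How `rrql_exprs` is filled lies outside this hunk, so the case may be unreachable. If it is meant to be, state it just before the assignment, for example `if not rrql_exprs: raise ValueError('no permission expression for %s' % rdef)`.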
diff --git a/test/test_schema.py b/test/test_schema.py
--- a/test/test_schema.py
+++ b/test/test_schema.py
@@ -320,10 +320,36 @@ class SecurityTC(CubicWebTC):
                 transfer.archive_units[0].cw_delete()
             # deletion of the container
             with self.assertUnauthorized(cnx):
                 transfer.cw_delete()
 
+        with self.admin_access.cnx() as cnx:
+            transfer = cnx.entity_from_eid(transfer.eid)
+            # ensure every subobjects permissions depends on top-level
+            # permissions (don't even include managers group)
+            with self.temporary_permissions((self.schema['SEDAArchiveTransfer'],
+                                             {'update': (),
+                                              'delete': ()})):
+                # modification of a contained entity
+                comment = transfer.reverse_seda_comment[0]
+                with self.assertUnauthorized(cnx):
+                    comment.cw_set(comment=u'You got hacked')
+                with self.assertUnauthorized(cnx):
+                    comment.cw_delete()
+                with self.assertUnauthorized(cnx):
+                    cnx.create_entity('SEDAArchivalAgreement', seda_archival_agreement=transfer)
+                # modification of a relation from the container to a non contained entity
+                with self.assertUnauthorized(cnx):
+                    testutils.create_authority_record(cnx, name=u'Bob Archival inc.',
+                                                      reverse_seda_archival_agency=transfer)
+                # deletion of an archive unit
+                with self.assertUnauthorized(cnx):
+                    transfer.archive_units[0].cw_delete()
+                # deletion of the container
+                with self.assertUnauthorized(cnx):
+                    transfer.cw_delete()
+
     def test_archive_unit(self):
         with self.admin_access.cnx() as cnx:
             unit, unit_alt, unit_alt_seq = testutils.create_archive_unit(None, cnx=cnx)
             cnx.commit()
 
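Review bot: The added block appears to repeat the `assertUnauthorized` checks of the preceding block (only its tail is visible in this hunk), this time under `admin_access` with the root's update/delete permissions emptied. Moving the six checks into a helper such as `_assert_transfer_locked(cnx, transfer)` would keep the two lists from drifting apart. The block also exercises only `SEDAArchiveTransfer` as root, while the schema change rewrites the `SEDAArchiveUnit` permissions too, including the branch for units without a container. No manager-level check for a unit-rooted tree is visible here (the body of `test_archive_unit` continues outside the hunk), so a matching `temporary_permissions` case on `self.schema['SEDAArchiveUnit']` would pin both roots named in the commit message.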

