[saem-devel] [PATCH 2 of 2 sherpa] [schema] AuthorityRecord: allow read/update/delete only to owners

Philippe Pepiot philippe.pepiot at logilab.fr
Wed Feb 22 18:07:36 CET 2017


# HG changeset patch
# User Philippe Pepiot <philippe.pepiot at logilab.fr>
# Date 1487782953 -3600
#      Wed Feb 22 18:02:33 2017 +0100
# Node ID 6964dcfaa718702d986f9b607c1fd651139d037e
# Parent  c7c57726ad9ba66c182b6f2c8f147dff3de3375f
# Available At https://hg.logilab.org/review/cubes/sherpa
#              hg pull https://hg.logilab.org/review/cubes/sherpa -r 6964dcfaa718
# Tested at https://jenkins.logilab.org/job/cubicweb-sherpa/13/
[schema] AuthorityRecord: allow read/update/delete only to owners

Related to extranet #16684441

diff --git a/dev-requirements.txt b/dev-requirements.txt
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -1,1 +1,2 @@
 pytest
+http://hg.logilab.org/master/cubes/eac/archive/tip.tar.bz2
diff --git a/schema.py b/schema.py
new file mode 100644
--- /dev/null
+++ b/schema.py
@@ -0,0 +1,26 @@
+# copyright 2017 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+# contact http://www.logilab.fr -- mailto:contact at logilab.fr
+#
+# This program is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Lesser General Public License as published by the Free
+# Software Foundation, either version 2.1 of the License, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from cubicweb.schema import ERQLExpression
+
+from cubicweb_eac.schema import AuthorityRecord
+
+AuthorityRecord.__permissions__ = {
+    'read': ('managers', ERQLExpression('X owned_by U')),
+    'add': ('managers', 'users'),
+    'update': ('managers', ERQLExpression('X owned_by U')),
+    'delete': ('managers', ERQLExpression('X owned_by U')),
+}
diff --git a/test/test_security.py b/test/test_security.py
new file mode 100644
--- /dev/null
+++ b/test/test_security.py
@@ -0,0 +1,58 @@
+# copyright 2017 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+# contact http://www.logilab.fr -- mailto:contact at logilab.fr
+#
+# This program is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Lesser General Public License as published by the Free
+# Software Foundation, either version 2.1 of the License, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+"""cubicweb-sherpa security tests"""
+
+from cubicweb.devtools.testlib import CubicWebTC
+
+
+class SecurityTC(CubicWebTC):
+
+    def setUp(self):
+        super(SecurityTC, self).setUp()
+        with self.admin_access.cnx() as cnx:
+            self.create_user(cnx, 'bob')
+            self.create_user(cnx, 'alice')
+
+    def test_add_read_update_delete_record(self):
+        with self.new_access('bob').cnx() as cnx:
+            agent_kind = cnx.find('AgentKind', name=u'person').one()
+            record = cnx.create_entity('AuthorityRecord', agent_kind=agent_kind)
+            cnx.create_entity('NameEntry', parts=u'bob notice', form_variant=u'authorized',
+                              name_entry_for=record)
+            cnx.commit()
+
+        # alice can't read bob record
+        with self.new_access('alice').cnx() as cnx:
+            self.assertEqual(len(cnx.find('AuthorityRecord')), 0)
+
+        # unless explicitly authorized using owned_by relation
+        with self.new_access('bob').cnx() as cnx:
+            record = cnx.entity_from_eid(record.eid)
+            record.cw_set(owned_by=cnx.find('CWUser', login='alice').one())
+            cnx.commit()
+
+        # alice can not read and delete the record
+        with self.new_access('alice').cnx() as cnx:
+            record = cnx.find('AuthorityRecord').one()
+            self.assertEqual(record.reverse_name_entry_for[0].parts,
+                             'bob notice')
+            record.cw_delete()
+            cnx.commit()
+
+
+if __name__ == '__main__':
+    import unittest
+    unittest.main()



More information about the saem-devel mailing list