[saem-devel] [PATCH 2 of 2 sherpa] [schema] AuthorityRecord: allow read/update/delete only to owners

Sylvain Thénault sylvain.thenault at logilab.fr
Wed Mar 8 11:41:22 CET 2017


sent a V2 of this patch


On 22/02/2017 at 18:07, Philippe Pepiot wrote:
> # HG changeset patch
> # User Philippe Pepiot <philippe.pepiot at logilab.fr>
> # Date 1487782953 -3600
> #      Wed Feb 22 18:02:33 2017 +0100
> # Node ID 6964dcfaa718702d986f9b607c1fd651139d037e
> # Parent  c7c57726ad9ba66c182b6f2c8f147dff3de3375f
> # Available At https://hg.logilab.org/review/cubes/sherpa
> #              hg pull https://hg.logilab.org/review/cubes/sherpa -r 6964dcfaa718
> # Tested at https://jenkins.logilab.org/job/cubicweb-sherpa/13/
> [schema] AuthorityRecord: allow read/update/delete only to owners
>
> Related to extranet #16684441
>
> diff --git a/dev-requirements.txt b/dev-requirements.txt
> --- a/dev-requirements.txt
> +++ b/dev-requirements.txt
> @@ -1,1 +1,2 @@
>  pytest
> +http://hg.logilab.org/master/cubes/eac/archive/tip.tar.bz2
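Review bot: the new dev-requirements.txt entry fetches `archive/tip.tar.bz2` over plain `http://`, so the cubicweb_eac test dependency is neither pinned nor integrity-checked: the Jenkins run named in "Tested at" exercised whatever `tip` was at that moment, a later run may build against different code, and the archive can be altered in transit. Pin the archive to a changeset (`.../archive/<node>.tar.bz2`) or to a released cubicweb-eac version, and fetch it over https, so that a passing build of this patch stays reproducible.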
> diff --git a/schema.py b/schema.py
> new file mode 100644
> --- /dev/null
> +++ b/schema.py
> @@ -0,0 +1,26 @@
> +# copyright 2017 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
> +# contact http://www.logilab.fr -- mailto:contact at logilab.fr
> +#
> +# This program is free software: you can redistribute it and/or modify it under
> +# the terms of the GNU Lesser General Public License as published by the Free
> +# Software Foundation, either version 2.1 of the License, or (at your option)
> +# any later version.
> +#
> +# This program is distributed in the hope that it will be useful, but WITHOUT
> +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
> +# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
> +# details.
> +#
> +# You should have received a copy of the GNU Lesser General Public License along
> +# with this program. If not, see <http://www.gnu.org/licenses/>.
> +
> +from cubicweb.schema import ERQLExpression
> +
> +from cubicweb_eac.schema import AuthorityRecord
> +
> +AuthorityRecord.__permissions__ = {
> +    'read': ('managers', ERQLExpression('X owned_by U')),
> +    'add': ('managers', 'users'),
> +    'update': ('managers', ERQLExpression('X owned_by U')),
> +    'delete': ('managers', ERQLExpression('X owned_by U')),
> +}
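Review bot: restricting `read` on `AuthorityRecord` alone does not hide the record's content, because the entity types attached to it keep their own permissions: the `NameEntry` created in the test with `name_entry_for=record` (and any other entity the eac cube hangs off an `AuthorityRecord`) remains readable by any user through a query such as `Any P WHERE N is NameEntry, N parts P`, even though the record itself is filtered out of `Any X WHERE X is AuthorityRecord`. Either give those types a matching expression, e.g. `ERQLExpression('X name_entry_for R, R owned_by U')` on `NameEntry`, or state in the commit message that only the record's own attributes are protected. Since `ERQLExpression('X owned_by U')` makes ownership the sole grant for read/update/delete, whoever may add `owned_by` can widen access; the permissions of the `owned_by` relation should be checked and covered by a test together with this change. As a style point, assigning `AuthorityRecord.__permissions__` on the imported class rewrites cubicweb_eac's definition at import time; cubicweb's `post_build_callback(schema)` with `schema['AuthorityRecord'].set_action_permissions(...)` applies the override on the built schema instead.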
> diff --git a/test/test_security.py b/test/test_security.py
> new file mode 100644
> --- /dev/null
> +++ b/test/test_security.py
> @@ -0,0 +1,58 @@
> +# copyright 2017 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
> +# contact http://www.logilab.fr -- mailto:contact at logilab.fr
> +#
> +# This program is free software: you can redistribute it and/or modify it under
> +# the terms of the GNU Lesser General Public License as published by the Free
> +# Software Foundation, either version 2.1 of the License, or (at your option)
> +# any later version.
> +#
> +# This program is distributed in the hope that it will be useful, but WITHOUT
> +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
> +# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
> +# details.
> +#
> +# You should have received a copy of the GNU Lesser General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +"""cubicweb-sherpa security tests"""
> +
> +from cubicweb.devtools.testlib import CubicWebTC
> +
> +
> +class SecurityTC(CubicWebTC):
> +
> +    def setUp(self):
> +        super(SecurityTC, self).setUp()
> +        with self.admin_access.cnx() as cnx:
> +            self.create_user(cnx, 'bob')
> +            self.create_user(cnx, 'alice')
> +
> +    def test_add_read_update_delete_record(self):
> +        with self.new_access('bob').cnx() as cnx:
> +            agent_kind = cnx.find('AgentKind', name=u'person').one()
> +            record = cnx.create_entity('AuthorityRecord', agent_kind=agent_kind)
> +            cnx.create_entity('NameEntry', parts=u'bob notice', form_variant=u'authorized',
> +                              name_entry_for=record)
> +            cnx.commit()
> +
> +        # alice can't read bob record
> +        with self.new_access('alice').cnx() as cnx:
> +            self.assertEqual(len(cnx.find('AuthorityRecord')), 0)
> +
> +        # unless explicitly authorized using owned_by relation
> +        with self.new_access('bob').cnx() as cnx:
> +            record = cnx.entity_from_eid(record.eid)
> +            record.cw_set(owned_by=cnx.find('CWUser', login='alice').one())
> +            cnx.commit()
> +
> +        # alice can not read and delete the record
> +        with self.new_access('alice').cnx() as cnx:
> +            record = cnx.find('AuthorityRecord').one()
> +            self.assertEqual(record.reverse_name_entry_for[0].parts,
> +                             'bob notice')
> +            record.cw_delete()
> +            cnx.commit()
> +
> +
> +if __name__ == '__main__':
> +    import unittest
> +    unittest.main()
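Review bot: the comment `# alice can not read and delete the record` states the opposite of what the block asserts, since alice reads `bob notice` and deletes the record successfully once bob has added her as owner; it should read `# alice can now read and delete the record`. More importantly, the test proves only the positive path and the read filter: nothing asserts that a non-owner is refused `update` or `delete`, nor that alice cannot give herself `owned_by` on bob's record, so the `update` and `delete` rules of `schema.py` are untested. Before the `cw_set(owned_by=...)` grant, add from alice's connection an `assertRaises(Unauthorized)` (imported from `cubicweb`) around an update of the record by eid and around `cw_delete()` followed by `cnx.commit()`, and a case where alice tries to set `owned_by` to herself; without these a regression that opens `update` or `delete` to all users would still pass.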
> _______________________________________________
> saem-devel mailing list
> saem-devel at lists.cubicweb.org
> http://lists.cubicweb.org/mailman/listinfo/saem-devel

-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (05.62.17.16.42)
Formations Python, Debian, Méth. Agiles: http://www.logilab.fr/formations
Développement logiciel sur mesure:       http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org
