[PATCH 1 of 1 seda] [schema] Fix security on direct relation to SEDAArchiveUnit

Sylvain Thenault sylvain.thenault at logilab.fr
Thu Mar 9 10:10:47 CET 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1489009219 -3600
#      Wed Mar 08 22:40:19 2017 +0100
# Node ID 7526210d26c9a742eefc49426d3e6cdad74e4306
# Parent  5c94d0712e115079025f92c390ff8b127ae6415c
[schema] Fix security on direct relation to SEDAArchiveUnit

to consider that its container may be None (in case of a component archive
unit).

diff --git a/cubicweb_seda/migration/0.9.0_Any.py b/cubicweb_seda/migration/0.9.0_Any.py
new file mode 100644
--- /dev/null
+++ b/cubicweb_seda/migration/0.9.0_Any.py
@@ -0,0 +1,9 @@
+from cubicweb_seda import iter_all_rdefs
+
+for rdef, role in iter_all_rdefs(schema, 'SEDAArchiveTransfer'):
+    if role == 'subject':
+        target_etype = rdef.subject
+    else:
+        target_etype = rdef.object
+    if target_etype == 'SEDAArchiveUnit':
+        sync_schema_props_perms((rdef.subject, rdef.rtype, rdef.object))
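Review bot: The migration gives no hint of why these particular relation definitions need re-syncing, which the next person reading `0.9.0_Any.py` will want. A one-line comment above the loop would do, e.g. `# re-sync add/delete permissions of relations to SEDAArchiveUnit: post_build_callback now grants them on units without a container (component archive units)`. The loop otherwise mirrors the selection done in post_build_callback, so only relation definitions touching SEDAArchiveUnit are re-synced, which matches the schema change in this patch.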
diff --git a/cubicweb_seda/schema/__init__.py b/cubicweb_seda/schema/__init__.py
--- a/cubicweb_seda/schema/__init__.py
+++ b/cubicweb_seda/schema/__init__.py
@@ -174,11 +174,19 @@ def post_build_callback(schema):
     for rdef, role in iter_all_rdefs(schema, 'SEDAArchiveTransfer'):
         if role == 'subject':
             target_etype, var = rdef.subject, 'S'
         else:
             target_etype, var = rdef.object, 'O'
-        if target_etype == 'SEDAArchiveTransfer':
-            expr = 'U has_update_permission {0}'.format(var)
+        rrql_exprs = []
+        if target_etype == 'SEDAArchiveUnit':
+            rrql_exprs.append('U has_update_permission {0}, NOT EXISTS({0} container C)'
+                              .format(var, var))
+            rrql_exprs.append('U has_update_permission C, {0} container C'.format(var))
+
         else:
-            expr = 'U has_update_permission C, {0} container C'.format(var)
+            if target_etype == 'SEDAArchiveTransfer':
+                rrql_exprs.append('U has_update_permission {0}'.format(var))
+            else:
+                rrql_exprs.append('U has_update_permission C, {0} container C'.format(var))
+        permissions = ['managers'] + [RRQLExpression(expr) for expr in rrql_exprs]
         for action in ('add', 'delete'):
-            rdef.set_action_permissions(action, ('managers', RRQLExpression(expr)))
+            rdef.set_action_permissions(action, permissions)
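Review bot: The first appended expression is built with `.format(var, var)` although the template only uses `{0}`, so the second argument is never consumed; `'U has_update_permission {0}, NOT EXISTS({0} container C)'.format(var)` is what is meant. The `else:` followed by a nested `if target_etype == 'SEDAArchiveTransfer':` reads more clearly flattened to `elif target_etype == 'SEDAArchiveTransfer':`, which also removes the stray blank line before the `else:`. The removed line passed a tuple to `set_action_permissions` while the new `permissions` is a list; if the schema library insists on a tuple, `permissions = ('managers',) + tuple(RRQLExpression(expr) for expr in rrql_exprs)` keeps the original type. post_build_callback starts outside the hunk.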
diff --git a/test/test_schema.py b/test/test_schema.py
--- a/test/test_schema.py
+++ b/test/test_schema.py
@@ -324,9 +324,16 @@ class SecurityTC(CubicWebTC):
         with self.admin_access.repo_cnx() as cnx:
             unit = cnx.entity_from_eid(unit.eid)
             unit.cw_delete()
             cnx.commit()
 
+    def test_users_can_created_unit(self):
+        with self.admin_access.cnx() as cnx:
+            self.create_user(cnx, 'bob')
+        with self.new_access('bob').cnx() as cnx:
+            unit, unit_alt, unit_alt_seq = testutils.create_archive_unit(None, cnx=cnx)
+            cnx.commit()
+
 
 if __name__ == '__main__':
     import unittest
     unittest.main()
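Review bot: The new test's name has a typo, `test_users_can_created_unit`; `def test_users_can_create_unit(self):` reads as intended. The test only checks that a plain user can create a container-less archive unit and commit, which is the positive side of the permission fix; it does not check that the `NOT EXISTS(S container C)` branch still denies a user lacking update permission on the unit, so a companion negative case would make the regression coverage complete. `unit_alt` and `unit_alt_seq` are unpacked but never used; `unit, _, _ = testutils.create_archive_unit(None, cnx=cnx)` makes that explicit.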

