[PATCH 3 of 4 saem_ref] [schema] Set more restrictive permissions on activities relations

Sylvain Thenault sylvain.thenault at logilab.fr
Fri Mar 24 10:50:57 CET 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1490267792 -3600
#      Thu Mar 23 12:16:32 2017 +0100
# Node ID a42d3be56b5f03e4d73a0f4c475b9e46720b6519
# Parent  22ccebed02ef623eb41d6ef7ca75386aa23c8f57
[schema] Set more restrictive permissions on activities relations

Actually AuthorityRecord are not impacted by the rdefs' permissions, so we should
set permissions preventing editing through the UI.

diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
--- a/cubicweb_saem_ref/schema.py
+++ b/cubicweb_saem_ref/schema.py
@@ -283,31 +283,31 @@ class related_concept_scheme(RelationDef
 # change eac import to by-pass security for activities?
 
 class generated(RelationDefinition):
     __permissions__ = {
         'read': ('managers', 'users', 'guests'),
-        'add': ('managers', 'users'),
+        'add': (),
         'delete': (),
     }
     subject = 'Activity'
     object = ('Concept', 'ConceptScheme', 'SEDAArchiveTransfer')
 
 
 class used(RelationDefinition):
     __permissions__ = {
         'read': ('managers', 'users', 'guests'),
-        'add': ('managers', 'users'),
+        'add': (),
         'delete': (),
     }
     subject = 'Activity'
     object = ('Concept', 'ConceptScheme', 'SEDAArchiveTransfer')
 
 
 class associated_with(RelationDefinition):
     __permissions__ = {
         'read': ('managers', 'users', 'guests'),
-        'add': ('managers', 'users'),
+        'add': (),
         'delete': (),
     }
     subject = 'Activity'
     object = 'CWUser'
 
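Review bot: With `'add': ()` on `generated`, `used` and `associated_with` no group at all — managers included — can set these relations through a normal connection, so every code path that creates activities (the EAC import questioned in the comment just above `generated`, and any hook doing the same) must now run with write security disabled, and the commit does not touch those paths. The `# change eac import to by-pass security for activities?` comment is left as an open question; it would be clearer to replace it with a statement of the resulting contract, e.g. `# Activity relations are not editable at all through RQL/UI: activities are expected to be created by hooks/import code running with security disabled.` The same point applies to all three relation definitions in this hunk. Since the three `__permissions__` dicts are now identical, a single module-level constant shared by the three classes would keep them from drifting apart again.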
diff --git a/test/test_security.py b/test/test_security.py
--- a/test/test_security.py
+++ b/test/test_security.py
@@ -94,10 +94,26 @@ class NonManagerUserTC(CubicWebTC):
                 activity.cw_set(generated=None)
 
             with self.assertUnauthorized(cnx):
                 activity.cw_delete()
 
+    def test_cannot_create_activities(self):
+        with self.new_access(self.login).cnx() as cnx:
+            scheme = testutils.setup_scheme(cnx, u'my scheme')
+            concept = scheme.add_concept(u'lab3')
+            profile = testutils.setup_profile(cnx)
+            cnx.commit()
+
+            for entity in (scheme, concept, profile):
+                with self.assertUnauthorized(cnx):
+                    cnx.create_entity('Activity', generated=entity)
+                with self.assertUnauthorized(cnx):
+                    cnx.create_entity('Activity', used=entity)
+
+            with self.assertUnauthorized(cnx):
+                cnx.create_entity('Activity', associated_with=cnx.user)
+
 
 class ManagerUserTC(CubicWebTC):
     """Tests checking that a user in "managers" group only can do things.
 
     Most of the times, we do not call any assertion method and only rely on no
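Review bot: `test_cannot_create_activities` pins the denial only for a non-manager user, while the schema change also removes 'managers' from the `add` permission; without a matching assertion in `ManagerUserTC` (whose body starts after this hunk) a later change re-adding managers would go unnoticed. Assuming `assertUnauthorized` drives the transaction to commit — relation add permissions may only be checked at commit time rather than at `create_entity` — the three `with` blocks are fine; if it does not, the denial could be missed for the non-inlined `used`/`generated` cases, so it is worth confirming in the helper. A short docstring stating the intent would help too, e.g. `"""Activity relations have an empty 'add' permission: no user may create activities from the UI/RQL."""`.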

