[PATCH 4 of 4 saem_ref] [schema] Fix authority record activities related permissions

Sylvain Thenault sylvain.thenault at logilab.fr
Fri Mar 24 10:50:58 CET 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1490271854 -3600
#      Thu Mar 23 13:24:14 2017 +0100
# Node ID 6885a7e1b54270ca81a16fbbb7f8a8f3e73b9965
# Parent  a42d3be56b5f03e4d73a0f4c475b9e46720b6519
[schema] Fix authority record activities related permissions

It was noticed on the demo that users could not import EAC records anymore. After
deeper inspection, it appeared that a bug in the seda cube was setting
unexpected permissions on rdefs from authority record to activity.

This bug was also responsible for the security test passing. We now have to
set expected permissions on those relations.

As a functional test, attempt to import EAC file as a standard user.

diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
--- a/cubicweb_saem_ref/schema.py
+++ b/cubicweb_saem_ref/schema.py
@@ -317,10 +317,16 @@ prov.Activity.__permissions__ = {
     'add': ('managers', 'users'),
     'update': (),
     'delete': (),
 }
 
+eac.used.__permissions__ = eac.generated.__permissions__ = {
+    'read': ('managers', 'users', 'guests'),
+    'add': (RRQLExpression('U has_update_permission O'),),
+    'delete': (),
+}
+
 
 # ARK ##########################################################################
 
 class ark(RelationDefinition):
     __permissions__ = RO_ATTR_PERMS
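Review bot: The chained assignment binds `eac.used` and `eac.generated` to the same dict object, so a later in-place change to one relation's `__permissions__` silently changes the other; building the dict once and assigning `dict(perms)` to each, or writing two literals, avoids that coupling. The `'add'` rule lists no group and rests entirely on `RRQLExpression('U has_update_permission O')`, so it deserves a comment saying what O is expected to be and why, e.g. `# an activity may be linked only by users allowed to update the target record (needed by EAC import)`. With `'delete': ()` it looks as though nobody, managers included, can remove these links; confirm that is intended. The hunk ends inside `class ark`, which continues outside it.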
diff --git a/dev-requirements.txt b/dev-requirements.txt
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -1,3 +1,4 @@
 mock
 pytest
 webtest
+http://hg.logilab.org/review/cubes/seda/archive/d3dee90b9183.tar.bz2#egg=cubicweb-seda
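Review bot: The added requirement is fetched over plain `http://` with no integrity check, so whatever tarball the network path returns is installed and executed in developer and CI environments. The changeset id in the URL names a revision but does not verify the bytes. If the host serves the archive over TLS, prefer `https://hg.logilab.org/review/cubes/seda/archive/d3dee90b9183.tar.bz2#egg=cubicweb-seda`, and pin the content with pip's hash checking (`--hash=sha256:<DIGEST_PLACEHOLDER>`), keeping in mind that hash-checking mode then applies to every entry in the file. Because this points at a review repository, it should be replaced by a released `cubicweb-seda` version once the fix is published.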
diff --git a/test/test_security.py b/test/test_security.py
--- a/test/test_security.py
+++ b/test/test_security.py
@@ -110,10 +110,18 @@ class NonManagerUserTC(CubicWebTC):
                     cnx.create_entity('Activity', used=entity)
 
             with self.assertUnauthorized(cnx):
                 cnx.create_entity('Activity', associated_with=cnx.user)
 
+    def test_can_create_authorityrecord_activities(self):
+        with self.new_access(self.login).cnx() as cnx:
+            arecord = testutils.authority_record(cnx, name=u'a')
+            cnx.commit()
+            # EAC import expect user may create activity
+            cnx.create_entity('Activity', generated=arecord)
+            cnx.commit()
+
 
 class ManagerUserTC(CubicWebTC):
     """Tests checking that a user in "managers" group only can do things.
 
     Most of the times, we do not call any assertion method and only rely on no
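Review bot: The new test covers only the allowed path for `generated`; `used` receives the same permissions in schema.py but is not exercised here, and no case shows that a user without update permission on the record is refused. Add `cnx.create_entity('Activity', used=arecord)` to this test and a counterpart under `self.assertUnauthorized(cnx)` for a record the user cannot update, so the RQL-expression rule is checked in both directions. The inline comment would read better as `# EAC import expects that a user may create activities`. The hunk ends inside the ManagerUserTC docstring, which continues outside it.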
diff --git a/test/unittest_dataimport.py b/test/unittest_dataimport.py
--- a/test/unittest_dataimport.py
+++ b/test/unittest_dataimport.py
@@ -26,16 +26,17 @@ import testutils
 
 class EACDataImportTC(CubicWebTC):
 
     def setup_database(self):
         with self.admin_access.repo_cnx() as cnx:
-            cnx.user.cw_set(authority=testutils.authority_with_naa(cnx))
+            self.create_user(cnx, u'bob', ('users', ),
+                             authority=testutils.authority_with_naa(cnx))
             cnx.commit()
 
     def test_imported_activities(self):
         fpath = self.datapath('EAC', 'FRAD033_EAC_dataimport.xml')
-        with self.admin_access.repo_cnx() as cnx:
+        with self.new_access(u'bob').cnx() as cnx:
             import_log = SimpleImportLog(basename(fpath))
             cnx.call_service(
                 'eac.import', stream=fpath, import_log=import_log,
                 raise_on_error=True)
             rset = cnx.find('AuthorityRecord', isni=u'22330001300016')
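Review bot: The login `u'bob'` is repeated in `setup_database` and `test_imported_activities`, and nothing records why the import now runs as a non-manager. A class attribute such as `login = u'bob'` plus a comment like `# import as a plain 'users' member to exercise relation permissions` would keep the two in step and state the intent. `test_imported_activities` continues past the end of the hunk.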

