[PATCH 3 of 4 saem v4] [security] Fix permissions of the related_concept_scheme permission

Sylvain Thenault sylvain.thenault at logilab.fr
Wed May 10 10:13:28 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1492789138 -7200
#      Fri Apr 21 17:38:58 2017 +0200
# Node ID beb952ea8e9e9f180efdeda9191e4b4e8f53b6a2
# Parent  44d11ff63f39124ba3816bbf061a6f6d25c1176a
# Available At http://hg.logilab.org/review/cubes/saem_ref
#              hg pull http://hg.logilab.org/review/cubes/saem_ref -r beb952ea8e9e
[security] Fix permissions of the related_concept_scheme permission

It should depend on the permissions of the associated organization unit.

diff --git a/cubicweb_saem_ref/migration/0.15.3_Any.py b/cubicweb_saem_ref/migration/0.15.3_Any.py
--- a/cubicweb_saem_ref/migration/0.15.3_Any.py
+++ b/cubicweb_saem_ref/migration/0.15.3_Any.py
@@ -1,4 +1,4 @@
 for etype in ('ChronologicalRelation', 'HierarchicalRelation',
               'AssociationRelation', 'ConceptScheme',
-              'use_profile'):
+              'use_profile', 'related_concept_scheme'):
     sync_schema_props_perms(etype)
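Review bot: This permission fix reaches an existing instance only if the 0.15.3 migration script still runs there. The hunk edits a script that already existed (`'use_profile'` was already in the tuple), so an instance already migrated to 0.15.3 would presumably keep the old `related_concept_scheme` permissions in its stored schema. If 0.15.3 has been released or deployed anywhere, call `sync_schema_props_perms('related_concept_scheme')` from the migration script of the next version instead. As a minor style point, the loop variable `etype` now also iterates over relation types, so a neutral name would read better.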
diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
--- a/cubicweb_saem_ref/schema.py
+++ b/cubicweb_saem_ref/schema.py
@@ -318,10 +318,11 @@ class phone_number(RelationDefinition):
     object = 'PhoneNumber'
     cardinality = '*1'
     composite = 'subject'
 
 
+ at authority_permissions_rdef
 class related_concept_scheme(RelationDefinition):
     subject = 'OrganizationUnit'
     object = 'ConceptScheme'
     cardinality = '**'
     description = _('concept schemes used by the agent')
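Review bot: The security rule for `related_concept_scheme` now comes entirely from `authority_permissions_rdef`, whose definition is outside this hunk, so a reader of the class cannot tell which actions are restricted or which end of the relation is checked. A short comment above the decorator would help, e.g. `# add/delete follow the permissions of the subject OrganizationUnit`. With cardinality `'**'` and `ConceptScheme` as the object, it is worth confirming that checking only the organization unit side is intended. The ` at ` on the added line is the list archive's rendering of `@`, and the class body may continue past the hunk.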
diff --git a/test/test_security.py b/test/test_security.py
--- a/test/test_security.py
+++ b/test/test_security.py
@@ -158,25 +158,28 @@ class NonManagerUserTC(CubicWebTC):
         with self.admin_access.cnx() as cnx:
             other_authority = testutils.authority_with_naa(cnx, name=u'other authority')
             other_unit = testutils.organization_unit(
                 cnx, u'arch', archival_roles=[u'archival'], authority=other_authority)
             profile = testutils.setup_profile(cnx)
+            scheme = testutils.scheme_for_type(cnx, u'seda_keyword_type_to', None)
             cnx.commit()
             profile.cw_adapt_to('IWorkflowable').fire_transition('publish')
             cnx.commit()
 
             other_authority_eid = other_authority.eid
             other_unit_eid = other_unit.eid
             profile_eid = profile.eid
+            scheme_eid = scheme.eid
 
         with self.new_access(self.login).cnx() as cnx:
             roles = (u'archival', u'deposit')
             unit = testutils.organization_unit(
                 cnx, u'arch', archival_roles=roles, authority=self.authority_eid)
             cnx.commit()
             unit.cw_set(name=u'archi',
-                        use_profile=profile_eid)
+                        use_profile=profile_eid,
+                        related_concept_scheme=scheme_eid)
             cnx.commit()
             unit.cw_delete()
             cnx.commit()
             arecord = testutils.authority_record(cnx, name=u'arch', kind=u'authority')
             unit.cw_set(authority_record=arecord)
@@ -190,10 +193,12 @@ class NonManagerUserTC(CubicWebTC):
             with self.assertUnauthorized(cnx):
                 other_unit.cw_set(name=u'archi')
             with self.assertUnauthorized(cnx):
                 other_unit.cw_set(use_profile=profile_eid)
             with self.assertUnauthorized(cnx):
+                other_unit.cw_set(related_concept_scheme=scheme_eid)
+            with self.assertUnauthorized(cnx):
                 other_unit.cw_delete()
             with self.assertUnauthorized(cnx):
                 other_arecord = testutils.authority_record(cnx, name=u'other arch',
                                                            kind=u'authority')
                 other_unit.cw_set(authority_record=other_arecord)
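Review bot: The new negative check covers only adding `related_concept_scheme` on another authority's unit; removing an existing link is not exercised, and the rules applied by the decorator are not visible here. Consider linking `other_unit` to `scheme` in the admin block and then asserting `with self.assertUnauthorized(cnx): other_unit.cw_set(related_concept_scheme=None)`. The positive case in the previous hunk sets `name`, `use_profile` and `related_concept_scheme` in a single `cw_set` call, so a regression there would not show which of them was refused. The test method starts and ends outside the hunk.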

