[PATCH 2 of 2 eac] [schema] Fix agent kind permission so that no one can create new kind

Sylvain Thenault sylvain.thenault at logilab.fr
Thu May 18 16:51:44 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1495118998 -7200
#      Thu May 18 16:49:58 2017 +0200
# Node ID a3de322ee413f8e23fda223f01874b9d1e07079d
# Parent  1583346d51abe3ab0600c73834e3dcb203c1413c
[schema] Fix agent kind permission so that no one can create new kind

even managers.

Note that the modified test was rather clumsy: it was only passing because no
commit was done (non-manager users were already missing the permission to
create new kinds).

Closes #17079137

diff --git a/cubicweb_eac/migration/0.5.1_Any.py b/cubicweb_eac/migration/0.5.1_Any.py
new file mode 100644
--- /dev/null
+++ b/cubicweb_eac/migration/0.5.1_Any.py
@@ -0,0 +1,1 @@
+sync_schema_props_perms('AgentKind')
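Review bot: This one-line migration script has no comment saying why the resync is needed; a line such as `# 'add' on AgentKind is now empty: push the new permissions to existing instances` above the call would help whoever audits the migration directory later. The file name implies it runs on upgrade to 0.5.1, and no version bump is visible in this patch, so confirm one lands with it. Without it, already deployed instances would presumably keep granting 'add' to managers.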
diff --git a/cubicweb_eac/schema.py b/cubicweb_eac/schema.py
--- a/cubicweb_eac/schema.py
+++ b/cubicweb_eac/schema.py
@@ -138,11 +138,11 @@ class postal_address(ComputedRelation):
 
 class AgentKind(EntityType):
     """Kind of an authority record (e.g. "person", "authority" or "family")"""
     __permissions__ = {
         'read': ('managers', 'users', 'guests'),
-        'add': ('managers', ),
+        'add': (),
         'update': (),
         'delete': (),
     }
     name = String(required=True, unique=True, internationalizable=True)
 
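Review bot: With `'add': ()` next to the already empty 'update' and 'delete', the `__permissions__` dict of AgentKind no longer lets any group write the entity type, and nothing in the class says how the existing kinds get created. A comment above the dict would make the intent auditable, for example `# closed vocabulary: no group may add/update/delete; kinds are created with security checks bypassed (TODO confirm where)`. The claim about bypassed checks is inferred from the empty tuples, not shown in this hunk, so it should be checked against the code that inserts the initial kinds. The class body may continue past the end of the hunk.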
diff --git a/test/test_schema.py b/test/test_schema.py
--- a/test/test_schema.py
+++ b/test/test_schema.py
@@ -143,14 +143,12 @@ class SecurityTC(CubicWebTC):
                 kind.cw_set(name=u'gloups')
             with self.assertUnauthorized(cnx):
                 kind.cw_delete()
 
         with self.admin_access.cnx() as cnx:
-            self.create_user(cnx, login=u'toto', groups=('users', 'guests'))
-            cnx.commit()
-        with self.new_access('toto').cnx() as cnx:
-            cnx.create_entity('AgentKind', name=u'new')
+            with self.assertUnauthorized(cnx):
+                cnx.create_entity('AgentKind', name=u'new')
 
     def test_agent_kind_relation(self):
         """Test we can only change kind from unknown to another."""
         with self.admin_access.cnx() as cnx:
             record = testutils.authority_record(cnx, u'bob', kind=u'unknown-agent-kind')
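Review bot: The rewritten block only exercises the manager connection, so creation by a non-manager ('users', 'guests') is no longer tested, unless the part of the test above the hunk already covers it. The commit message says the old 'toto' case passed only because nothing was committed, so wrapping it in `assertUnauthorized` would fix it, assuming that helper commits (its definition is not visible here). Keeping both cases guards against a later permission change that re-opens 'add' for ordinary users. The test method starts outside the hunk.

```python
        with self.admin_access.cnx() as cnx:
            with self.assertUnauthorized(cnx):
                cnx.create_entity('AgentKind', name=u'new')
            # non-manager groups must be refused as well
            self.create_user(cnx, login=u'toto', groups=('users', 'guests'))
            cnx.commit()
        with self.new_access('toto').cnx() as cnx:
            with self.assertUnauthorized(cnx):
                cnx.create_entity('AgentKind', name=u'new')
```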

