[PATCH 2 of 2 eac] [schema] Fix agent kind permission so that no one can create new kind

Sylvain Thenault sylvain.thenault at logilab.fr
Fri May 19 10:47:19 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1495118998 -7200
#      Thu May 18 16:49:58 2017 +0200
# Node ID b1080cd1062ec3db7873e8c8d5615c89d94f00f3
# Parent  9e03d0d69d8f6f416bb70f7188d619d0568f9edc
# Available At https://hg.logilab.org/review/cubes/eac
#              hg pull https://hg.logilab.org/review/cubes/eac -r b1080cd1062e
[schema] Fix agent kind permission so that no one can create new kind

even managers.

Note that the modified test was rather clumsy: it was only passing because no
commit was done (non-manager users were already missing the permission to
create new kinds).

Closes #17079137

diff --git a/cubicweb_eac/migration/0.5.1_Any.py b/cubicweb_eac/migration/0.5.1_Any.py
new file mode 100644
--- /dev/null
+++ b/cubicweb_eac/migration/0.5.1_Any.py
@@ -0,0 +1,1 @@
+sync_schema_props_perms('AgentKind')
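Review bot: The migration script has no comment saying what it resynchronises or why, although on an already-deployed instance it appears to be the step that actually withdraws the managers' right to add kinds. A one-line header such as `# AgentKind 'add' permission is now empty (#17079137): resync stored permissions` would make that clear. As far as I can tell, the stored schema keeps the old `'add': ('managers', )` until this script runs, so the 0.5.1 version bump that triggers it needs to ship with this change; that bump is not visible in this patch.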
diff --git a/cubicweb_eac/schema.py b/cubicweb_eac/schema.py
--- a/cubicweb_eac/schema.py
+++ b/cubicweb_eac/schema.py
@@ -138,11 +138,11 @@ class postal_address(ComputedRelation):
 
 class AgentKind(EntityType):
     """Kind of an authority record (e.g. "person", "authority" or "family")"""
     __permissions__ = {
         'read': ('managers', 'users', 'guests'),
-        'add': ('managers', ),
+        'add': (),
         'update': (),
         'delete': (),
     }
     name = String(required=True, unique=True, internationalizable=True)
 
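Review bot: The empty `'add': ()` tuple has no comment explaining that the set of kinds is deliberately closed, so a later reader may take it for an omission and restore `'managers'`. I would add a line above `__permissions__` such as `# closed vocabulary: nobody, not even managers, may add kinds through a secured connection`. These permissions presumably do not constrain code that runs with write security disabled (instance creation, migrations), which is likely how the initial kinds are created. Saying so in the comment would document where new kinds can still come from.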
diff --git a/test/test_schema.py b/test/test_schema.py
--- a/test/test_schema.py
+++ b/test/test_schema.py
@@ -143,14 +143,12 @@ class SecurityTC(CubicWebTC):
                 kind.cw_set(name=u'gloups')
             with self.assertUnauthorized(cnx):
                 kind.cw_delete()
 
         with self.admin_access.cnx() as cnx:
-            self.create_user(cnx, login=u'toto', groups=('users', 'guests'))
-            cnx.commit()
-        with self.new_access('toto').cnx() as cnx:
-            cnx.create_entity('AgentKind', name=u'new')
+            with self.assertUnauthorized(cnx):
+                cnx.create_entity('AgentKind', name=u'new')
 
     def test_agent_kind_relation(self):
         """Test we can only change kind from unknown to another."""
         with self.admin_access.cnx() as cnx:
             record = testutils.authority_record(cnx, u'bob', kind=u'unknown-agent-kind')
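Review bot: With the 'toto' block removed, the add check is exercised only on the admin connection, so the test no longer pins the denial for an ordinary `users`/`guests` account. The commit message notes the old check was vacuous because nothing was committed; rather than dropping it, the user could be kept and the creation wrapped, i.e. `with self.new_access('toto').cnx() as cnx:` followed by `with self.assertUnauthorized(cnx):` around `cnx.create_entity('AgentKind', name=u'new')`. This assumes `assertUnauthorized` commits before checking for the exception, which is not visible here. The test method starts above the hunk, so an earlier part of it may already cover a non-manager connection.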

