server/test/unittest_security.py
author Julien Cristau <julien.cristau@logilab.fr>
Wed, 09 Dec 2015 14:20:30 +0100
changeset 10963 9b1c7f337eb3
parent 10769 c45f4bcff3aa
permissions -rw-r--r--
[devtools] stop using datetime.now() in cwctl newcube and i18ncube
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
9981
7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
     1
# copyright 2003-2014 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
5421
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     2
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     3
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     4
# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     5
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     6
# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     7
# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     8
# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
     9
# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    10
#
5424
8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5421
diff changeset
    11
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    12
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    13
# FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    14
# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    15
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    16
# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5419
diff changeset
    17
# with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
5886
00a78298d30d cleanups
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5426
diff changeset
    18
"""functional tests for server'security"""
00a78298d30d cleanups
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5426
diff changeset
    19
10609
e2d8e81bfe68 [py3k] import range using six.moves
Rémi Cardona <remi.cardona@logilab.fr>
parents: 10600
diff changeset
    20
from six.moves import range
e2d8e81bfe68 [py3k] import range using six.moves
Rémi Cardona <remi.cardona@logilab.fr>
parents: 10600
diff changeset
    21
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    22
from logilab.common.testlib import unittest_main
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
    23
2773
b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2608
diff changeset
    24
from cubicweb.devtools.testlib import CubicWebTC
8546
3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents: 8488
diff changeset
    25
from cubicweb import Unauthorized, ValidationError, QueryError, Binary
8452
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
    26
from cubicweb.schema import ERQLExpression
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    27
from cubicweb.server.querier import get_local_checks, check_relations_read_access
8546
3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents: 8488
diff changeset
    28
from cubicweb.server.utils import _CRYPTO_CTX
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    29
8452
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
    30
2773
b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2608
diff changeset
    31
class BaseSecurityTC(CubicWebTC):
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    32
7072
bcf96f2a4c5d [test] properly close connections
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6410
diff changeset
    33
    def setup_database(self):
bcf96f2a4c5d [test] properly close connections
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6410
diff changeset
    34
        super(BaseSecurityTC, self).setup_database()
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    35
        with self.admin_access.client_cnx() as cnx:
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
    36
            self.create_user(cnx, u'iaminusersgrouponly')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    37
            hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt')
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    38
            self.create_user(cnx, u'oldpassword', password=Binary(hash.encode('ascii')))
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
    39
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    40
class LowLevelSecurityFunctionTC(BaseSecurityTC):
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
    41
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    42
    def test_check_relation_read_access(self):
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    43
        rql = u'Personne U WHERE U nom "managers"'
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    44
        rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    45
        nom = self.repo.schema['Personne'].rdef('nom')
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    46
        with self.temporary_permissions((nom, {'read': ('users', 'managers')})):
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    47
            with self.admin_access.repo_cnx() as cnx:
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    48
                self.repo.vreg.solutions(cnx, rqlst, None)
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    49
                check_relations_read_access(cnx, rqlst, {})
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
    50
            with self.new_access(u'anon').repo_cnx() as cnx:
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    51
                self.assertRaises(Unauthorized,
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    52
                                  check_relations_read_access,
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    53
                                  cnx, rqlst, {})
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    54
                self.assertRaises(Unauthorized, cnx.execute, rql)
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    55
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    56
    def test_get_local_checks(self):
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    57
        rql = u'Personne U WHERE U nom "managers"'
3252
c0e10da6f1cf tests update
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2920
diff changeset
    58
        rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
    59
        with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    60
            with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    61
                self.repo.vreg.solutions(cnx, rqlst, None)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    62
                solution = rqlst.solutions[0]
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    63
                localchecks = get_local_checks(cnx, rqlst, solution)
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    64
                self.assertEqual({}, localchecks)
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
    65
            with self.new_access(u'anon').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
    66
                self.assertRaises(Unauthorized,
9954
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    67
                                  get_local_checks,
79d34ba48612 [CWEP002] refactor rql read security checking
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 9782
diff changeset
    68
                                  cnx, rqlst, solution)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    69
                self.assertRaises(Unauthorized, cnx.execute, rql)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
    70
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    71
    def test_upassword_not_selectable(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    72
        with self.admin_access.repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
    73
            self.assertRaises(Unauthorized,
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    74
                              cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
    75
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    76
            self.assertRaises(Unauthorized,
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    77
                              cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
    78
8546
3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents: 8488
diff changeset
    79
    def test_update_password(self):
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
    80
        """Ensure that if a user's password is stored with a deprecated hash,
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
    81
        it will be updated on next login
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
    82
        """
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    83
        with self.repo.internal_cnx() as cnx:
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    84
            oldhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    85
                                         "WHERE cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    86
            oldhash = self.repo.system_source.binary_to_str(oldhash)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    87
            self.repo.close(self.repo.connect('oldpassword', password='oldpassword'))
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    88
            newhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    89
                                     "WHERE cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    90
            newhash = self.repo.system_source.binary_to_str(newhash)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    91
            self.assertNotEqual(oldhash, newhash)
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    92
            self.assertTrue(newhash.startswith(b'$6$'))
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
    93
            self.repo.close(self.repo.connect('oldpassword', password='oldpassword'))
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    94
            newnewhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE "
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    95
                                        "cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    96
            newnewhash = self.repo.system_source.binary_to_str(newnewhash)
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
    97
            self.assertEqual(newhash, newnewhash)
8546
3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login
Julien Cristau <julien.cristau@logilab.fr>
parents: 8488
diff changeset
    98
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
    99
5888
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   100
class SecurityRewritingTC(BaseSecurityTC):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   101
    def hijack_source_execute(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   102
        def syntax_tree_search(*args, **kwargs):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   103
            self.query = (args, kwargs)
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   104
            return []
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   105
        self.repo.system_source.syntax_tree_search = syntax_tree_search
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   106
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   107
    def tearDown(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   108
        self.repo.system_source.__dict__.pop('syntax_tree_search', None)
7072
bcf96f2a4c5d [test] properly close connections
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6410
diff changeset
   109
        super(SecurityRewritingTC, self).tearDown()
5888
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   110
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   111
    def test_not_relation_read_security(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   112
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   113
            self.hijack_source_execute()
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   114
            cnx.execute('Any U WHERE NOT A todo_by U, A is Affaire')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   115
            self.assertEqual(self.query[0][1].as_string(),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   116
                              'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   117
            cnx.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   118
            self.assertEqual(self.query[0][1].as_string(),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   119
                              'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
5888
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5886
diff changeset
   120
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   121
class SecurityTC(BaseSecurityTC):
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   122
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   123
    def setUp(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   124
        super(SecurityTC, self).setUp()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   125
        # implicitly test manager can add some entities
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   126
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   127
            cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   128
            cnx.execute("INSERT Societe X: X nom 'logilab'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   129
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   130
            cnx.execute('INSERT CWGroup X: X name "staff"')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   131
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   132
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   133
    def test_insert_security(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   134
        with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   135
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   136
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   137
            self.assertEqual(cnx.execute('Personne X').rowcount, 1)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   138
10153
85cbf16fbb57 [security] Test case and fix for an INSERT security hole
Julien Cristau <julien.cristau@logilab.fr>
parents: 9981
diff changeset
   139
    def test_insert_security_2(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   140
        with self.new_access(u'anon').repo_cnx() as cnx:
10158
efc8645ece43 [server/test] convert new test to 3.19 API
Julien Cristau <julien.cristau@logilab.fr>
parents: 10156
diff changeset
   141
            cnx.execute("INSERT Affaire X")
efc8645ece43 [server/test] convert new test to 3.19 API
Julien Cristau <julien.cristau@logilab.fr>
parents: 10156
diff changeset
   142
            self.assertRaises(Unauthorized, cnx.commit)
10153
85cbf16fbb57 [security] Test case and fix for an INSERT security hole
Julien Cristau <julien.cristau@logilab.fr>
parents: 9981
diff changeset
   143
            # anon has no read permission on Affaire entities, so
85cbf16fbb57 [security] Test case and fix for an INSERT security hole
Julien Cristau <julien.cristau@logilab.fr>
parents: 9981
diff changeset
   144
            # rowcount == 0
10158
efc8645ece43 [server/test] convert new test to 3.19 API
Julien Cristau <julien.cristau@logilab.fr>
parents: 10156
diff changeset
   145
            self.assertEqual(cnx.execute('Affaire X').rowcount, 0)
10153
85cbf16fbb57 [security] Test case and fix for an INSERT security hole
Julien Cristau <julien.cristau@logilab.fr>
parents: 9981
diff changeset
   146
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   147
    def test_insert_rql_permission(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   148
        # test user can only add une affaire related to a societe he owns
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   149
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   150
            cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   151
            self.assertRaises(Unauthorized, cnx.commit)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   152
        # test nothing has actually been inserted
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   153
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   154
            self.assertEqual(cnx.execute('Affaire X').rowcount, 1)
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   155
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   156
            cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   157
            cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   158
            cnx.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   159
            cnx.commit()
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   160
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   161
    def test_update_security_1(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   162
        with self.new_access(u'anon').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   163
            # local security check
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   164
            cnx.execute( "SET X nom 'bidulechouette' WHERE X is Personne")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   165
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   166
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   167
            self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   168
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   169
    def test_update_security_2(self):
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   170
        with self.temporary_permissions(Personne={'read': ('users', 'managers'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   171
                                                  'add': ('guests', 'users', 'managers')}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   172
            with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   173
                self.assertRaises(Unauthorized, cnx.execute,
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   174
                                  "SET X nom 'bidulechouette' WHERE X is Personne")
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   175
        # test nothing has actually been inserted
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   176
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   177
            self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   178
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   179
    def test_update_security_3(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   180
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   181
            cnx.execute("INSERT Personne X: X nom 'biduuule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   182
            cnx.execute("INSERT Societe X: X nom 'looogilab'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   183
            cnx.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'")
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   184
10114
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9984
diff changeset
   185
    def test_insert_immutable_attribute_update(self):
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9984
diff changeset
   186
        with self.admin_access.repo_cnx() as cnx:
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9984
diff changeset
   187
            cnx.create_entity('Old', name=u'Babar')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9984
diff changeset
   188
            cnx.commit()
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9984
diff changeset
   189
            # this should be equivalent
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9984
diff changeset
   190
            o = cnx.create_entity('Old')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9984
diff changeset
   191
            o.cw_set(name=u'Celeste')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9984
diff changeset
   192
            cnx.commit()
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   193
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   194
    def test_update_rql_permission(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   195
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   196
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   197
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   198
        # test user can only update une affaire related to a societe he owns
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   199
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   200
            cnx.execute("SET X sujet 'pascool' WHERE X is Affaire")
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   201
            # this won't actually do anything since the selection query won't return anything
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   202
            cnx.commit()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   203
            # to actually get Unauthorized exception, try to update an entity we can read
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   204
            cnx.execute("SET X nom 'toto' WHERE X is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   205
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   206
            cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   207
            cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   208
            cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   209
            cnx.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   210
            cnx.commit()
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   211
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   212
    def test_delete_security(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   213
        # FIXME: sample below fails because we don't detect "owner" can't delete
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   214
        # user anyway, and since no user with login == 'bidule' exists, no
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   215
        # exception is raised
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   216
        #user._groups = {'guests':1}
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   217
        #self.assertRaises(Unauthorized,
1398
5fe84a5f7035 rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents: 389
diff changeset
   218
        #                  self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'")
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   219
        # check local security
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   220
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   221
            self.assertRaises(Unauthorized, cnx.execute, "DELETE CWGroup Y WHERE Y name 'staff'")
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   222
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   223
    def test_delete_rql_permission(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   224
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   225
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   226
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   227
        # test user can only dele une affaire related to a societe he owns
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   228
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   229
            # this won't actually do anything since the selection query won't return anything
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   230
            cnx.execute("DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   231
            cnx.commit()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   232
            # to actually get Unauthorized exception, try to delete an entity we can read
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   233
            self.assertRaises(Unauthorized, cnx.execute, "DELETE Societe S")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   234
            self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   235
            cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   236
            cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   237
            cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   238
            cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   239
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   240
##         # this one should fail since it will try to delete two affaires, one authorized
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   241
##         # and the other not
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   242
##         self.assertRaises(Unauthorized, cnx.execute, "DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   243
            cnx.execute("DELETE Affaire X WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   244
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   245
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   246
    def test_insert_relation_rql_permission(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   247
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   248
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   249
            # should raise Unauthorized since user don't own S though this won't
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   250
            # actually do anything since the selection query won't return
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   251
            # anything
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   252
            cnx.commit()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   253
            # to actually get Unauthorized exception, try to insert a relation
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   254
            # were we can read both entities
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   255
            rset = cnx.execute('Personne P')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   256
            self.assertEqual(len(rset), 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   257
            ent = rset.get_entity(0, 0)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   258
            self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   259
            self.assertRaises(Unauthorized, ent.cw_check_perm, 'update')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   260
            self.assertRaises(Unauthorized,
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   261
                              cnx.execute, "SET P travaille S WHERE P is Personne, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   262
            self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   263
            cnx.rollback()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   264
            # test nothing has actually been inserted:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   265
            self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   266
            cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   267
            cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   268
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   269
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   270
    def test_delete_relation_rql_permission(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   271
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   272
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   273
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   274
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   275
            # this won't actually do anything since the selection query won't return anything
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   276
            cnx.execute("DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   277
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   278
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   279
            # to actually get Unauthorized exception, try to delete a relation we can read
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   280
            eid = cnx.execute("INSERT Affaire X: X sujet 'pascool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   281
            cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   282
                         {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   283
            cnx.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   284
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   285
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   286
            self.assertRaises(Unauthorized, cnx.execute, "DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   287
            self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   288
            cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   289
            cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   290
            cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   291
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   292
            cnx.execute("DELETE A concerne S WHERE S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   293
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   294
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   295
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   296
    def test_user_can_change_its_upassword(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   297
        with self.admin_access.repo_cnx() as cnx:
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   298
            ueid = self.create_user(cnx, u'user').eid
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   299
        with self.new_access(u'user').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   300
            cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
   301
                       {'x': ueid, 'passwd': b'newpwd'})
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   302
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   303
        self.repo.close(self.repo.connect('user', password='newpwd'))
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   304
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   305
    def test_user_cant_change_other_upassword(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   306
        with self.admin_access.repo_cnx() as cnx:
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   307
            ueid = self.create_user(cnx, u'otheruser').eid
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   308
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   309
            cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
10769
c45f4bcff3aa [server] fix unittest_security for py3k
Julien Cristau <julien.cristau@logilab.fr>
parents: 10609
diff changeset
   310
                       {'x': ueid, 'passwd': b'newpwd'})
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   311
            self.assertRaises(Unauthorized, cnx.commit)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   312
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   313
    # read security test
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   314
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   315
    def test_read_base(self):
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   316
        with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   317
            with self.new_access(u'anon').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   318
                self.assertRaises(Unauthorized,
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   319
                                  cnx.execute, 'Personne U where U nom "managers"')
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   320
321
247947250382 fix security bug w/ query using 'NOT X eid 123'
Sylvain Thenault <sylvain.thenault@logilab.fr>
parents: 0
diff changeset
   321
    def test_read_erqlexpr_base(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   322
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   323
            eid = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   324
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   325
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   326
            rset = cnx.execute('Affaire X')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   327
            self.assertEqual(rset.rows, [])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   328
            self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   329
            # cache test
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   330
            self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   331
            aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   332
            soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   333
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   334
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   335
            rset = cnx.execute('Any X WHERE X eid %(x)s', {'x': aff2})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   336
            self.assertEqual(rset.rows, [[aff2]])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   337
            # more cache test w/ NOT eid
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   338
            rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   339
            self.assertEqual(rset.rows, [[aff2]])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   340
            rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   341
            self.assertEqual(rset.rows, [])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   342
            # test can't update an attribute of an entity that can't be readen
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   343
            self.assertRaises(Unauthorized, cnx.execute,
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   344
                              'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid})
4765
c33d12865641 more tests
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4711
diff changeset
   345
c33d12865641 more tests
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4711
diff changeset
   346
c33d12865641 more tests
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4711
diff changeset
   347
    def test_entity_created_in_transaction(self):
c33d12865641 more tests
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4711
diff changeset
   348
        affschema = self.schema['Affaire']
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   349
        with self.temporary_permissions(Affaire={'read': affschema.permissions['add']}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   350
            with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   351
                aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   352
                # entity created in transaction are readable *by eid*
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   353
                self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   354
                # XXX would be nice if it worked
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   355
                rset = cnx.execute("Affaire X WHERE X sujet 'cool'")
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   356
                self.assertEqual(len(rset), 0)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   357
                self.assertRaises(Unauthorized, cnx.commit)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   358
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   359
    def test_read_erqlexpr_has_text1(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   360
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   361
            aff1 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   362
            card1 = cnx.execute("INSERT Card X: X title 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   363
            cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   364
                        {'x': card1})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   365
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   366
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   367
            aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   368
            soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   369
            cnx.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   370
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   371
            self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x':aff1})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   372
            self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   373
            self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':card1}))
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   374
            rset = cnx.execute("Any X WHERE X has_text 'cool'")
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   375
            self.assertEqual(sorted(eid for eid, in rset.rows),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   376
                              [card1, aff2])
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   377
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   378
    def test_read_erqlexpr_has_text2(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   379
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   380
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   381
            cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   382
            cnx.commit()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   383
        with self.temporary_permissions(Personne={'read': ('managers',)}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   384
            with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   385
                rset = cnx.execute('Any N WHERE N has_text "bidule"')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   386
                self.assertEqual(len(rset.rows), 1, rset.rows)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   387
                rset = cnx.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   388
                self.assertEqual(len(rset.rows), 1, rset.rows)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   389
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   390
    def test_read_erqlexpr_optional_rel(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   391
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   392
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   393
            cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   394
            cnx.commit()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   395
        with self.temporary_permissions(Personne={'read': ('managers',)}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   396
            with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   397
                rset = cnx.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   398
                self.assertEqual(len(rset.rows), 1, rset.rows)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   399
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   400
    def test_read_erqlexpr_aggregat(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   401
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   402
            cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   403
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   404
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   405
            rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   406
            self.assertEqual(rset.rows, [[0]])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   407
            aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   408
            soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   409
            cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   410
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   411
            rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   412
            self.assertEqual(rset.rows, [[1]])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   413
            rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   414
            values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   415
            self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   416
            self.assertEqual(values['Societe'], 2)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   417
            rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN '
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   418
                              'WITH X BEING ((Affaire X) UNION (Societe X))')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   419
            self.assertEqual(len(rset), 2)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   420
            values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   421
            self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   422
            self.assertEqual(values['Societe'], 2)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   423
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   424
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   425
    def test_attribute_security(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   426
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   427
            # only managers should be able to edit the 'test' attribute of Personne entities
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   428
            eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   429
                               "X web 'http://www.debian.org', X test TRUE")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   430
            cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   431
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   432
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   433
            cnx.execute("INSERT Personne X: X nom 'bidule', "
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   434
                       "X web 'http://www.debian.org', X test TRUE")
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   435
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   436
            cnx.execute("INSERT Personne X: X nom 'bidule', "
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   437
                       "X web 'http://www.debian.org', X test FALSE")
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   438
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   439
            eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   440
                             "X web 'http://www.debian.org'")[0][0]
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   441
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   442
            cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   443
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   444
            cnx.execute('SET X test TRUE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   445
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   446
            cnx.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   447
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   448
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9984
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   449
            cnx.execute('INSERT Frozable F: F name "Foo"')
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   450
            cnx.commit()
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   451
            cnx.execute('SET F name "Bar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   452
            cnx.commit()
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   453
            cnx.execute('SET F name "BaBar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   454
            cnx.execute('SET F frozen True WHERE F is Frozable')
9981
7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   455
            with self.assertRaises(Unauthorized):
9984
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   456
                cnx.commit()
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   457
            cnx.rollback()
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   458
            cnx.execute('SET F frozen True WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   459
            cnx.commit()
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   460
            cnx.execute('SET F name "Bar" WHERE F is Frozable')
9981
7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   461
            with self.assertRaises(Unauthorized):
9984
793377697c81 merge 3.18.6 into 3.19
Julien Cristau <julien.cristau@logilab.fr>
parents: 9782 9981
diff changeset
   462
                cnx.commit()
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   463
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   464
    def test_attribute_security_rqlexpr(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   465
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   466
            # Note.para attribute editable by managers or if the note is in "todo" state
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   467
            note = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   468
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   469
            note.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   470
            cnx.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   471
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   472
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   473
            cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   474
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   475
            note2 = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   476
            cnx.commit()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   477
            note2.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   478
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   479
            self.assertEqual(len(cnx.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s',
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   480
                                            {'x': note2.eid})),
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   481
                              0)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   482
            cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   483
            self.assertRaises(Unauthorized, cnx.commit)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   484
            note2.cw_adapt_to('IWorkflowable').fire_transition('redoit')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   485
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   486
            cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   487
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   488
            cnx.execute("INSERT Note X: X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   489
            self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   490
            cnx.execute("INSERT Note X: X para 'zogzog', X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   491
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   492
            note = cnx.execute("INSERT Note X").get_entity(0,0)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   493
            cnx.commit()
9395
96dba2efd16d [hooks/security] provide attribute "add" permission
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 8694
diff changeset
   494
            note.cw_set(something=u'B')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   495
            cnx.commit()
9395
96dba2efd16d [hooks/security] provide attribute "add" permission
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 8694
diff changeset
   496
            note.cw_set(something=None, para=u'zogzog')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   497
            cnx.commit()
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   498
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   499
    def test_attribute_read_security(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   500
        # anon not allowed to see users'login, but they can see users
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   501
        login_rdef = self.repo.schema['CWUser'].rdef('login')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   502
        with self.temporary_permissions((login_rdef, {'read': ('users', 'managers')}),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   503
                                        CWUser={'read': ('guests', 'users', 'managers')}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   504
            with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   505
                rset = cnx.execute('CWUser X')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   506
                self.assertTrue(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   507
                x = rset.get_entity(0, 0)
10463
9add9b7f9df7 [server/test] fix random error in unittest_security
Julien Cristau <julien.cristau@logilab.fr>
parents: 10249
diff changeset
   508
                x.complete()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   509
                self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   510
                self.assertTrue(x.creation_date)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   511
                x = rset.get_entity(1, 0)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   512
                x.complete()
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   513
                self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   514
                self.assertTrue(x.creation_date)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   515
8452
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
   516
    def test_yams_inheritance_and_security_bug(self):
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   517
        with self.temporary_permissions(Division={'read': ('managers',
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   518
                                                           ERQLExpression('X owned_by U'))}):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   519
            with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   520
                querier = cnx.repo.querier
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   521
                rqlst = querier.parse('Any X WHERE X is_instance_of Societe')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   522
                querier.solutions(cnx, rqlst, {})
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   523
                querier._annotate(rqlst)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   524
                plan = querier.plan_factory(rqlst, {}, cnx)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   525
                plan.preprocess(rqlst)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   526
                self.assertEqual(
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   527
                    rqlst.as_string(),
10249
e38b8d37c5d8 [rqlrewrite] sort possible types when turning is_instance_of into is
Julien Cristau <julien.cristau@logilab.fr>
parents: 10248
diff changeset
   528
                    '(Any X WHERE X is IN(Societe, SubDivision)) UNION '
9777
b2e47617a94e [tests/security] break lines > 100 chars
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9586
diff changeset
   529
                    '(Any X WHERE X is Division, EXISTS(X owned_by %(B)s))')
8452
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
   530
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156)
Florent Cayré <florent.cayre@logilab.fr>
parents: 8075
diff changeset
   531
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   532
class BaseSchemaSecurityTC(BaseSecurityTC):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   533
    """tests related to the base schema permission configuration"""
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   534
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   535
    def test_user_can_delete_object_he_created(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   536
        # even if some other user have changed object'state
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   537
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   538
            # due to security test, affaire has to concerne a societe the user owns
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   539
            cnx.execute('INSERT Societe X: X nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   540
            cnx.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   541
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   542
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   543
            affaire = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   544
            affaire.cw_adapt_to('IWorkflowable').fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   545
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   546
            self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')),
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   547
                             1)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   548
            self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   549
                                              'X owned_by U, U login "admin"')),
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   550
                             1) # TrInfo at the above state change
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   551
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   552
            cnx.execute('DELETE Affaire X WHERE X ref "ARCT01"')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   553
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   554
            self.assertFalse(cnx.execute('Affaire X'))
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   555
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   556
    def test_users_and_groups_non_readable_by_guests(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   557
        with self.repo.internal_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   558
            admineid = cnx.execute('CWUser U WHERE U login "admin"').rows[0][0]
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   559
        with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   560
            anon = cnx.user
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   561
            # anonymous user can only read itself
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   562
            rset = cnx.execute('Any L WHERE X owned_by U, U login L')
8624
7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests`
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8546
diff changeset
   563
            self.assertEqual([['anon']], rset.rows)
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   564
            rset = cnx.execute('CWUser X')
8624
7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests`
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8546
diff changeset
   565
            self.assertEqual([[anon.eid]], rset.rows)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   566
            # anonymous user can read groups (necessary to check allowed transitions for instance)
10600
180aa08cad48 [tests] Replace use of deprecated TestCase.assert_
Rémi Cardona <remi.cardona@logilab.fr>
parents: 10463
diff changeset
   567
            self.assertTrue(cnx.execute('CWGroup X'))
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   568
            # should only be able to read the anonymous user, not another one
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   569
            self.assertRaises(Unauthorized,
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   570
                              cnx.execute, 'CWUser X WHERE X eid %(x)s', {'x': admineid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   571
            rset = cnx.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid})
8624
7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests`
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8546
diff changeset
   572
            self.assertEqual([[anon.eid]], rset.rows)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   573
            # but can't modify it
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   574
            cnx.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   575
            self.assertRaises(Unauthorized, cnx.commit)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   576
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   577
    def test_in_group_relation(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   578
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   579
            rql = u"DELETE U in_group G WHERE U login 'admin'"
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   580
            self.assertRaises(Unauthorized, cnx.execute, rql)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   581
            rql = u"SET U in_group G WHERE U login 'admin', G name 'users'"
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   582
            self.assertRaises(Unauthorized, cnx.execute, rql)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   583
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   584
    def test_owned_by(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   585
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   586
            cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   587
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   588
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   589
            rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne"
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   590
            self.assertRaises(Unauthorized, cnx.execute, rql)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   591
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   592
    def test_bookmarked_by_guests_security(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   593
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   594
            beid1 = cnx.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   595
            beid2 = cnx.execute('INSERT Bookmark B: B path "?vid=index", B title "index", '
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   596
                                'B bookmarked_by U WHERE U login "anon"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   597
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   598
        with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   599
            anoneid = cnx.user.eid
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   600
            self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   601
                                         'B bookmarked_by U, U eid %s' % anoneid).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   602
                              [['index', '?vid=index']])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   603
            self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   604
                                         'B bookmarked_by U, U eid %(x)s', {'x': anoneid}).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   605
                              [['index', '?vid=index']])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   606
            # can read others bookmarks as well
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   607
            self.assertEqual(cnx.execute('Any B where B is Bookmark, NOT B bookmarked_by U').rows,
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   608
                              [[beid1]])
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   609
            self.assertRaises(Unauthorized, cnx.execute,'DELETE B bookmarked_by U')
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   610
            self.assertRaises(Unauthorized,
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   611
                              cnx.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s',
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   612
                              {'x': anoneid, 'b': beid1})
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   613
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   614
    def test_ambigous_ordered(self):
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   615
        with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   616
            names = [t for t, in cnx.execute('Any N ORDERBY lower(N) WHERE X name N')]
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   617
            self.assertEqual(names, sorted(names, key=lambda x: x.lower()))
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   618
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   619
    def test_in_state_without_update_perm(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   620
        """check a user change in_state without having update permission on the
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   621
        subject
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   622
        """
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   623
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   624
            eid = cnx.execute('INSERT Affaire X: X ref "ARCT01"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   625
            cnx.commit()
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   626
        with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   627
            # needed to remove rql expr granting update perm to the user
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   628
            affschema = self.schema['Affaire']
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   629
            with self.temporary_permissions(Affaire={'update': affschema.get_groups('update'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   630
                                                     'read': ('users',)}):
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   631
                self.assertRaises(Unauthorized,
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   632
                                  affschema.check_perm, cnx, 'update', eid=eid)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   633
                aff = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   634
                aff.cw_adapt_to('IWorkflowable').fire_transition('abort')
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   635
                cnx.commit()
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   636
                # though changing a user state (even logged user) is reserved to managers
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   637
                user = cnx.user
8461
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   638
                # XXX wether it should raise Unauthorized or ValidationError is not clear
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   639
                # the best would probably ValidationError if the transition doesn't exist
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   640
                # from the current state but Unauthorized if it exists but user can't pass it
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   641
                self.assertRaises(ValidationError,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8452
diff changeset
   642
                                  user.cw_adapt_to('IWorkflowable').fire_transition, 'deactivate')
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 1398
diff changeset
   643
2501
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2500
diff changeset
   644
    def test_trinfo_security(self):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   645
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   646
            aff = cnx.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   647
            iworkflowable = aff.cw_adapt_to('IWorkflowable')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   648
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   649
            iworkflowable.fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   650
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   651
            # can change tr info comment
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   652
            cnx.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"',
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   653
                         {'c': u'bouh!'})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   654
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   655
            aff.cw_clear_relation_cache('wf_info_for', 'object')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   656
            trinfo = iworkflowable.latest_trinfo()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   657
            self.assertEqual(trinfo.comment, 'bouh!')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   658
            # but not from_state/to_state
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   659
            aff.cw_clear_relation_cache('wf_info_for', role='object')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   660
            self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   661
                              'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"',
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   662
                              {'ti': trinfo.eid})
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   663
            self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   664
                              'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"',
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   665
                              {'ti': trinfo.eid})
2501
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2500
diff changeset
   666
8161
6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8075
diff changeset
   667
    def test_emailaddress_security(self):
8649
8fbb2f65721e [test] precheck initial condition
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents: 8546
diff changeset
   668
        # check for prexisting email adresse
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   669
        with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   670
            if cnx.execute('Any X WHERE X is EmailAddress'):
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   671
                rset = cnx.execute('Any X, U WHERE X is EmailAddress, U use_email X')
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   672
                msg = ['Preexisting email readable by anon found!']
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   673
                tmpl = '  - "%s" used by user "%s"'
10609
e2d8e81bfe68 [py3k] import range using six.moves
Rémi Cardona <remi.cardona@logilab.fr>
parents: 10600
diff changeset
   674
                for i in range(len(rset)):
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   675
                    email, user = rset.get_entity(i, 0), rset.get_entity(i, 1)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   676
                    msg.append(tmpl % (email.dc_title(), user.dc_title()))
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   677
                raise RuntimeError('\n'.join(msg))
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   678
            # actual test
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   679
            cnx.execute('INSERT EmailAddress X: X address "hop"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   680
            cnx.execute('INSERT EmailAddress X: X address "anon", '
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   681
                         'U use_email X WHERE U login "anon"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   682
            cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   683
            self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 2)
10248
131275d6c268 [server/test] use unicode strings for user logins
Julien Cristau <julien.cristau@logilab.fr>
parents: 10161
diff changeset
   684
        with self.new_access(u'anon').repo_cnx() as cnx:
9782
95e8fa2c8da8 [tests/security] use the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9777
diff changeset
   685
            self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 1)
8161
6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8075
diff changeset
   686
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   687
if __name__ == '__main__':
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   688
    unittest_main()