cubicweb: server/test/unittest_security.py@b261d90149d0 (annotated)

9981 7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	1	# copyright 2003-2014 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	2	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	3	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	4	# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	5	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	6	# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	7	# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	8	# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	9	# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	10	#
5424 8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5421 diff changeset	11	# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	12	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	13	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	14	# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	15	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	16	# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	17	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
5886 00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	18	"""functional tests for server'security"""
00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	19
10609 e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	20	from six.moves import range
e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	21
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	22	from logilab.common.testlib import unittest_main
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	23
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	24	from cubicweb.devtools.testlib import CubicWebTC
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	25	from cubicweb import Unauthorized, ValidationError, QueryError, Binary
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	26	from cubicweb.schema import ERQLExpression
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	27	from cubicweb.server.querier import get_local_checks, check_relations_read_access
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	28	from cubicweb.server.utils import _CRYPTO_CTX
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	29
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	30
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	31	class BaseSecurityTC(CubicWebTC):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	32
7072 bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	33	def setup_database(self):
bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	34	super(BaseSecurityTC, self).setup_database()
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	35	with self.admin_access.client_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	36	self.create_user(cnx, u'iaminusersgrouponly')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	37	hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt')
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	38	self.create_user(cnx, u'oldpassword', password=Binary(hash))
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	39
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	40	class LowLevelSecurityFunctionTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	41
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	42	def test_check_relation_read_access(self):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	43	rql = u'Personne U WHERE U nom "managers"'
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	44	rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	45	nom = self.repo.schema['Personne'].rdef('nom')
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	46	with self.temporary_permissions((nom, {'read': ('users', 'managers')})):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	47	with self.admin_access.repo_cnx() as cnx:
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	48	self.repo.vreg.solutions(cnx, rqlst, None)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	49	check_relations_read_access(cnx, rqlst, {})
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	50	with self.new_access(u'anon').repo_cnx() as cnx:
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	51	self.assertRaises(Unauthorized,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	52	check_relations_read_access,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	53	cnx, rqlst, {})
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	54	self.assertRaises(Unauthorized, cnx.execute, rql)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	55
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	56	def test_get_local_checks(self):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	57	rql = u'Personne U WHERE U nom "managers"'
3252 c0e10da6f1cf tests update Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 diff changeset	58	rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	59	with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	60	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	61	self.repo.vreg.solutions(cnx, rqlst, None)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	62	solution = rqlst.solutions[0]
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	63	localchecks = get_local_checks(cnx, rqlst, solution)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	64	self.assertEqual({}, localchecks)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	65	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	66	self.assertRaises(Unauthorized,
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	67	get_local_checks,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	68	cnx, rqlst, solution)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	69	self.assertRaises(Unauthorized, cnx.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	70
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	71	def test_upassword_not_selectable(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	72	with self.admin_access.repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	73	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	74	cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	75	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	76	self.assertRaises(Unauthorized,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	77	cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	78
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	79	def test_update_password(self):
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	80	"""Ensure that if a user's password is stored with a deprecated hash,
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	81	it will be updated on next login
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	82	"""
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	83	with self.repo.internal_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	84	oldhash = str(cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	85	"WHERE cw_login = 'oldpassword'").fetchone()[0])
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	86	self.repo.close(self.repo.connect('oldpassword', password='oldpassword'))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	87	newhash = str(cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	88	"WHERE cw_login = 'oldpassword'").fetchone()[0])
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	89	self.assertNotEqual(oldhash, newhash)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	90	self.assertTrue(newhash.startswith('$6$'))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	91	self.repo.close(self.repo.connect('oldpassword', password='oldpassword'))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	92	self.assertEqual(newhash,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	93	str(cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE "
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	94	"cw_login = 'oldpassword'").fetchone()[0]))
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	95
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	96
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	97	class SecurityRewritingTC(BaseSecurityTC):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	98	def hijack_source_execute(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	99	def syntax_tree_search(args, *kwargs):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	100	self.query = (args, kwargs)
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	101	return []
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	102	self.repo.system_source.syntax_tree_search = syntax_tree_search
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	103
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	104	def tearDown(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	105	self.repo.system_source.__dict__.pop('syntax_tree_search', None)
7072 bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	106	super(SecurityRewritingTC, self).tearDown()
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	107
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	108	def test_not_relation_read_security(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	109	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	110	self.hijack_source_execute()
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	111	cnx.execute('Any U WHERE NOT A todo_by U, A is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	112	self.assertEqual(self.query[0][1].as_string(),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	113	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	114	cnx.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	115	self.assertEqual(self.query[0][1].as_string(),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	116	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	117
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	118	class SecurityTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	119
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	120	def setUp(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	121	super(SecurityTC, self).setUp()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	122	# implicitly test manager can add some entities
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	123	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	124	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	125	cnx.execute("INSERT Societe X: X nom 'logilab'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	126	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	127	cnx.execute('INSERT CWGroup X: X name "staff"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	128	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	129
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	130	def test_insert_security(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	131	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	132	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	133	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	134	self.assertEqual(cnx.execute('Personne X').rowcount, 1)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	135
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	136	def test_insert_security_2(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	137	with self.new_access(u'anon').repo_cnx() as cnx:
10158 efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	138	cnx.execute("INSERT Affaire X")
efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	139	self.assertRaises(Unauthorized, cnx.commit)
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	140	# anon has no read permission on Affaire entities, so
85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	141	# rowcount == 0
10158 efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	142	self.assertEqual(cnx.execute('Affaire X').rowcount, 0)
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	143
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	144	def test_insert_rql_permission(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	145	# test user can only add une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	146	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	147	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	148	self.assertRaises(Unauthorized, cnx.commit)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	149	# test nothing has actually been inserted
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	150	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	151	self.assertEqual(cnx.execute('Affaire X').rowcount, 1)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	152	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	153	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	154	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	155	cnx.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	156	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	157
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	158	def test_update_security_1(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	159	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	160	# local security check
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	161	cnx.execute( "SET X nom 'bidulechouette' WHERE X is Personne")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	162	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	163	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	164	self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	165
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	166	def test_update_security_2(self):
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	167	with self.temporary_permissions(Personne={'read': ('users', 'managers'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	168	'add': ('guests', 'users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	169	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	170	self.assertRaises(Unauthorized, cnx.execute,
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	171	"SET X nom 'bidulechouette' WHERE X is Personne")
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	172	# test nothing has actually been inserted
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	173	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	174	self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	175
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	176	def test_update_security_3(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	177	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	178	cnx.execute("INSERT Personne X: X nom 'biduuule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	179	cnx.execute("INSERT Societe X: X nom 'looogilab'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	180	cnx.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	181
10114 6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	182	def test_insert_immutable_attribute_update(self):
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	183	with self.admin_access.repo_cnx() as cnx:
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	184	cnx.create_entity('Old', name=u'Babar')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	185	cnx.commit()
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	186	# this should be equivalent
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	187	o = cnx.create_entity('Old')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	188	o.cw_set(name=u'Celeste')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	189	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	190
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	191	def test_update_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	192	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	193	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	194	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	195	# test user can only update une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	196	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	197	cnx.execute("SET X sujet 'pascool' WHERE X is Affaire")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	198	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	199	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	200	# to actually get Unauthorized exception, try to update an entity we can read
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	201	cnx.execute("SET X nom 'toto' WHERE X is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	202	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	203	cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	204	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	205	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	206	cnx.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	207	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	208
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	209	def test_delete_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	210	# FIXME: sample below fails because we don't detect "owner" can't delete
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	211	# user anyway, and since no user with login == 'bidule' exists, no
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	212	# exception is raised
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	213	#user._groups = {'guests':1}
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	214	#self.assertRaises(Unauthorized,
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	215	# self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'")
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	216	# check local security
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	217	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	218	self.assertRaises(Unauthorized, cnx.execute, "DELETE CWGroup Y WHERE Y name 'staff'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	219
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	220	def test_delete_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	221	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	222	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	223	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	224	# test user can only dele une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	225	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	226	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	227	cnx.execute("DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	228	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	229	# to actually get Unauthorized exception, try to delete an entity we can read
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	230	self.assertRaises(Unauthorized, cnx.execute, "DELETE Societe S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	231	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	232	cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	233	cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	234	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	235	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	236	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	237	## # this one should fail since it will try to delete two affaires, one authorized
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	238	## # and the other not
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	239	## self.assertRaises(Unauthorized, cnx.execute, "DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	240	cnx.execute("DELETE Affaire X WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	241	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	242
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	243	def test_insert_relation_rql_permission(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	244	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	245	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	246	# should raise Unauthorized since user don't own S though this won't
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	247	# actually do anything since the selection query won't return
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	248	# anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	249	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	250	# to actually get Unauthorized exception, try to insert a relation
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	251	# were we can read both entities
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	252	rset = cnx.execute('Personne P')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	253	self.assertEqual(len(rset), 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	254	ent = rset.get_entity(0, 0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	255	self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	256	self.assertRaises(Unauthorized, ent.cw_check_perm, 'update')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	257	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	258	cnx.execute, "SET P travaille S WHERE P is Personne, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	259	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	260	cnx.rollback()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	261	# test nothing has actually been inserted:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	262	self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	263	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	264	cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	265	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	266
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	267	def test_delete_relation_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	268	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	269	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	270	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	271	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	272	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	273	cnx.execute("DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	274	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	275	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	276	# to actually get Unauthorized exception, try to delete a relation we can read
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	277	eid = cnx.execute("INSERT Affaire X: X sujet 'pascool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	278	cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	279	{'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	280	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	281	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	282	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	283	self.assertRaises(Unauthorized, cnx.execute, "DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	284	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	285	cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	286	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	287	cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	288	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	289	cnx.execute("DELETE A concerne S WHERE S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	290	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	291
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	292
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	293	def test_user_can_change_its_upassword(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	294	with self.admin_access.repo_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	295	ueid = self.create_user(cnx, u'user').eid
131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	296	with self.new_access(u'user').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	297	cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	298	{'x': ueid, 'passwd': 'newpwd'})
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	299	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	300	self.repo.close(self.repo.connect('user', password='newpwd'))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	301
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	302	def test_user_cant_change_other_upassword(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	303	with self.admin_access.repo_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	304	ueid = self.create_user(cnx, u'otheruser').eid
131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	305	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	306	cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	307	{'x': ueid, 'passwd': 'newpwd'})
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	308	self.assertRaises(Unauthorized, cnx.commit)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	309
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	310	# read security test
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	311
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	312	def test_read_base(self):
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	313	with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	314	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	315	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	316	cnx.execute, 'Personne U where U nom "managers"')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	317
321 247947250382 fix security bug w/ query using 'NOT X eid 123' Sylvain Thenault <sylvain.thenault@logilab.fr> parents: 0 diff changeset	318	def test_read_erqlexpr_base(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	319	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	320	eid = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	321	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	322	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	323	rset = cnx.execute('Affaire X')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	324	self.assertEqual(rset.rows, [])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	325	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	326	# cache test
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	327	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	328	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	329	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	330	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	331	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	332	rset = cnx.execute('Any X WHERE X eid %(x)s', {'x': aff2})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	333	self.assertEqual(rset.rows, [[aff2]])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	334	# more cache test w/ NOT eid
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	335	rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	336	self.assertEqual(rset.rows, [[aff2]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	337	rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	338	self.assertEqual(rset.rows, [])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	339	# test can't update an attribute of an entity that can't be readen
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	340	self.assertRaises(Unauthorized, cnx.execute,
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	341	'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid})
4765 c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	342
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	343
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	344	def test_entity_created_in_transaction(self):
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	345	affschema = self.schema['Affaire']
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	346	with self.temporary_permissions(Affaire={'read': affschema.permissions['add']}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	347	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	348	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	349	# entity created in transaction are readable by eid
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	350	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	351	# XXX would be nice if it worked
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	352	rset = cnx.execute("Affaire X WHERE X sujet 'cool'")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	353	self.assertEqual(len(rset), 0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	354	self.assertRaises(Unauthorized, cnx.commit)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	355
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	356	def test_read_erqlexpr_has_text1(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	357	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	358	aff1 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	359	card1 = cnx.execute("INSERT Card X: X title 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	360	cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	361	{'x': card1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	362	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	363	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	364	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	365	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	366	cnx.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	367	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	368	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x':aff1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	369	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	370	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':card1}))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	371	rset = cnx.execute("Any X WHERE X has_text 'cool'")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	372	self.assertEqual(sorted(eid for eid, in rset.rows),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	373	[card1, aff2])
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	374
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	375	def test_read_erqlexpr_has_text2(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	376	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	377	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	378	cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	379	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	380	with self.temporary_permissions(Personne={'read': ('managers',)}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	381	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	382	rset = cnx.execute('Any N WHERE N has_text "bidule"')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	383	self.assertEqual(len(rset.rows), 1, rset.rows)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	384	rset = cnx.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	385	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	386
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	387	def test_read_erqlexpr_optional_rel(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	388	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	389	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	390	cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	391	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	392	with self.temporary_permissions(Personne={'read': ('managers',)}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	393	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	394	rset = cnx.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	395	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	396
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	397	def test_read_erqlexpr_aggregat(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	398	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	399	cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	400	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	401	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	402	rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	403	self.assertEqual(rset.rows, [[0]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	404	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	405	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	406	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	407	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	408	rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	409	self.assertEqual(rset.rows, [[1]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	410	rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	411	values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	412	self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	413	self.assertEqual(values['Societe'], 2)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	414	rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN '
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	415	'WITH X BEING ((Affaire X) UNION (Societe X))')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	416	self.assertEqual(len(rset), 2)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	417	values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	418	self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	419	self.assertEqual(values['Societe'], 2)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	420
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	421
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	422	def test_attribute_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	423	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	424	# only managers should be able to edit the 'test' attribute of Personne entities
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	425	eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	426	"X web 'http://www.debian.org', X test TRUE")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	427	cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	428	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	429	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	430	cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	431	"X web 'http://www.debian.org', X test TRUE")
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	432	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	433	cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	434	"X web 'http://www.debian.org', X test FALSE")
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	435	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	436	eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	437	"X web 'http://www.debian.org'")[0][0]
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	438	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	439	cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	440	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	441	cnx.execute('SET X test TRUE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	442	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	443	cnx.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	444	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	445	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	446	cnx.execute('INSERT Frozable F: F name "Foo"')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	447	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	448	cnx.execute('SET F name "Bar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	449	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	450	cnx.execute('SET F name "BaBar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	451	cnx.execute('SET F frozen True WHERE F is Frozable')
9981 7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	452	with self.assertRaises(Unauthorized):
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	453	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	454	cnx.rollback()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	455	cnx.execute('SET F frozen True WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	456	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	457	cnx.execute('SET F name "Bar" WHERE F is Frozable')
9981 7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	458	with self.assertRaises(Unauthorized):
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	459	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	460
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	461	def test_attribute_security_rqlexpr(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	462	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	463	# Note.para attribute editable by managers or if the note is in "todo" state
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	464	note = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	465	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	466	note.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	467	cnx.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	468	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	469	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	470	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	471	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	472	note2 = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	473	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	474	note2.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	475	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	476	self.assertEqual(len(cnx.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s',
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	477	{'x': note2.eid})),
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	478	0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	479	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	480	self.assertRaises(Unauthorized, cnx.commit)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	481	note2.cw_adapt_to('IWorkflowable').fire_transition('redoit')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	482	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	483	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	484	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	485	cnx.execute("INSERT Note X: X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	486	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	487	cnx.execute("INSERT Note X: X para 'zogzog', X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	488	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	489	note = cnx.execute("INSERT Note X").get_entity(0,0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	490	cnx.commit()
9395 96dba2efd16d [hooks/security] provide attribute "add" permission Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8694 diff changeset	491	note.cw_set(something=u'B')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	492	cnx.commit()
9395 96dba2efd16d [hooks/security] provide attribute "add" permission Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8694 diff changeset	493	note.cw_set(something=None, para=u'zogzog')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	494	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	495
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	496	def test_attribute_read_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	497	# anon not allowed to see users'login, but they can see users
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	498	login_rdef = self.repo.schema['CWUser'].rdef('login')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	499	with self.temporary_permissions((login_rdef, {'read': ('users', 'managers')}),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	500	CWUser={'read': ('guests', 'users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	501	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	502	rset = cnx.execute('CWUser X')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	503	self.assertTrue(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	504	x = rset.get_entity(0, 0)
10463 9add9b7f9df7 [server/test] fix random error in unittest_security Julien Cristau <julien.cristau@logilab.fr> parents: 10249 diff changeset	505	x.complete()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	506	self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	507	self.assertTrue(x.creation_date)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	508	x = rset.get_entity(1, 0)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	509	x.complete()
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	510	self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	511	self.assertTrue(x.creation_date)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	512
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	513	def test_yams_inheritance_and_security_bug(self):
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	514	with self.temporary_permissions(Division={'read': ('managers',
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	515	ERQLExpression('X owned_by U'))}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	516	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	517	querier = cnx.repo.querier
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	518	rqlst = querier.parse('Any X WHERE X is_instance_of Societe')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	519	querier.solutions(cnx, rqlst, {})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	520	querier._annotate(rqlst)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	521	plan = querier.plan_factory(rqlst, {}, cnx)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	522	plan.preprocess(rqlst)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	523	self.assertEqual(
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	524	rqlst.as_string(),
10249 e38b8d37c5d8 [rqlrewrite] sort possible types when turning is_instance_of into is Julien Cristau <julien.cristau@logilab.fr> parents: 10248 diff changeset	525	'(Any X WHERE X is IN(Societe, SubDivision)) UNION '
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	526	'(Any X WHERE X is Division, EXISTS(X owned_by %(B)s))')
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	527
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	528
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	529	class BaseSchemaSecurityTC(BaseSecurityTC):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	530	"""tests related to the base schema permission configuration"""
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	531
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	532	def test_user_can_delete_object_he_created(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	533	# even if some other user have changed object'state
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	534	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	535	# due to security test, affaire has to concerne a societe the user owns
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	536	cnx.execute('INSERT Societe X: X nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	537	cnx.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	538	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	539	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	540	affaire = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	541	affaire.cw_adapt_to('IWorkflowable').fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	542	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	543	self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')),
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	544	1)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	545	self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	546	'X owned_by U, U login "admin"')),
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	547	1) # TrInfo at the above state change
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	548	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	549	cnx.execute('DELETE Affaire X WHERE X ref "ARCT01"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	550	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	551	self.assertFalse(cnx.execute('Affaire X'))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	552
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	553	def test_users_and_groups_non_readable_by_guests(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	554	with self.repo.internal_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	555	admineid = cnx.execute('CWUser U WHERE U login "admin"').rows[0][0]
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	556	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	557	anon = cnx.user
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	558	# anonymous user can only read itself
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	559	rset = cnx.execute('Any L WHERE X owned_by U, U login L')
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	560	self.assertEqual([['anon']], rset.rows)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	561	rset = cnx.execute('CWUser X')
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	562	self.assertEqual([[anon.eid]], rset.rows)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	563	# anonymous user can read groups (necessary to check allowed transitions for instance)
10600 180aa08cad48 [tests] Replace use of deprecated TestCase.assert_ Rémi Cardona <remi.cardona@logilab.fr> parents: 10463 diff changeset	564	self.assertTrue(cnx.execute('CWGroup X'))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	565	# should only be able to read the anonymous user, not another one
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	566	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	567	cnx.execute, 'CWUser X WHERE X eid %(x)s', {'x': admineid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	568	rset = cnx.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid})
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	569	self.assertEqual([[anon.eid]], rset.rows)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	570	# but can't modify it
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	571	cnx.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	572	self.assertRaises(Unauthorized, cnx.commit)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	573
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	574	def test_in_group_relation(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	575	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	576	rql = u"DELETE U in_group G WHERE U login 'admin'"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	577	self.assertRaises(Unauthorized, cnx.execute, rql)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	578	rql = u"SET U in_group G WHERE U login 'admin', G name 'users'"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	579	self.assertRaises(Unauthorized, cnx.execute, rql)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	580
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	581	def test_owned_by(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	582	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	583	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	584	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	585	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	586	rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	587	self.assertRaises(Unauthorized, cnx.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	588
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	589	def test_bookmarked_by_guests_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	590	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	591	beid1 = cnx.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	592	beid2 = cnx.execute('INSERT Bookmark B: B path "?vid=index", B title "index", '
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	593	'B bookmarked_by U WHERE U login "anon"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	594	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	595	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	596	anoneid = cnx.user.eid
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	597	self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	598	'B bookmarked_by U, U eid %s' % anoneid).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	599	[['index', '?vid=index']])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	600	self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	601	'B bookmarked_by U, U eid %(x)s', {'x': anoneid}).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	602	[['index', '?vid=index']])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	603	# can read others bookmarks as well
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	604	self.assertEqual(cnx.execute('Any B where B is Bookmark, NOT B bookmarked_by U').rows,
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	605	[[beid1]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	606	self.assertRaises(Unauthorized, cnx.execute,'DELETE B bookmarked_by U')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	607	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	608	cnx.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s',
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	609	{'x': anoneid, 'b': beid1})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	610
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	611	def test_ambigous_ordered(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	612	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	613	names = [t for t, in cnx.execute('Any N ORDERBY lower(N) WHERE X name N')]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	614	self.assertEqual(names, sorted(names, key=lambda x: x.lower()))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	615
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	616	def test_in_state_without_update_perm(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	617	"""check a user change in_state without having update permission on the
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	618	subject
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	619	"""
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	620	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	621	eid = cnx.execute('INSERT Affaire X: X ref "ARCT01"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	622	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	623	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	624	# needed to remove rql expr granting update perm to the user
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	625	affschema = self.schema['Affaire']
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	626	with self.temporary_permissions(Affaire={'update': affschema.get_groups('update'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	627	'read': ('users',)}):
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	628	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	629	affschema.check_perm, cnx, 'update', eid=eid)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	630	aff = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	631	aff.cw_adapt_to('IWorkflowable').fire_transition('abort')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	632	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	633	# though changing a user state (even logged user) is reserved to managers
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	634	user = cnx.user
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	635	# XXX wether it should raise Unauthorized or ValidationError is not clear
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	636	# the best would probably ValidationError if the transition doesn't exist
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	637	# from the current state but Unauthorized if it exists but user can't pass it
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	638	self.assertRaises(ValidationError,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	639	user.cw_adapt_to('IWorkflowable').fire_transition, 'deactivate')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	640
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	641	def test_trinfo_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	642	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	643	aff = cnx.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	644	iworkflowable = aff.cw_adapt_to('IWorkflowable')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	645	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	646	iworkflowable.fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	647	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	648	# can change tr info comment
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	649	cnx.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	650	{'c': u'bouh!'})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	651	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	652	aff.cw_clear_relation_cache('wf_info_for', 'object')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	653	trinfo = iworkflowable.latest_trinfo()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	654	self.assertEqual(trinfo.comment, 'bouh!')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	655	# but not from_state/to_state
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	656	aff.cw_clear_relation_cache('wf_info_for', role='object')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	657	self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	658	'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	659	{'ti': trinfo.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	660	self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	661	'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	662	{'ti': trinfo.eid})
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	663
8161 6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8075 diff changeset	664	def test_emailaddress_security(self):
8649 8fbb2f65721e [test] precheck initial condition Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	665	# check for prexisting email adresse
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	666	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	667	if cnx.execute('Any X WHERE X is EmailAddress'):
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	668	rset = cnx.execute('Any X, U WHERE X is EmailAddress, U use_email X')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	669	msg = ['Preexisting email readable by anon found!']
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	670	tmpl = ' - "%s" used by user "%s"'
10609 e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	671	for i in range(len(rset)):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	672	email, user = rset.get_entity(i, 0), rset.get_entity(i, 1)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	673	msg.append(tmpl % (email.dc_title(), user.dc_title()))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	674	raise RuntimeError('\n'.join(msg))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	675	# actual test
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	676	cnx.execute('INSERT EmailAddress X: X address "hop"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	677	cnx.execute('INSERT EmailAddress X: X address "anon", '
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	678	'U use_email X WHERE U login "anon"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	679	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	680	self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 2)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	681	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	682	self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 1)
8161 6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8075 diff changeset	683
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	684	if __name__ == '__main__':
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	685	unittest_main()

author	Rémi Cardona <remi.cardona@logilab.fr>
	Fri, 18 Sep 2015 11:54:12 +0200
changeset 10706	b261d90149d0
parent 10609	e2d8e81bfe68
child 10769	c45f4bcff3aa
permissions	-rw-r--r--