cubicweb: server/test/unittest_security.py@ddc1b4d80dbd (annotated)

5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	1	# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	2	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	3	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	4	# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	5	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	6	# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	7	# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	8	# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	9	# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	10	#
5424 8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5421 diff changeset	11	# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	12	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	13	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	14	# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	15	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	16	# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	17	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
5886 00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	18	"""functional tests for server'security"""
00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	19
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	20	import sys
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	21
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	22	from logilab.common.testlib import unittest_main, TestCase
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	23	from cubicweb.devtools.testlib import CubicWebTC
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	24
6410 2e7a7b0829ed [test] fix tests broken by transaction behaviour on Unauthorized/ValidationError (no rollback but connection marked as non-commitable) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6340 diff changeset	25	from cubicweb import Unauthorized, ValidationError, QueryError
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	26	from cubicweb.server.querier import check_read_access
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	27
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	28	class BaseSecurityTC(CubicWebTC):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	29
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	30	def setUp(self):
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	31	CubicWebTC.setUp(self)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	32	self.create_user('iaminusersgrouponly')
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	33	self.readoriggroups = self.schema['Personne'].permissions['read']
7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	34	self.addoriggroups = self.schema['Personne'].permissions['add']
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	35
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	36	def tearDown(self):
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	37	CubicWebTC.tearDown(self)
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	38	self.schema['Personne'].set_action_permissions('read', self.readoriggroups)
7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	39	self.schema['Personne'].set_action_permissions('add', self.addoriggroups)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	40
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	41
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	42	class LowLevelSecurityFunctionTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	43
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	44	def test_check_read_access(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	45	rql = u'Personne U where U nom "managers"'
3252 c0e10da6f1cf tests update Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 diff changeset	46	rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	47	origgroups = self.schema['Personne'].get_groups('read')
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	48	self.schema['Personne'].set_action_permissions('read', ('users', 'managers'))
4711 7ef3b029e10b [test] we should properly use vreg method to compute solutions Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4691 diff changeset	49	self.repo.vreg.solutions(self.session, rqlst, None)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	50	solution = rqlst.solutions[0]
5419 0b7805928a27 [repo security] deal with rewriten constant nodes in check_read_access, necessary when repo is used as an external source Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	51	check_read_access(self.session, rqlst, solution, {})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	52	cnx = self.login('anon')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	53	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	54	self.assertRaises(Unauthorized,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	55	check_read_access,
5419 0b7805928a27 [repo security] deal with rewriten constant nodes in check_read_access, necessary when repo is used as an external source Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	56	self.session, rqlst, solution, {})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	57	self.assertRaises(Unauthorized, cu.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	58
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	59	def test_upassword_not_selectable(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	60	self.assertRaises(Unauthorized,
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	61	self.execute, 'Any X,P WHERE X is CWUser, X upassword P')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	62	self.rollback()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	63	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	64	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	65	self.assertRaises(Unauthorized,
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	66	cu.execute, 'Any X,P WHERE X is CWUser, X upassword P')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	67
d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	68
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	69	class SecurityRewritingTC(BaseSecurityTC):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	70	def hijack_source_execute(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	71	def syntax_tree_search(args, *kwargs):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	72	self.query = (args, kwargs)
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	73	return []
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	74	self.repo.system_source.syntax_tree_search = syntax_tree_search
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	75
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	76	def tearDown(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	77	self.repo.system_source.__dict__.pop('syntax_tree_search', None)
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	78	BaseSecurityTC.tearDown(self)
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	79
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	80	def test_not_relation_read_security(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	81	cnx = self.login('iaminusersgrouponly')
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	82	self.hijack_source_execute()
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	83	self.execute('Any U WHERE NOT A todo_by U, A is Affaire')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	84	self.assertEqual(self.query[0][1].as_string(),
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	85	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	86	self.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	87	self.assertEqual(self.query[0][1].as_string(),
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	88	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	89
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	90	class SecurityTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	91
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	92	def setUp(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	93	BaseSecurityTC.setUp(self)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	94	# implicitly test manager can add some entities
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	95	self.execute("INSERT Affaire X: X sujet 'cool'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	96	self.execute("INSERT Societe X: X nom 'logilab'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	97	self.execute("INSERT Personne X: X nom 'bidule'")
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	98	self.execute('INSERT CWGroup X: X name "staff"')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	99	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	100
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	101	def test_insert_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	102	cnx = self.login('anon')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	103	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	104	cu.execute("INSERT Personne X: X nom 'bidule'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	105	self.assertRaises(Unauthorized, cnx.commit)
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	106	self.assertEqual(cu.execute('Personne X').rowcount, 1)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	107
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	108	def test_insert_rql_permission(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	109	# test user can only add une affaire related to a societe he owns
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	110	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	111	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	112	cu.execute("INSERT Affaire X: X sujet 'cool'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	113	self.assertRaises(Unauthorized, cnx.commit)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	114	# test nothing has actually been inserted
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	115	self.restore_connection()
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	116	self.assertEqual(self.execute('Affaire X').rowcount, 1)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	117	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	118	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	119	cu.execute("INSERT Affaire X: X sujet 'cool'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	120	cu.execute("INSERT Societe X: X nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	121	cu.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	122	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	123
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	124	def test_update_security_1(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	125	cnx = self.login('anon')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	126	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	127	# local security check
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	128	cu.execute( "SET X nom 'bidulechouette' WHERE X is Personne")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	129	self.assertRaises(Unauthorized, cnx.commit)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	130	self.restore_connection()
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	131	self.assertEqual(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	132
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	133	def test_update_security_2(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	134	cnx = self.login('anon')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	135	cu = cnx.cursor()
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	136	self.repo.schema['Personne'].set_action_permissions('read', ('users', 'managers'))
7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	137	self.repo.schema['Personne'].set_action_permissions('add', ('guests', 'users', 'managers'))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	138	self.assertRaises(Unauthorized, cu.execute, "SET X nom 'bidulechouette' WHERE X is Personne")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	139	#self.assertRaises(Unauthorized, cnx.commit)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	140	# test nothing has actually been inserted
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	141	self.restore_connection()
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	142	self.assertEqual(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	143
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	144	def test_update_security_3(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	145	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	146	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	147	cu.execute("INSERT Personne X: X nom 'biduuule'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	148	cu.execute("INSERT Societe X: X nom 'looogilab'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	149	cu.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	150
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	151	def test_update_rql_permission(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	152	self.execute("SET A concerne S WHERE A is Affaire, S is Societe")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	153	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	154	# test user can only update une affaire related to a societe he owns
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	155	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	156	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	157	cu.execute("SET X sujet 'pascool' WHERE X is Affaire")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	158	# this won't actually do anything since the selection query won't return anything
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	159	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	160	# to actually get Unauthorized exception, try to update an entity we can read
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	161	cu.execute("SET X nom 'toto' WHERE X is Societe")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	162	self.assertRaises(Unauthorized, cnx.commit)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	163	cu.execute("INSERT Affaire X: X sujet 'pascool'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	164	cu.execute("INSERT Societe X: X nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	165	cu.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	166	cu.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	167	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	168
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	169	def test_delete_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	170	# FIXME: sample below fails because we don't detect "owner" can't delete
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	171	# user anyway, and since no user with login == 'bidule' exists, no
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	172	# exception is raised
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	173	#user._groups = {'guests':1}
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	174	#self.assertRaises(Unauthorized,
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	175	# self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'")
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	176	# check local security
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	177	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	178	cu = cnx.cursor()
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	179	self.assertRaises(Unauthorized, cu.execute, "DELETE CWGroup Y WHERE Y name 'staff'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	180
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	181	def test_delete_rql_permission(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	182	self.execute("SET A concerne S WHERE A is Affaire, S is Societe")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	183	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	184	# test user can only dele une affaire related to a societe he owns
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	185	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	186	cu = cnx.cursor()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	187	# this won't actually do anything since the selection query won't return anything
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	188	cu.execute("DELETE Affaire X")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	189	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	190	# to actually get Unauthorized exception, try to delete an entity we can read
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	191	self.assertRaises(Unauthorized, cu.execute, "DELETE Societe S")
6410 2e7a7b0829ed [test] fix tests broken by transaction behaviour on Unauthorized/ValidationError (no rollback but connection marked as non-commitable) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6340 diff changeset	192	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
2e7a7b0829ed [test] fix tests broken by transaction behaviour on Unauthorized/ValidationError (no rollback but connection marked as non-commitable) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6340 diff changeset	193	cnx.rollback() # required after Unauthorized
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	194	cu.execute("INSERT Affaire X: X sujet 'pascool'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	195	cu.execute("INSERT Societe X: X nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	196	cu.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	197	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	198	## # this one should fail since it will try to delete two affaires, one authorized
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	199	## # and the other not
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	200	## self.assertRaises(Unauthorized, cu.execute, "DELETE Affaire X")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	201	cu.execute("DELETE Affaire X WHERE X sujet 'pascool'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	202	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	203
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	204
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	205	def test_insert_relation_rql_permission(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	206	cnx = self.login('iaminusersgrouponly')
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	207	session = self.session
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	208	cu = cnx.cursor(session)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	209	cu.execute("SET A concerne S WHERE A is Affaire, S is Societe")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	210	# should raise Unauthorized since user don't own S
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	211	# though this won't actually do anything since the selection query won't return anything
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	212	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	213	# to actually get Unauthorized exception, try to insert a relation were we can read both entities
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	214	rset = cu.execute('Personne P')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	215	self.assertEqual(len(rset), 1)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	216	ent = rset.get_entity(0, 0)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	217	session.set_pool() # necessary
5557 1a534c596bff [entity] continue cleanup of Entity/AnyEntity namespace Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5556 diff changeset	218	self.assertRaises(Unauthorized, ent.cw_check_perm, 'update')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	219	self.assertRaises(Unauthorized,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	220	cu.execute, "SET P travaille S WHERE P is Personne, S is Societe")
6410 2e7a7b0829ed [test] fix tests broken by transaction behaviour on Unauthorized/ValidationError (no rollback but connection marked as non-commitable) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6340 diff changeset	221	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
2e7a7b0829ed [test] fix tests broken by transaction behaviour on Unauthorized/ValidationError (no rollback but connection marked as non-commitable) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6340 diff changeset	222	cnx.rollback()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	223	# test nothing has actually been inserted:
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	224	self.assertEqual(cu.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe').rowcount, 0)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	225	cu.execute("INSERT Societe X: X nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	226	cu.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	227	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	228
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	229	def test_delete_relation_rql_permission(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	230	self.execute("SET A concerne S WHERE A is Affaire, S is Societe")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	231	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	232	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	233	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	234	# this won't actually do anything since the selection query won't return anything
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	235	cu.execute("DELETE A concerne S")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	236	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	237	# to actually get Unauthorized exception, try to delete a relation we can read
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	238	self.restore_connection()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	239	eid = self.execute("INSERT Affaire X: X sujet 'pascool'")[0][0]
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	240	self.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"', {'x': eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	241	self.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	242	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	243	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	244	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	245	self.assertRaises(Unauthorized, cu.execute, "DELETE A concerne S")
6410 2e7a7b0829ed [test] fix tests broken by transaction behaviour on Unauthorized/ValidationError (no rollback but connection marked as non-commitable) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6340 diff changeset	246	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
2e7a7b0829ed [test] fix tests broken by transaction behaviour on Unauthorized/ValidationError (no rollback but connection marked as non-commitable) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6340 diff changeset	247	cnx.rollback() # required after Unauthorized
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	248	cu.execute("INSERT Societe X: X nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	249	cu.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	250	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	251	cu.execute("DELETE A concerne S WHERE S nom 'chouette'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	252
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	253
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	254	def test_user_can_change_its_upassword(self):
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	255	ueid = self.create_user('user').eid
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	256	cnx = self.login('user')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	257	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	258	cu.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	259	{'x': ueid, 'passwd': 'newpwd'})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	260	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	261	cnx.close()
4191 01638461d4b0 test update. All cw tests OK Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3890 diff changeset	262	cnx = self.login('user', password='newpwd')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	263
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	264	def test_user_cant_change_other_upassword(self):
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	265	ueid = self.create_user('otheruser').eid
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	266	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	267	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	268	cu.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	269	{'x': ueid, 'passwd': 'newpwd'})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	270	self.assertRaises(Unauthorized, cnx.commit)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	271
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	272	# read security test
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	273
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	274	def test_read_base(self):
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	275	self.schema['Personne'].set_action_permissions('read', ('users', 'managers'))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	276	cnx = self.login('anon')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	277	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	278	self.assertRaises(Unauthorized,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	279	cu.execute, 'Personne U where U nom "managers"')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	280
321 247947250382 fix security bug w/ query using 'NOT X eid 123' Sylvain Thenault <sylvain.thenault@logilab.fr> parents: 0 diff changeset	281	def test_read_erqlexpr_base(self):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	282	eid = self.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	283	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	284	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	285	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	286	rset = cu.execute('Affaire X')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	287	self.assertEqual(rset.rows, [])
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	288	self.assertRaises(Unauthorized, cu.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
321 247947250382 fix security bug w/ query using 'NOT X eid 123' Sylvain Thenault <sylvain.thenault@logilab.fr> parents: 0 diff changeset	289	# cache test
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	290	self.assertRaises(Unauthorized, cu.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	291	aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	292	soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	293	cu.execute("SET A concerne S WHERE A is Affaire, S is Societe")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	294	cnx.commit()
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	295	rset = cu.execute('Any X WHERE X eid %(x)s', {'x': aff2})
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	296	self.assertEqual(rset.rows, [[aff2]])
321 247947250382 fix security bug w/ query using 'NOT X eid 123' Sylvain Thenault <sylvain.thenault@logilab.fr> parents: 0 diff changeset	297	# more cache test w/ NOT eid
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	298	rset = cu.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid})
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	299	self.assertEqual(rset.rows, [[aff2]])
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	300	rset = cu.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2})
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	301	self.assertEqual(rset.rows, [])
4765 c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	302	# test can't update an attribute of an entity that can't be readen
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	303	self.assertRaises(Unauthorized, cu.execute, 'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid})
4765 c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	304
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	305
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	306	def test_entity_created_in_transaction(self):
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	307	affschema = self.schema['Affaire']
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	308	origperms = affschema.permissions['read']
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	309	affschema.set_action_permissions('read', affschema.permissions['add'])
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	310	try:
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	311	cnx = self.login('iaminusersgrouponly')
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	312	cu = cnx.cursor()
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	313	aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	314	# entity created in transaction are readable by eid
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	315	self.failUnless(cu.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
4765 c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	316	# XXX would be nice if it worked
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	317	rset = cu.execute("Affaire X WHERE X sujet 'cool'")
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	318	self.assertEqual(len(rset), 0)
4765 c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	319	finally:
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	320	affschema.set_action_permissions('read', origperms)
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	321	cnx.close()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	322
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	323	def test_read_erqlexpr_has_text1(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	324	aff1 = self.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	325	card1 = self.execute("INSERT Card X: X title 'cool'")[0][0]
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	326	self.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"', {'x': card1})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	327	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	328	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	329	cu = cnx.cursor()
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	330	aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	331	soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0]
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	332	cu.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	333	cnx.commit()
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	334	self.assertRaises(Unauthorized, cu.execute, 'Any X WHERE X eid %(x)s', {'x':aff1})
78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	335	self.failUnless(cu.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	336	self.failUnless(cu.execute('Any X WHERE X eid %(x)s', {'x':card1}))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	337	rset = cu.execute("Any X WHERE X has_text 'cool'")
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	338	self.assertEqual(sorted(eid for eid, in rset.rows),
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	339	[card1, aff2])
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	340
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	341	def test_read_erqlexpr_has_text2(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	342	self.execute("INSERT Personne X: X nom 'bidule'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	343	self.execute("INSERT Societe X: X nom 'bidule'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	344	self.commit()
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	345	self.schema['Personne'].set_action_permissions('read', ('managers',))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	346	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	347	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	348	rset = cu.execute('Any N WHERE N has_text "bidule"')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	349	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	350	rset = cu.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	351	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	352
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	353	def test_read_erqlexpr_optional_rel(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	354	self.execute("INSERT Personne X: X nom 'bidule'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	355	self.execute("INSERT Societe X: X nom 'bidule'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	356	self.commit()
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	357	self.schema['Personne'].set_action_permissions('read', ('managers',))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	358	cnx = self.login('anon')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	359	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	360	rset = cu.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	361	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	362
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	363	def test_read_erqlexpr_aggregat(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	364	self.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	365	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	366	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	367	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	368	rset = cu.execute('Any COUNT(X) WHERE X is Affaire')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	369	self.assertEqual(rset.rows, [[0]])
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	370	aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	371	soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	372	cu.execute("SET A concerne S WHERE A is Affaire, S is Societe")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	373	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	374	rset = cu.execute('Any COUNT(X) WHERE X is Affaire')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	375	self.assertEqual(rset.rows, [[1]])
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	376	rset = cu.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	377	values = dict(rset)
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	378	self.assertEqual(values['Affaire'], 1)
470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	379	self.assertEqual(values['Societe'], 2)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	380	rset = cu.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN WITH X BEING ((Affaire X) UNION (Societe X))')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	381	self.assertEqual(len(rset), 2)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	382	values = dict(rset)
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	383	self.assertEqual(values['Affaire'], 1)
470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	384	self.assertEqual(values['Societe'], 2)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	385
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	386
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	387	def test_attribute_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	388	# only managers should be able to edit the 'test' attribute of Personne entities
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	389	eid = self.execute("INSERT Personne X: X nom 'bidule', X web 'http://www.debian.org', X test TRUE")[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	390	self.commit()
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	391	self.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	392	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	393	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	394	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	395	cu.execute("INSERT Personne X: X nom 'bidule', X web 'http://www.debian.org', X test TRUE")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	396	self.assertRaises(Unauthorized, cnx.commit)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	397	cu.execute("INSERT Personne X: X nom 'bidule', X web 'http://www.debian.org', X test FALSE")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	398	self.assertRaises(Unauthorized, cnx.commit)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	399	eid = cu.execute("INSERT Personne X: X nom 'bidule', X web 'http://www.debian.org'")[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	400	cnx.commit()
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	401	cu.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	402	self.assertRaises(Unauthorized, cnx.commit)
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	403	cu.execute('SET X test TRUE WHERE X eid %(x)s', {'x': eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	404	self.assertRaises(Unauthorized, cnx.commit)
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	405	cu.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	406	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	407	cnx.close()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	408
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	409	def test_attribute_security_rqlexpr(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	410	# Note.para attribute editable by managers or if the note is in "todo" state
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	411	note = self.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	412	self.commit()
5556 9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	413	note.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	414	self.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	415	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	416	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	417	cu = cnx.cursor()
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	418	cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	419	self.assertRaises(Unauthorized, cnx.commit)
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	420	note2 = cu.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	421	cnx.commit()
5556 9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	422	note2.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	423	cnx.commit()
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	424	self.assertEqual(len(cu.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s', {'x': note2.eid})),
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	425	0)
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	426	cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	427	self.assertRaises(Unauthorized, cnx.commit)
5556 9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	428	note2.cw_adapt_to('IWorkflowable').fire_transition('redoit')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	429	cnx.commit()
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	430	cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	431	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	432
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	433	def test_attribute_read_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	434	# anon not allowed to see users'login, but they can see users
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	435	self.repo.schema['CWUser'].set_action_permissions('read', ('guests', 'users', 'managers'))
7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	436	self.repo.schema['CWUser'].rdef('login').set_action_permissions('read', ('users', 'managers'))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	437	cnx = self.login('anon')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	438	cu = cnx.cursor()
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	439	rset = cu.execute('CWUser X')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	440	self.failUnless(rset)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	441	x = rset.get_entity(0, 0)
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	442	self.assertEqual(x.login, None)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	443	self.failUnless(x.creation_date)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	444	x = rset.get_entity(1, 0)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	445	x.complete()
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	446	self.assertEqual(x.login, None)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	447	self.failUnless(x.creation_date)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	448	cnx.rollback()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	449
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	450	class BaseSchemaSecurityTC(BaseSecurityTC):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	451	"""tests related to the base schema permission configuration"""
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	452
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	453	def test_user_can_delete_object_he_created(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	454	# even if some other user have changed object'state
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	455	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	456	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	457	# due to security test, affaire has to concerne a societe the user owns
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	458	cu.execute('INSERT Societe X: X nom "ARCTIA"')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	459	cu.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	460	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	461	self.restore_connection()
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	462	affaire = self.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
5556 9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	463	affaire.cw_adapt_to('IWorkflowable').fire_transition('abort')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	464	self.commit()
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	465	self.assertEqual(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')),
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	466	1)
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	467	self.assertEqual(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	468	'X owned_by U, U login "admin"')),
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	469	1) # TrInfo at the above state change
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	470	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	471	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	472	cu.execute('DELETE Affaire X WHERE X ref "ARCT01"')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	473	cnx.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	474	self.failIf(cu.execute('Affaire X'))
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	475
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	476	def test_users_and_groups_non_readable_by_guests(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	477	cnx = self.login('anon')
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	478	anon = cnx.user(self.session)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	479	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	480	# anonymous user can only read itself
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	481	rset = cu.execute('Any L WHERE X owned_by U, U login L')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	482	self.assertEqual(rset.rows, [['anon']])
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	483	rset = cu.execute('CWUser X')
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	484	self.assertEqual(rset.rows, [[anon.eid]])
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	485	# anonymous user can read groups (necessary to check allowed transitions for instance)
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	486	self.assert_(cu.execute('CWGroup X'))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	487	# should only be able to read the anonymous user, not another one
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	488	origuser = self.adminsession.user
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	489	self.assertRaises(Unauthorized,
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	490	cu.execute, 'CWUser X WHERE X eid %(x)s', {'x': origuser.eid})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	491	# nothing selected, nothing updated, no exception raised
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	492	#self.assertRaises(Unauthorized,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	493	# cu.execute, 'SET X login "toto" WHERE X eid %(x)s',
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	494	# {'x': self.user.eid})
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	495
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	496	rset = cu.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid})
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	497	self.assertEqual(rset.rows, [[anon.eid]])
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	498	# but can't modify it
4915 d657b89df9f4 fix test broken by recent rql rewrite / querier changes Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4787 diff changeset	499	cu.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid})
d657b89df9f4 fix test broken by recent rql rewrite / querier changes Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4787 diff changeset	500	self.assertRaises(Unauthorized, cnx.commit)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	501
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	502	def test_in_group_relation(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	503	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	504	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	505	rql = u"DELETE U in_group G WHERE U login 'admin'"
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	506	self.assertRaises(Unauthorized, cu.execute, rql)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	507	rql = u"SET U in_group G WHERE U login 'admin', G name 'users'"
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	508	self.assertRaises(Unauthorized, cu.execute, rql)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	509
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	510	def test_owned_by(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	511	self.execute("INSERT Personne X: X nom 'bidule'")
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	512	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	513	cnx = self.login('iaminusersgrouponly')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	514	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	515	rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne"
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	516	self.assertRaises(Unauthorized, cu.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	517
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	518	def test_bookmarked_by_guests_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	519	beid1 = self.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	520	beid2 = self.execute('INSERT Bookmark B: B path "?vid=index", B title "index", B bookmarked_by U WHERE U login "anon"')[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	521	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	522	cnx = self.login('anon')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	523	cu = cnx.cursor()
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	524	anoneid = self.session.user.eid
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	525	self.assertEqual(cu.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	526	'B bookmarked_by U, U eid %s' % anoneid).rows,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	527	[['index', '?vid=index']])
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	528	self.assertEqual(cu.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	529	'B bookmarked_by U, U eid %(x)s', {'x': anoneid}).rows,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	530	[['index', '?vid=index']])
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	531	# can read others bookmarks as well
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	532	self.assertEqual(cu.execute('Any B where B is Bookmark, NOT B bookmarked_by U').rows,
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	533	[[beid1]])
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	534	self.assertRaises(Unauthorized, cu.execute,'DELETE B bookmarked_by U')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	535	self.assertRaises(Unauthorized,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	536	cu.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s',
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	537	{'x': anoneid, 'b': beid1})
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	538
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	539
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	540	def test_ambigous_ordered(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	541	cnx = self.login('anon')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	542	cu = cnx.cursor()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	543	names = [t for t, in cu.execute('Any N ORDERBY lower(N) WHERE X name N')]
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	544	self.assertEqual(names, sorted(names, key=lambda x: x.lower()))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	545
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	546	def test_in_state_without_update_perm(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	547	"""check a user change in_state without having update permission on the
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	548	subject
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	549	"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	550	eid = self.execute('INSERT Affaire X: X ref "ARCT01"')[0][0]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	551	self.commit()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	552	cnx = self.login('iaminusersgrouponly')
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	553	session = self.session
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	554	# needed to avoid check_perm error
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	555	session.set_pool()
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	556	# needed to remove rql expr granting update perm to the user
4691 ae468fae9965 [test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4191 diff changeset	557	affaire_perms = self.schema['Affaire'].permissions.copy()
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3252 diff changeset	558	self.schema['Affaire'].set_action_permissions('update', self.schema['Affaire'].get_groups('update'))
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	559	try:
4691 ae468fae9965 [test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4191 diff changeset	560	self.assertRaises(Unauthorized,
ae468fae9965 [test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4191 diff changeset	561	self.schema['Affaire'].check_perm, session, 'update', eid=eid)
ae468fae9965 [test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4191 diff changeset	562	cu = cnx.cursor()
ae468fae9965 [test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4191 diff changeset	563	self.schema['Affaire'].set_action_permissions('read', ('users',))
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	564	aff = cu.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
5556 9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	565	aff.cw_adapt_to('IWorkflowable').fire_transition('abort')
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	566	cnx.commit()
64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	567	# though changing a user state (even logged user) is reserved to managers
3447 0a0f8df4a2f7 test fixes Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3293 diff changeset	568	user = cnx.user(self.session)
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	569	# XXX wether it should raise Unauthorized or ValidationError is not clear
64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	570	# the best would probably ValidationError if the transition doesn't exist
64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	571	# from the current state but Unauthorized if it exists but user can't pass it
5556 9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	572	self.assertRaises(ValidationError,
9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	573	user.cw_adapt_to('IWorkflowable').fire_transition, 'deactivate')
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	574	finally:
4691 ae468fae9965 [test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4191 diff changeset	575	# restore orig perms
ae468fae9965 [test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4191 diff changeset	576	for action, perms in affaire_perms.iteritems():
ae468fae9965 [test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4191 diff changeset	577	self.schema['Affaire'].set_action_permissions(action, perms)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	578
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	579	def test_trinfo_security(self):
fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	580	aff = self.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
5556 9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	581	iworkflowable = aff.cw_adapt_to('IWorkflowable')
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	582	self.commit()
5556 9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	583	iworkflowable.fire_transition('abort')
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	584	self.commit()
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	585	# can change tr info comment
fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	586	self.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"',
2920 64322aa83a1d start a new workflow engine Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	587	{'c': u'bouh!'})
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	588	self.commit()
5557 1a534c596bff [entity] continue cleanup of Entity/AnyEntity namespace Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5556 diff changeset	589	aff.cw_clear_relation_cache('wf_info_for', 'object')
5556 9ab2b4c74baf [entity] introduce a new 'adapters' registry Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	590	trinfo = iworkflowable.latest_trinfo()
6340 470d8e828fda [test] update test to unittest2 api (still using lgc.testlib though) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5890 diff changeset	591	self.assertEqual(trinfo.comment, 'bouh!')
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	592	# but not from_state/to_state
5557 1a534c596bff [entity] continue cleanup of Entity/AnyEntity namespace Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5556 diff changeset	593	aff.cw_clear_relation_cache('wf_info_for', role='object')
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	594	self.assertRaises(Unauthorized,
fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	595	self.execute, 'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"',
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	596	{'ti': trinfo.eid})
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	597	self.assertRaises(Unauthorized,
fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	598	self.execute, 'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"',
5174 78438ad513ca #759035: Automate addition of eid cachekey in RQL analysis Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4915 diff changeset	599	{'ti': trinfo.eid})
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	600
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	601	if __name__ == '__main__':
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	602	unittest_main()

author	Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
	Thu, 03 Mar 2011 12:55:29 +0100
branch	stable
changeset 7033	ddc1b4d80dbd
parent 6410	2e7a7b0829ed
child 7072	bcf96f2a4c5d
permissions	-rw-r--r--