128 def test_insert_security(self): |
128 def test_insert_security(self): |
129 with self.new_access('anon').repo_cnx() as cnx: |
129 with self.new_access('anon').repo_cnx() as cnx: |
130 cnx.execute("INSERT Personne X: X nom 'bidule'") |
130 cnx.execute("INSERT Personne X: X nom 'bidule'") |
131 self.assertRaises(Unauthorized, cnx.commit) |
131 self.assertRaises(Unauthorized, cnx.commit) |
132 self.assertEqual(cnx.execute('Personne X').rowcount, 1) |
132 self.assertEqual(cnx.execute('Personne X').rowcount, 1) |
|
133 |
|
134 def test_insert_security_2(self): |
|
135 with self.new_access('anon').repo_cnx() as cnx: |
|
136 cnx.execute("INSERT Affaire X") |
|
137 self.assertRaises(Unauthorized, cnx.commit) |
|
138 # anon has no read permission on Affaire entities, so |
|
139 # rowcount == 0 |
|
140 self.assertEqual(cnx.execute('Affaire X').rowcount, 0) |
133 |
141 |
134 def test_insert_rql_permission(self): |
142 def test_insert_rql_permission(self): |
135 # test user can only add une affaire related to a societe he owns |
143 # test user can only add une affaire related to a societe he owns |
136 with self.new_access('iaminusersgrouponly').repo_cnx() as cnx: |
144 with self.new_access('iaminusersgrouponly').repo_cnx() as cnx: |
137 cnx.execute("INSERT Affaire X: X sujet 'cool'") |
145 cnx.execute("INSERT Affaire X: X sujet 'cool'") |