13 # FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
13 # FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
14 # details. |
14 # details. |
15 # |
15 # |
16 # You should have received a copy of the GNU Lesser General Public License along |
16 # You should have received a copy of the GNU Lesser General Public License along |
17 # with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
17 # with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
18 """functional tests for server'security |
18 """functional tests for server'security""" |
19 """ |
19 |
20 import sys |
20 import sys |
21 |
21 |
22 from logilab.common.testlib import unittest_main, TestCase |
22 from logilab.common.testlib import unittest_main, TestCase |
23 from cubicweb.devtools.testlib import CubicWebTC |
23 from cubicweb.devtools.testlib import CubicWebTC |
24 |
24 |
63 cnx = self.login('iaminusersgrouponly') |
63 cnx = self.login('iaminusersgrouponly') |
64 cu = cnx.cursor() |
64 cu = cnx.cursor() |
65 self.assertRaises(Unauthorized, |
65 self.assertRaises(Unauthorized, |
66 cu.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
66 cu.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
67 |
67 |
|
68 |
|
69 class SecurityRewritingTC(BaseSecurityTC): |
|
70 def hijack_source_execute(self): |
|
71 def syntax_tree_search(*args, **kwargs): |
|
72 self.query = (args, kwargs) |
|
73 return [] |
|
74 self.repo.system_source.syntax_tree_search = syntax_tree_search |
|
75 |
|
76 def tearDown(self): |
|
77 self.repo.system_source.__dict__.pop('syntax_tree_search', None) |
|
78 BaseSecurityTC.tearDown(self) |
|
79 |
|
80 def test_not_relation_read_security(self): |
|
81 cnx = self.login('iaminusersgrouponly') |
|
82 self.hijack_source_execute() |
|
83 self.execute('Any U WHERE NOT A todo_by U, A is Affaire') |
|
84 self.assertEquals(self.query[0][1].as_string(), |
|
85 'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire') |
|
86 self.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire') |
|
87 self.assertEquals(self.query[0][1].as_string(), |
|
88 'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire') |
68 |
89 |
69 class SecurityTC(BaseSecurityTC): |
90 class SecurityTC(BaseSecurityTC): |
70 |
91 |
71 def setUp(self): |
92 def setUp(self): |
72 BaseSecurityTC.setUp(self) |
93 BaseSecurityTC.setUp(self) |
417 x = rset.get_entity(1, 0) |
438 x = rset.get_entity(1, 0) |
418 x.complete() |
439 x.complete() |
419 self.assertEquals(x.login, None) |
440 self.assertEquals(x.login, None) |
420 self.failUnless(x.creation_date) |
441 self.failUnless(x.creation_date) |
421 cnx.rollback() |
442 cnx.rollback() |
422 |
|
423 |
443 |
424 class BaseSchemaSecurityTC(BaseSecurityTC): |
444 class BaseSchemaSecurityTC(BaseSecurityTC): |
425 """tests related to the base schema permission configuration""" |
445 """tests related to the base schema permission configuration""" |
426 |
446 |
427 def test_user_can_delete_object_he_created(self): |
447 def test_user_can_delete_object_he_created(self): |
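Review bot: In the added `test_not_relation_read_security`, `self.query` is not cleared between the two `self.execute` calls, and both `assertEquals` checks expect the same string. If the second query never reaches the patched `syntax_tree_search`, the second assertion still passes on the value captured by the first call, so a regression in how the `NOT EXISTS(...)` form is handled under read security could go unnoticed. Adding `self.query = None` just before the second `self.execute(...)` would make that case fail instead of passing vacuously. `SecurityRewritingTC` and `hijack_source_execute` would also benefit from a one-line docstring saying that the system source's `syntax_tree_search` is replaced by a stub that records its arguments and returns no rows, and that `tearDown` removes the stub.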