1 # copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
1 # copyright 2003-2012 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
2 # contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
2 # contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
3 # |
3 # |
4 # This file is part of CubicWeb. |
4 # This file is part of CubicWeb. |
5 # |
5 # |
6 # CubicWeb is free software: you can redistribute it and/or modify it under the |
6 # CubicWeb is free software: you can redistribute it and/or modify it under the |
21 |
21 |
22 from logilab.common.testlib import unittest_main, TestCase |
22 from logilab.common.testlib import unittest_main, TestCase |
23 from cubicweb.devtools.testlib import CubicWebTC |
23 from cubicweb.devtools.testlib import CubicWebTC |
24 |
24 |
25 from cubicweb import Unauthorized, ValidationError, QueryError |
25 from cubicweb import Unauthorized, ValidationError, QueryError |
|
26 from cubicweb.schema import ERQLExpression |
26 from cubicweb.server.querier import check_read_access |
27 from cubicweb.server.querier import check_read_access |
|
28 |
27 |
29 |
28 class BaseSecurityTC(CubicWebTC): |
30 class BaseSecurityTC(CubicWebTC): |
29 |
31 |
30 def setup_database(self): |
32 def setup_database(self): |
31 super(BaseSecurityTC, self).setup_database() |
33 super(BaseSecurityTC, self).setup_database() |
465 x.complete() |
467 x.complete() |
466 self.assertEqual(x.login, None) |
468 self.assertEqual(x.login, None) |
467 self.assertTrue(x.creation_date) |
469 self.assertTrue(x.creation_date) |
468 cnx.rollback() |
470 cnx.rollback() |
469 cnx.close() |
471 cnx.close() |
|
472 |
|
473 def test_yams_inheritance_and_security_bug(self): |
|
474 oldperms = self.schema['Division'].permissions |
|
475 try: |
|
476 self.schema['Division'].permissions = { |
|
477 'read': ('managers', ERQLExpression('X owned_by U')), |
|
478 'add': ('managers', 'users'), |
|
479 'update': ('managers', 'owners'), |
|
480 'delete': ('managers', 'owners')} |
|
481 self.login('iaminusersgrouponly') |
|
482 querier = self.repo.querier |
|
483 rqlst = querier.parse('Any X WHERE X is_instance_of Societe') |
|
484 querier.solutions(self.session, rqlst, {}) |
|
485 querier._annotate(rqlst) |
|
486 plan = querier.plan_factory(rqlst, {}, self.session) |
|
487 plan.preprocess(rqlst) |
|
488 self.assertEqual( |
|
489 rqlst.as_string(), |
|
490 '(Any X WHERE X is IN(SubDivision, Societe)) UNION (Any X WHERE X is Division, EXISTS(X owned_by %(B)s))') |
|
491 finally: |
|
492 self.schema['Division'].permissions = oldperms |
|
493 |
470 |
494 |
471 class BaseSchemaSecurityTC(BaseSecurityTC): |
495 class BaseSchemaSecurityTC(BaseSecurityTC): |
472 """tests related to the base schema permission configuration""" |
496 """tests related to the base schema permission configuration""" |
473 |
497 |
474 def test_user_can_delete_object_he_created(self): |
498 def test_user_can_delete_object_he_created(self): |