113 def test_insert_security(self): |
113 def test_insert_security(self): |
114 with self.new_access('anon').repo_cnx() as cnx: |
114 with self.new_access('anon').repo_cnx() as cnx: |
115 cnx.execute("INSERT Personne X: X nom 'bidule'") |
115 cnx.execute("INSERT Personne X: X nom 'bidule'") |
116 self.assertRaises(Unauthorized, cnx.commit) |
116 self.assertRaises(Unauthorized, cnx.commit) |
117 self.assertEqual(cnx.execute('Personne X').rowcount, 1) |
117 self.assertEqual(cnx.execute('Personne X').rowcount, 1) |
|
118 |
|
119 def test_insert_security_2(self): |
|
120 with self.login('anon') as cu: |
|
121 cu.execute("INSERT Affaire X") |
|
122 self.assertRaises(Unauthorized, self.commit) |
|
123 # anon has no read permission on Affaire entities, so |
|
124 # rowcount == 0 |
|
125 self.assertEqual(cu.execute('Affaire X').rowcount, 0) |
118 |
126 |
119 def test_insert_rql_permission(self): |
127 def test_insert_rql_permission(self): |
120 # test user can only add une affaire related to a societe he owns |
128 # test user can only add une affaire related to a societe he owns |
121 with self.new_access('iaminusersgrouponly').repo_cnx() as cnx: |
129 with self.new_access('iaminusersgrouponly').repo_cnx() as cnx: |
122 cnx.execute("INSERT Affaire X: X sujet 'cool'") |
130 cnx.execute("INSERT Affaire X: X sujet 'cool'") |