39 self.schema, cnx.user(self.current_session()), rqlst, solution) |
39 self.schema, cnx.user(self.current_session()), rqlst, solution) |
40 self.assertRaises(Unauthorized, cu.execute, rql) |
40 self.assertRaises(Unauthorized, cu.execute, rql) |
41 |
41 |
42 def test_upassword_not_selectable(self): |
42 def test_upassword_not_selectable(self): |
43 self.assertRaises(Unauthorized, |
43 self.assertRaises(Unauthorized, |
44 self.execute, 'Any X,P WHERE X is EUser, X upassword P') |
44 self.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
45 self.rollback() |
45 self.rollback() |
46 cnx = self.login('iaminusersgrouponly') |
46 cnx = self.login('iaminusersgrouponly') |
47 cu = cnx.cursor() |
47 cu = cnx.cursor() |
48 self.assertRaises(Unauthorized, |
48 self.assertRaises(Unauthorized, |
49 cu.execute, 'Any X,P WHERE X is EUser, X upassword P') |
49 cu.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
50 |
50 |
51 |
51 |
52 class SecurityTC(BaseSecurityTC): |
52 class SecurityTC(BaseSecurityTC): |
53 |
53 |
54 def setUp(self): |
54 def setUp(self): |
55 BaseSecurityTC.setUp(self) |
55 BaseSecurityTC.setUp(self) |
56 # implicitly test manager can add some entities |
56 # implicitly test manager can add some entities |
57 self.execute("INSERT Affaire X: X sujet 'cool'") |
57 self.execute("INSERT Affaire X: X sujet 'cool'") |
58 self.execute("INSERT Societe X: X nom 'logilab'") |
58 self.execute("INSERT Societe X: X nom 'logilab'") |
59 self.execute("INSERT Personne X: X nom 'bidule'") |
59 self.execute("INSERT Personne X: X nom 'bidule'") |
60 self.execute('INSERT EGroup X: X name "staff"') |
60 self.execute('INSERT CWGroup X: X name "staff"') |
61 self.commit() |
61 self.commit() |
62 |
62 |
63 def test_insert_security(self): |
63 def test_insert_security(self): |
64 cnx = self.login('anon') |
64 cnx = self.login('anon') |
65 cu = cnx.cursor() |
65 cu = cnx.cursor() |
132 # FIXME: sample below fails because we don't detect "owner" can't delete |
132 # FIXME: sample below fails because we don't detect "owner" can't delete |
133 # user anyway, and since no user with login == 'bidule' exists, no |
133 # user anyway, and since no user with login == 'bidule' exists, no |
134 # exception is raised |
134 # exception is raised |
135 #user._groups = {'guests':1} |
135 #user._groups = {'guests':1} |
136 #self.assertRaises(Unauthorized, |
136 #self.assertRaises(Unauthorized, |
137 # self.o.execute, user, "DELETE EUser X WHERE X login 'bidule'") |
137 # self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'") |
138 # check local security |
138 # check local security |
139 cnx = self.login('iaminusersgrouponly') |
139 cnx = self.login('iaminusersgrouponly') |
140 cu = cnx.cursor() |
140 cu = cnx.cursor() |
141 self.assertRaises(Unauthorized, cu.execute, "DELETE EGroup Y WHERE Y name 'staff'") |
141 self.assertRaises(Unauthorized, cu.execute, "DELETE CWGroup Y WHERE Y name 'staff'") |
142 |
142 |
143 def test_delete_rql_permission(self): |
143 def test_delete_rql_permission(self): |
144 self.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
144 self.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
145 self.commit() |
145 self.commit() |
146 # test user can only dele une affaire related to a societe he owns |
146 # test user can only dele une affaire related to a societe he owns |
367 cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': eid2}, 'x') |
367 cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': eid2}, 'x') |
368 cnx.commit() |
368 cnx.commit() |
369 |
369 |
370 def test_attribute_read_security(self): |
370 def test_attribute_read_security(self): |
371 # anon not allowed to see users'login, but they can see users |
371 # anon not allowed to see users'login, but they can see users |
372 self.repo.schema['EUser'].set_groups('read', ('guests', 'users', 'managers')) |
372 self.repo.schema['CWUser'].set_groups('read', ('guests', 'users', 'managers')) |
373 self.repo.schema['login'].set_groups('read', ('users', 'managers')) |
373 self.repo.schema['login'].set_groups('read', ('users', 'managers')) |
374 cnx = self.login('anon') |
374 cnx = self.login('anon') |
375 cu = cnx.cursor() |
375 cu = cnx.cursor() |
376 rset = cu.execute('EUser X') |
376 rset = cu.execute('CWUser X') |
377 self.failUnless(rset) |
377 self.failUnless(rset) |
378 x = rset.get_entity(0, 0) |
378 x = rset.get_entity(0, 0) |
379 self.assertEquals(x.login, None) |
379 self.assertEquals(x.login, None) |
380 self.failUnless(x.creation_date) |
380 self.failUnless(x.creation_date) |
381 x = rset.get_entity(1, 0) |
381 x = rset.get_entity(1, 0) |
418 anon = cnx.user(self.current_session()) |
418 anon = cnx.user(self.current_session()) |
419 cu = cnx.cursor() |
419 cu = cnx.cursor() |
420 # anonymous user can only read itself |
420 # anonymous user can only read itself |
421 rset = cu.execute('Any L WHERE X owned_by U, U login L') |
421 rset = cu.execute('Any L WHERE X owned_by U, U login L') |
422 self.assertEquals(rset.rows, [['anon']]) |
422 self.assertEquals(rset.rows, [['anon']]) |
423 rset = cu.execute('EUser X') |
423 rset = cu.execute('CWUser X') |
424 self.assertEquals(rset.rows, [[anon.eid]]) |
424 self.assertEquals(rset.rows, [[anon.eid]]) |
425 # anonymous user can read groups (necessary to check allowed transitions for instance) |
425 # anonymous user can read groups (necessary to check allowed transitions for instance) |
426 self.assert_(cu.execute('EGroup X')) |
426 self.assert_(cu.execute('CWGroup X')) |
427 # should only be able to read the anonymous user, not another one |
427 # should only be able to read the anonymous user, not another one |
428 origuser = self.session.user |
428 origuser = self.session.user |
429 self.assertRaises(Unauthorized, |
429 self.assertRaises(Unauthorized, |
430 cu.execute, 'EUser X WHERE X eid %(x)s', {'x': origuser.eid}, 'x') |
430 cu.execute, 'CWUser X WHERE X eid %(x)s', {'x': origuser.eid}, 'x') |
431 # nothing selected, nothing updated, no exception raised |
431 # nothing selected, nothing updated, no exception raised |
432 #self.assertRaises(Unauthorized, |
432 #self.assertRaises(Unauthorized, |
433 # cu.execute, 'SET X login "toto" WHERE X eid %(x)s', |
433 # cu.execute, 'SET X login "toto" WHERE X eid %(x)s', |
434 # {'x': self.user.eid}) |
434 # {'x': self.user.eid}) |
435 |
435 |
436 rset = cu.execute('EUser X WHERE X eid %(x)s', {'x': anon.eid}, 'x') |
436 rset = cu.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid}, 'x') |
437 self.assertEquals(rset.rows, [[anon.eid]]) |
437 self.assertEquals(rset.rows, [[anon.eid]]) |
438 # but can't modify it |
438 # but can't modify it |
439 cu.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid}) |
439 cu.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid}) |
440 self.assertRaises(Unauthorized, cnx.commit) |
440 self.assertRaises(Unauthorized, cnx.commit) |
441 |
441 |