20 from logilab.common.testlib import unittest_main |
20 from logilab.common.testlib import unittest_main |
21 |
21 |
22 from cubicweb.devtools.testlib import CubicWebTC |
22 from cubicweb.devtools.testlib import CubicWebTC |
23 from cubicweb import Unauthorized, ValidationError, QueryError, Binary |
23 from cubicweb import Unauthorized, ValidationError, QueryError, Binary |
24 from cubicweb.schema import ERQLExpression |
24 from cubicweb.schema import ERQLExpression |
25 from cubicweb.server.querier import check_read_access |
25 from cubicweb.server.querier import get_local_checks, check_relations_read_access |
26 from cubicweb.server.utils import _CRYPTO_CTX |
26 from cubicweb.server.utils import _CRYPTO_CTX |
27 |
27 |
28 |
28 |
29 class BaseSecurityTC(CubicWebTC): |
29 class BaseSecurityTC(CubicWebTC): |
30 |
30 |
35 hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt') |
35 hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt') |
36 self.create_user(cnx, 'oldpassword', password=Binary(hash)) |
36 self.create_user(cnx, 'oldpassword', password=Binary(hash)) |
37 |
37 |
38 class LowLevelSecurityFunctionTC(BaseSecurityTC): |
38 class LowLevelSecurityFunctionTC(BaseSecurityTC): |
39 |
39 |
40 def test_check_read_access(self): |
40 def test_check_relation_read_access(self): |
41 rql = u'Personne U where U nom "managers"' |
41 rql = u'Personne U WHERE U nom "managers"' |
|
42 rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0] |
|
43 nom = self.repo.schema['Personne'].rdef('nom') |
|
44 with self.temporary_permissions((nom, {'read': ('users', 'managers')})): |
|
45 with self.admin_access.repo_cnx() as cnx: |
|
46 self.repo.vreg.solutions(cnx, rqlst, None) |
|
47 check_relations_read_access(cnx, rqlst, {}) |
|
48 with self.new_access('anon').repo_cnx() as cnx: |
|
49 self.assertRaises(Unauthorized, |
|
50 check_relations_read_access, |
|
51 cnx, rqlst, {}) |
|
52 self.assertRaises(Unauthorized, cnx.execute, rql) |
|
53 |
|
54 def test_get_local_checks(self): |
|
55 rql = u'Personne U WHERE U nom "managers"' |
42 rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0] |
56 rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0] |
43 with self.temporary_permissions(Personne={'read': ('users', 'managers')}): |
57 with self.temporary_permissions(Personne={'read': ('users', 'managers')}): |
44 with self.admin_access.repo_cnx() as cnx: |
58 with self.admin_access.repo_cnx() as cnx: |
45 self.repo.vreg.solutions(cnx, rqlst, None) |
59 self.repo.vreg.solutions(cnx, rqlst, None) |
46 solution = rqlst.solutions[0] |
60 solution = rqlst.solutions[0] |
47 check_read_access(cnx, rqlst, solution, {}) |
61 localchecks = get_local_checks(cnx, rqlst, solution) |
|
62 self.assertEqual({}, localchecks) |
48 with self.new_access('anon').repo_cnx() as cnx: |
63 with self.new_access('anon').repo_cnx() as cnx: |
49 self.assertRaises(Unauthorized, |
64 self.assertRaises(Unauthorized, |
50 check_read_access, |
65 get_local_checks, |
51 cnx, rqlst, solution, {}) |
66 cnx, rqlst, solution) |
52 self.assertRaises(Unauthorized, cnx.execute, rql) |
67 self.assertRaises(Unauthorized, cnx.execute, rql) |
53 |
68 |
54 def test_upassword_not_selectable(self): |
69 def test_upassword_not_selectable(self): |
55 with self.admin_access.repo_cnx() as cnx: |
70 with self.admin_access.repo_cnx() as cnx: |
56 self.assertRaises(Unauthorized, |
71 self.assertRaises(Unauthorized, |