Mercurial Mercurial > pub > hg > cubicweb / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
server/test/unittest_security.py
branchreldefsecurity
changeset 3877 7ca53fc72a0a
parent 3252 c0e10da6f1cf
child 3890 d7a270f50f54
equal deleted inserted replaced
3876:1169d3154be6 3877:7ca53fc72a0a 
    12 class BaseSecurityTC(RepositoryBasedTC):
 
    12 class BaseSecurityTC(RepositoryBasedTC):
 
    13 
    13 
    14     def setUp(self):
 
    14     def setUp(self):
 
    15         RepositoryBasedTC.setUp(self)
 
    15         RepositoryBasedTC.setUp(self)
 
    16         self.create_user('iaminusersgrouponly')
 
    16         self.create_user('iaminusersgrouponly')
 
    17         self.readoriggroups = self.schema['Personne'].get_groups('read')
 
    17         self.readoriggroups = self.schema['Personne'].permissions['read']
 
    18         self.addoriggroups = self.schema['Personne'].get_groups('add')
 
    18         self.addoriggroups = self.schema['Personne'].permissions['add']
 
    19 
    19 
    20     def tearDown(self):
 
    20     def tearDown(self):
 
    21         RepositoryBasedTC.tearDown(self)
 
    21         RepositoryBasedTC.tearDown(self)
 
    22         self.schema['Personne'].set_groups('read', self.readoriggroups)
 
    22         self.schema['Personne'].set_action_permissions('read', self.readoriggroups)
 
    23         self.schema['Personne'].set_groups('add', self.addoriggroups)
 
    23         self.schema['Personne'].set_action_permissions('add', self.addoriggroups)
 
    24 
    24 
    25 
    25 
    26 class LowLevelSecurityFunctionTC(BaseSecurityTC):
 
    26 class LowLevelSecurityFunctionTC(BaseSecurityTC):
 
    27 
    27 
    28     def test_check_read_access(self):
 
    28     def test_check_read_access(self):
 
    29         rql = u'Personne U where U nom "managers"'
 
    29         rql = u'Personne U where U nom "managers"'
 
    30         rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
 
    30         rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
 
    31         origgroups = self.schema['Personne'].get_groups('read')
 
    31         origgroups = self.schema['Personne'].get_groups('read')
 
    32         self.schema['Personne'].set_groups('read', ('users', 'managers'))
 
    32         self.schema['Personne'].set_action_permissions('read', ('users', 'managers'))
 
    33         self.repo.vreg.rqlhelper.compute_solutions(rqlst)
 
    33         self.repo.vreg.rqlhelper.compute_solutions(rqlst)
 
    34         solution = rqlst.solutions[0]
 
    34         solution = rqlst.solutions[0]
 
    35         check_read_access(self.schema, self.session.user, rqlst, solution)
 
    35         check_read_access(self.schema, self.session.user, rqlst, solution)
 
    36         cnx = self.login('anon')
 
    36         cnx = self.login('anon')
 
    37         cu = cnx.cursor()
 
    37         cu = cnx.cursor()
 
    94         self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
 
    94         self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
 
    95 
    95 
    96     def test_update_security_2(self):
 
    96     def test_update_security_2(self):
 
    97         cnx = self.login('anon')
 
    97         cnx = self.login('anon')
 
    98         cu = cnx.cursor()
 
    98         cu = cnx.cursor()
 
    99         self.repo.schema['Personne'].set_groups('read', ('users', 'managers'))
 
    99         self.repo.schema['Personne'].set_action_permissions('read', ('users', 'managers'))
 
   100         self.repo.schema['Personne'].set_groups('add', ('guests', 'users', 'managers'))
 
   100         self.repo.schema['Personne'].set_action_permissions('add', ('guests', 'users', 'managers'))
 
   101         self.assertRaises(Unauthorized, cu.execute, "SET X nom 'bidulechouette' WHERE X is Personne")
 
   101         self.assertRaises(Unauthorized, cu.execute, "SET X nom 'bidulechouette' WHERE X is Personne")
 
   102         #self.assertRaises(Unauthorized, cnx.commit)
 
   102         #self.assertRaises(Unauthorized, cnx.commit)
 
   103         # test nothing has actually been inserted
 
   103         # test nothing has actually been inserted
 
   104         self.restore_connection()
 
   104         self.restore_connection()
 
   105         self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
 
   105         self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
 
   175         rset = cu.execute('Personne P')
 
   175         rset = cu.execute('Personne P')
 
   176         self.assertEquals(len(rset), 1)
 
   176         self.assertEquals(len(rset), 1)
 
   177         ent = rset.get_entity(0, 0)
 
   177         ent = rset.get_entity(0, 0)
 
   178         session.set_pool() # necessary
 
   178         session.set_pool() # necessary
 
   179         self.assertRaises(Unauthorized,
 
   179         self.assertRaises(Unauthorized,
 
   180                           ent.e_schema.check_perm, session, 'update', ent.eid)
 
   180                           ent.e_schema.check_perm, session, 'update', eid=ent.eid)
 
   181         self.assertRaises(Unauthorized,
 
   181         self.assertRaises(Unauthorized,
 
   182                           cu.execute, "SET P travaille S WHERE P is Personne, S is Societe")
 
   182                           cu.execute, "SET P travaille S WHERE P is Personne, S is Societe")
 
   183         # test nothing has actually been inserted:
 
   183         # test nothing has actually been inserted:
 
   184         self.assertEquals(cu.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe').rowcount, 0)
 
   184         self.assertEquals(cu.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe').rowcount, 0)
 
   185         cu.execute("INSERT Societe X: X nom 'chouette'")
 
   185         cu.execute("INSERT Societe X: X nom 'chouette'")
 
   228         self.assertRaises(Unauthorized, cnx.commit)
 
   228         self.assertRaises(Unauthorized, cnx.commit)
 
   229 
   229 
   230     # read security test
 
   230     # read security test
 
   231 
   231 
   232     def test_read_base(self):
 
   232     def test_read_base(self):
 
   233         self.schema['Personne'].set_groups('read', ('users', 'managers'))
 
   233         self.schema['Personne'].set_action_permissions('read', ('users', 'managers'))
 
   234         cnx = self.login('anon')
 
   234         cnx = self.login('anon')
 
   235         cu = cnx.cursor()
 
   235         cu = cnx.cursor()
 
   236         self.assertRaises(Unauthorized,
 
   236         self.assertRaises(Unauthorized,
 
   237                           cu.execute, 'Personne U where U nom "managers"')
 
   237                           cu.execute, 'Personne U where U nom "managers"')
 
   238 
   238 
   279 
   279 
   280     def test_read_erqlexpr_has_text2(self):
 
   280     def test_read_erqlexpr_has_text2(self):
 
   281         self.execute("INSERT Personne X: X nom 'bidule'")
 
   281         self.execute("INSERT Personne X: X nom 'bidule'")
 
   282         self.execute("INSERT Societe X: X nom 'bidule'")
 
   282         self.execute("INSERT Societe X: X nom 'bidule'")
 
   283         self.commit()
 
   283         self.commit()
 
   284         self.schema['Personne'].set_groups('read', ('managers',))
 
   284         self.schema['Personne'].set_action_permissions('read', ('managers',))
 
   285         cnx = self.login('iaminusersgrouponly')
 
   285         cnx = self.login('iaminusersgrouponly')
 
   286         cu = cnx.cursor()
 
   286         cu = cnx.cursor()
 
   287         rset = cu.execute('Any N WHERE N has_text "bidule"')
 
   287         rset = cu.execute('Any N WHERE N has_text "bidule"')
 
   288         self.assertEquals(len(rset.rows), 1, rset.rows)
 
   288         self.assertEquals(len(rset.rows), 1, rset.rows)
 
   289         rset = cu.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
 
   289         rset = cu.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
 
   291 
   291 
   292     def test_read_erqlexpr_optional_rel(self):
 
   292     def test_read_erqlexpr_optional_rel(self):
 
   293         self.execute("INSERT Personne X: X nom 'bidule'")
 
   293         self.execute("INSERT Personne X: X nom 'bidule'")
 
   294         self.execute("INSERT Societe X: X nom 'bidule'")
 
   294         self.execute("INSERT Societe X: X nom 'bidule'")
 
   295         self.commit()
 
   295         self.commit()
 
   296         self.schema['Personne'].set_groups('read', ('managers',))
 
   296         self.schema['Personne'].set_action_permissions('read', ('managers',))
 
   297         cnx = self.login('anon')
 
   297         cnx = self.login('anon')
 
   298         cu = cnx.cursor()
 
   298         cu = cnx.cursor()
 
   299         rset = cu.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
 
   299         rset = cu.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
 
   300         self.assertEquals(len(rset.rows), 1, rset.rows)
 
   300         self.assertEquals(len(rset.rows), 1, rset.rows)
 
   301 
   301 
   369         cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}, 'x')
 
   369         cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}, 'x')
 
   370         cnx.commit()
 
   370         cnx.commit()
 
   371 
   371 
   372     def test_attribute_read_security(self):
 
   372     def test_attribute_read_security(self):
 
   373         # anon not allowed to see users'login, but they can see users
 
   373         # anon not allowed to see users'login, but they can see users
 
   374         self.repo.schema['CWUser'].set_groups('read', ('guests', 'users', 'managers'))
 
   374         self.repo.schema['CWUser'].set_action_permissions('read', ('guests', 'users', 'managers'))
 
   375         self.repo.schema['login'].set_groups('read', ('users', 'managers'))
 
   375         self.repo.schema['CWUser'].rdef('login').set_action_permissions('read', ('users', 'managers'))
 
   376         cnx = self.login('anon')
 
   376         cnx = self.login('anon')
 
   377         cu = cnx.cursor()
 
   377         cu = cnx.cursor()
 
   378         rset = cu.execute('CWUser X')
 
   378         rset = cu.execute('CWUser X')
 
   379         self.failUnless(rset)
 
   379         self.failUnless(rset)
 
   380         x = rset.get_entity(0, 0)
 
   380         x = rset.get_entity(0, 0)
 
   492         cnx = self.login('iaminusersgrouponly')
 
   492         cnx = self.login('iaminusersgrouponly')
 
   493         session = self.current_session()
 
   493         session = self.current_session()
 
   494         # needed to avoid check_perm error
 
   494         # needed to avoid check_perm error
 
   495         session.set_pool()
 
   495         session.set_pool()
 
   496         # needed to remove rql expr granting update perm to the user
 
   496         # needed to remove rql expr granting update perm to the user
 
   497         self.schema['Affaire'].set_rqlexprs('update', ())
 
   497         self.schema['Affaire'].set_action_permissions('update', self.schema['Affaire'].get_groups('update'))
 
   498         self.assertRaises(Unauthorized,
 
   498         self.assertRaises(Unauthorized,
 
   499                           self.schema['Affaire'].check_perm, session, 'update', eid)
 
   499                           self.schema['Affaire'].check_perm, session, 'update', eid=eid)
 
   500         cu = cnx.cursor()
 
   500         cu = cnx.cursor()
 
   501         self.schema['Affaire'].set_groups('read', ('users',))
 
   501         self.schema['Affaire'].set_action_permissions('read', ('users',))
 
   502         try:
 
   502         try:
 
   503             aff = cu.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
 
   503             aff = cu.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
 
   504             aff.fire_transition('abort')
 
   504             aff.fire_transition('abort')
 
   505             cnx.commit()
 
   505             cnx.commit()
 
   506             # though changing a user state (even logged user) is reserved to managers
 
   506             # though changing a user state (even logged user) is reserved to managers
 
   508             # XXX wether it should raise Unauthorized or ValidationError is not clear
 
   508             # XXX wether it should raise Unauthorized or ValidationError is not clear
 
   509             # the best would probably ValidationError if the transition doesn't exist
 
   509             # the best would probably ValidationError if the transition doesn't exist
 
   510             # from the current state but Unauthorized if it exists but user can't pass it
 
   510             # from the current state but Unauthorized if it exists but user can't pass it
 
   511             self.assertRaises(ValidationError, user.fire_transition, 'deactivate')
 
   511             self.assertRaises(ValidationError, user.fire_transition, 'deactivate')
 
   512         finally:
 
   512         finally:
 
   513             self.schema['Affaire'].set_groups('read', ('managers',))
 
   513             self.schema['Affaire'].set_action_permissions('read', ('managers',))
 
   514 
   514 
   515     def test_trinfo_security(self):
 
   515     def test_trinfo_security(self):
 
   516         aff = self.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
 
   516         aff = self.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
 
   517         self.commit()
 
   517         self.commit()
 
   518         aff.fire_transition('abort')
 
   518         aff.fire_transition('abort')
cubicweb