12 class BaseSecurityTC(CubicWebTC): |
12 class BaseSecurityTC(CubicWebTC): |
13 |
13 |
14 def setUp(self): |
14 def setUp(self): |
15 CubicWebTC.setUp(self) |
15 CubicWebTC.setUp(self) |
16 self.create_user('iaminusersgrouponly') |
16 self.create_user('iaminusersgrouponly') |
17 self.readoriggroups = self.schema['Personne'].get_groups('read') |
17 self.readoriggroups = self.schema['Personne'].permissions['read'] |
18 self.addoriggroups = self.schema['Personne'].get_groups('add') |
18 self.addoriggroups = self.schema['Personne'].permissions['add'] |
19 |
19 |
20 def tearDown(self): |
20 def tearDown(self): |
21 CubicWebTC.tearDown(self) |
21 CubicWebTC.tearDown(self) |
22 self.schema['Personne'].set_groups('read', self.readoriggroups) |
22 self.schema['Personne'].set_action_permissions('read', self.readoriggroups) |
23 self.schema['Personne'].set_groups('add', self.addoriggroups) |
23 self.schema['Personne'].set_action_permissions('add', self.addoriggroups) |
24 |
24 |
25 |
25 |
26 class LowLevelSecurityFunctionTC(BaseSecurityTC): |
26 class LowLevelSecurityFunctionTC(BaseSecurityTC): |
27 |
27 |
28 def test_check_read_access(self): |
28 def test_check_read_access(self): |
29 rql = u'Personne U where U nom "managers"' |
29 rql = u'Personne U where U nom "managers"' |
30 rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0] |
30 rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0] |
31 origgroups = self.schema['Personne'].get_groups('read') |
31 origgroups = self.schema['Personne'].get_groups('read') |
32 self.schema['Personne'].set_groups('read', ('users', 'managers')) |
32 self.schema['Personne'].set_action_permissions('read', ('users', 'managers')) |
33 self.repo.vreg.rqlhelper.compute_solutions(rqlst) |
33 self.repo.vreg.rqlhelper.compute_solutions(rqlst) |
34 solution = rqlst.solutions[0] |
34 solution = rqlst.solutions[0] |
35 check_read_access(self.schema, self.session.user, rqlst, solution) |
35 check_read_access(self.schema, self.session.user, rqlst, solution) |
36 cnx = self.login('anon') |
36 cnx = self.login('anon') |
37 cu = cnx.cursor() |
37 cu = cnx.cursor() |
94 self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0) |
94 self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0) |
95 |
95 |
96 def test_update_security_2(self): |
96 def test_update_security_2(self): |
97 cnx = self.login('anon') |
97 cnx = self.login('anon') |
98 cu = cnx.cursor() |
98 cu = cnx.cursor() |
99 self.repo.schema['Personne'].set_groups('read', ('users', 'managers')) |
99 self.repo.schema['Personne'].set_action_permissions('read', ('users', 'managers')) |
100 self.repo.schema['Personne'].set_groups('add', ('guests', 'users', 'managers')) |
100 self.repo.schema['Personne'].set_action_permissions('add', ('guests', 'users', 'managers')) |
101 self.assertRaises(Unauthorized, cu.execute, "SET X nom 'bidulechouette' WHERE X is Personne") |
101 self.assertRaises(Unauthorized, cu.execute, "SET X nom 'bidulechouette' WHERE X is Personne") |
102 #self.assertRaises(Unauthorized, cnx.commit) |
102 #self.assertRaises(Unauthorized, cnx.commit) |
103 # test nothing has actually been inserted |
103 # test nothing has actually been inserted |
104 self.restore_connection() |
104 self.restore_connection() |
105 self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0) |
105 self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0) |
175 rset = cu.execute('Personne P') |
175 rset = cu.execute('Personne P') |
176 self.assertEquals(len(rset), 1) |
176 self.assertEquals(len(rset), 1) |
177 ent = rset.get_entity(0, 0) |
177 ent = rset.get_entity(0, 0) |
178 session.set_pool() # necessary |
178 session.set_pool() # necessary |
179 self.assertRaises(Unauthorized, |
179 self.assertRaises(Unauthorized, |
180 ent.e_schema.check_perm, session, 'update', ent.eid) |
180 ent.e_schema.check_perm, session, 'update', eid=ent.eid) |
181 self.assertRaises(Unauthorized, |
181 self.assertRaises(Unauthorized, |
182 cu.execute, "SET P travaille S WHERE P is Personne, S is Societe") |
182 cu.execute, "SET P travaille S WHERE P is Personne, S is Societe") |
183 # test nothing has actually been inserted: |
183 # test nothing has actually been inserted: |
184 self.assertEquals(cu.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe').rowcount, 0) |
184 self.assertEquals(cu.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe').rowcount, 0) |
185 cu.execute("INSERT Societe X: X nom 'chouette'") |
185 cu.execute("INSERT Societe X: X nom 'chouette'") |
228 self.assertRaises(Unauthorized, cnx.commit) |
228 self.assertRaises(Unauthorized, cnx.commit) |
229 |
229 |
230 # read security test |
230 # read security test |
231 |
231 |
232 def test_read_base(self): |
232 def test_read_base(self): |
233 self.schema['Personne'].set_groups('read', ('users', 'managers')) |
233 self.schema['Personne'].set_action_permissions('read', ('users', 'managers')) |
234 cnx = self.login('anon') |
234 cnx = self.login('anon') |
235 cu = cnx.cursor() |
235 cu = cnx.cursor() |
236 self.assertRaises(Unauthorized, |
236 self.assertRaises(Unauthorized, |
237 cu.execute, 'Personne U where U nom "managers"') |
237 cu.execute, 'Personne U where U nom "managers"') |
238 |
238 |
279 |
279 |
280 def test_read_erqlexpr_has_text2(self): |
280 def test_read_erqlexpr_has_text2(self): |
281 self.execute("INSERT Personne X: X nom 'bidule'") |
281 self.execute("INSERT Personne X: X nom 'bidule'") |
282 self.execute("INSERT Societe X: X nom 'bidule'") |
282 self.execute("INSERT Societe X: X nom 'bidule'") |
283 self.commit() |
283 self.commit() |
284 self.schema['Personne'].set_groups('read', ('managers',)) |
284 self.schema['Personne'].set_action_permissions('read', ('managers',)) |
285 cnx = self.login('iaminusersgrouponly') |
285 cnx = self.login('iaminusersgrouponly') |
286 cu = cnx.cursor() |
286 cu = cnx.cursor() |
287 rset = cu.execute('Any N WHERE N has_text "bidule"') |
287 rset = cu.execute('Any N WHERE N has_text "bidule"') |
288 self.assertEquals(len(rset.rows), 1, rset.rows) |
288 self.assertEquals(len(rset.rows), 1, rset.rows) |
289 rset = cu.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")') |
289 rset = cu.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")') |
291 |
291 |
292 def test_read_erqlexpr_optional_rel(self): |
292 def test_read_erqlexpr_optional_rel(self): |
293 self.execute("INSERT Personne X: X nom 'bidule'") |
293 self.execute("INSERT Personne X: X nom 'bidule'") |
294 self.execute("INSERT Societe X: X nom 'bidule'") |
294 self.execute("INSERT Societe X: X nom 'bidule'") |
295 self.commit() |
295 self.commit() |
296 self.schema['Personne'].set_groups('read', ('managers',)) |
296 self.schema['Personne'].set_action_permissions('read', ('managers',)) |
297 cnx = self.login('anon') |
297 cnx = self.login('anon') |
298 cu = cnx.cursor() |
298 cu = cnx.cursor() |
299 rset = cu.execute('Any N,U WHERE N has_text "bidule", N owned_by U?') |
299 rset = cu.execute('Any N,U WHERE N has_text "bidule", N owned_by U?') |
300 self.assertEquals(len(rset.rows), 1, rset.rows) |
300 self.assertEquals(len(rset.rows), 1, rset.rows) |
301 |
301 |
369 cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}, 'x') |
369 cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}, 'x') |
370 cnx.commit() |
370 cnx.commit() |
371 |
371 |
372 def test_attribute_read_security(self): |
372 def test_attribute_read_security(self): |
373 # anon not allowed to see users'login, but they can see users |
373 # anon not allowed to see users'login, but they can see users |
374 self.repo.schema['CWUser'].set_groups('read', ('guests', 'users', 'managers')) |
374 self.repo.schema['CWUser'].set_action_permissions('read', ('guests', 'users', 'managers')) |
375 self.repo.schema['login'].set_groups('read', ('users', 'managers')) |
375 self.repo.schema['CWUser'].rdef('login').set_action_permissions('read', ('users', 'managers')) |
376 cnx = self.login('anon') |
376 cnx = self.login('anon') |
377 cu = cnx.cursor() |
377 cu = cnx.cursor() |
378 rset = cu.execute('CWUser X') |
378 rset = cu.execute('CWUser X') |
379 self.failUnless(rset) |
379 self.failUnless(rset) |
380 x = rset.get_entity(0, 0) |
380 x = rset.get_entity(0, 0) |
492 cnx = self.login('iaminusersgrouponly') |
492 cnx = self.login('iaminusersgrouponly') |
493 session = self.session |
493 session = self.session |
494 # needed to avoid check_perm error |
494 # needed to avoid check_perm error |
495 session.set_pool() |
495 session.set_pool() |
496 # needed to remove rql expr granting update perm to the user |
496 # needed to remove rql expr granting update perm to the user |
497 self.schema['Affaire'].set_rqlexprs('update', ()) |
497 self.schema['Affaire'].set_action_permissions('update', self.schema['Affaire'].get_groups('update')) |
498 self.assertRaises(Unauthorized, |
498 self.assertRaises(Unauthorized, |
499 self.schema['Affaire'].check_perm, session, 'update', eid) |
499 self.schema['Affaire'].check_perm, session, 'update', eid=eid) |
500 cu = cnx.cursor() |
500 cu = cnx.cursor() |
501 self.schema['Affaire'].set_groups('read', ('users',)) |
501 self.schema['Affaire'].set_action_permissions('read', ('users',)) |
502 try: |
502 try: |
503 aff = cu.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0) |
503 aff = cu.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0) |
504 aff.fire_transition('abort') |
504 aff.fire_transition('abort') |
505 cnx.commit() |
505 cnx.commit() |
506 # though changing a user state (even logged user) is reserved to managers |
506 # though changing a user state (even logged user) is reserved to managers |
508 # XXX wether it should raise Unauthorized or ValidationError is not clear |
508 # XXX wether it should raise Unauthorized or ValidationError is not clear |
509 # the best would probably ValidationError if the transition doesn't exist |
509 # the best would probably ValidationError if the transition doesn't exist |
510 # from the current state but Unauthorized if it exists but user can't pass it |
510 # from the current state but Unauthorized if it exists but user can't pass it |
511 self.assertRaises(ValidationError, user.fire_transition, 'deactivate') |
511 self.assertRaises(ValidationError, user.fire_transition, 'deactivate') |
512 finally: |
512 finally: |
513 self.schema['Affaire'].set_groups('read', ('managers',)) |
513 self.schema['Affaire'].set_action_permissions('read', ('managers',)) |
514 |
514 |
515 def test_trinfo_security(self): |
515 def test_trinfo_security(self): |
516 aff = self.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0) |
516 aff = self.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0) |
517 self.commit() |
517 self.commit() |
518 aff.fire_transition('abort') |
518 aff.fire_transition('abort') |