312 from cubicweb import Binary |
312 from cubicweb import Binary |
313 |
313 |
314 class SecurityTC(CubicWebTC): |
314 class SecurityTC(CubicWebTC): |
315 |
315 |
316 def test_visibility_propagation(self): |
316 def test_visibility_propagation(self): |
317 # create a user for later security checks |
317 |
318 toto = self.create_user('toto') |
318 with self.admin_access.repo_cnx() as cnx: |
319 # init some data using the default manager connection |
319 # create a user for later security checks |
320 req = self.request() |
320 toto = self.create_user(cnx, 'toto') |
321 folder = req.create_entity('Folder', |
321 cnx.commit() |
322 name=u'restricted', |
322 # init some data using the default manager connection |
323 visibility=u'restricted') |
323 folder = cnx.create_entity('Folder', |
324 photo1 = req.create_entity('File', |
324 name=u'restricted', |
325 data_name=u'photo1.jpg', |
325 visibility=u'restricted') |
326 data=Binary('xxx'), |
326 photo1 = cnx.create_entity('File', |
327 filed_under=folder) |
327 data_name=u'photo1.jpg', |
328 self.commit() |
328 data=Binary('xxx'), |
329 photo1.clear_all_caches() # good practice, avoid request cache effects |
329 filed_under=folder) |
330 # visibility propagation |
330 cnx.commit() |
331 self.assertEquals(photo1.visibility, 'restricted') |
331 # visibility propagation |
332 # unless explicitly specified |
332 self.assertEquals(photo1.visibility, 'restricted') |
333 photo2 = req.create_entity('File', |
333 # unless explicitly specified |
334 data_name=u'photo2.jpg', |
334 photo2 = cnx.create_entity('File', |
335 data=Binary('xxx'), |
335 data_name=u'photo2.jpg', |
336 visibility=u'public', |
336 data=Binary('xxx'), |
337 filed_under=folder) |
337 visibility=u'public', |
338 self.commit() |
338 filed_under=folder) |
339 self.assertEquals(photo2.visibility, 'public') |
339 cnx.commit() |
340 # test security |
340 self.assertEquals(photo2.visibility, 'public') |
341 self.login('toto') |
341 |
342 req = self.request() |
342 with self.new_access('toto').repo_cnx() as cnx: |
343 self.assertEquals(len(req.execute('File X')), 1) # only the public one |
343 # test security |
344 self.assertEquals(len(req.execute('Folder X')), 0) # restricted... |
344 self.assertEqual(1, len(cnx.execute('File X'))) # only the public one |
345 # may_be_read_by propagation |
345 self.assertEqual(0, len(cnx.execute('Folder X'))) # restricted... |
346 self.restore_connection() |
346 # may_be_read_by propagation |
347 folder.cw_set(may_be_read_by=toto) |
347 folder = cnx.entity_from_eid(folder.eid) |
348 self.commit() |
348 folder.cw_set(may_be_read_by=toto) |
349 photo1.clear_all_caches() |
349 cnx.commit() |
350 self.failUnless(photo1.may_be_read_by) |
350 photo1 = cnx.entity_from_eid(photo1) |
351 # test security with permissions |
351 self.failUnless(photo1.may_be_read_by) |
352 self.login('toto') |
352 # test security with permissions |
353 req = self.request() |
353 self.assertEquals(2, len(cnx.execute('File X'))) # now toto has access to photo2 |
354 self.assertEquals(len(req.execute('File X')), 2) # now toto has access to photo2 |
354 self.assertEquals(1, len(cnx.execute('Folder X'))) # and to restricted folder |
355 self.assertEquals(len(req.execute('Folder X')), 1) # and to restricted folder |
|
356 |
355 |
357 if __name__ == '__main__': |
356 if __name__ == '__main__': |
358 from logilab.common.testlib import unittest_main |
357 from logilab.common.testlib import unittest_main |
359 unittest_main() |
358 unittest_main() |
360 |
359 |
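Review bot: The `may_be_read_by` grant on the restricted folder (`folder.cw_set(may_be_read_by=toto)` then `cnx.commit()`) now runs inside toto's own connection, whereas the removed code called `self.restore_connection()` to go back to the manager connection before granting. The test has just asserted that toto cannot see the Folder at all, so if that commit succeeds the test is exercising — and blessing — a user granting himself read access to an entity he may not read; if the permission model is correct it should raise Unauthorized instead and the test fails for the wrong reason. The grant and the `photo1.may_be_read_by` propagation check belong in a second `admin_access` block, with a fresh toto connection opened afterwards for the final two counts. Two smaller points on the same lines: `cnx.entity_from_eid(photo1)` passes the entity where the line above passes `folder.eid`, and `toto` is an entity bound to the already-closed admin connection, so `toto.eid` looks safer, though I cannot confirm from here whether `cw_set` accepts a foreign-connection entity. The trailing comment `# now toto has access to photo2` is also stale: photo2 was already public, the newly visible file is photo1.
```python
        with self.new_access('toto').repo_cnx() as cnx:
            # … unchanged: the "only the public one" / "restricted" counts …

        # the grant must come from a manager, not from the user being granted
        with self.admin_access.repo_cnx() as cnx:
            folder = cnx.entity_from_eid(folder.eid)
            folder.cw_set(may_be_read_by=toto.eid)
            cnx.commit()
            photo1 = cnx.entity_from_eid(photo1.eid)
            self.failUnless(photo1.may_be_read_by)

        with self.new_access('toto').repo_cnx() as cnx:
            self.assertEqual(2, len(cnx.execute('File X')))  # now toto also sees photo1
            self.assertEqual(1, len(cnx.execute('Folder X')))  # and the restricted folder
```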