506 # XXX wether it should raise Unauthorized or ValidationError is not clear |
506 # XXX wether it should raise Unauthorized or ValidationError is not clear |
507 # the best would probably ValidationError if the transition doesn't exist |
507 # the best would probably ValidationError if the transition doesn't exist |
508 # from the current state but Unauthorized if it exists but user can't pass it |
508 # from the current state but Unauthorized if it exists but user can't pass it |
509 self.assertRaises(ValidationError, cu.execute, rql, {'x': cnx.user(self.current_session()).eid}, 'x') |
509 self.assertRaises(ValidationError, cu.execute, rql, {'x': cnx.user(self.current_session()).eid}, 'x') |
510 |
510 |
|
511 def test_trinfo_security(self): |
|
512 aff = self.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0) |
|
513 self.commit() |
|
514 # can change tr info comment |
|
515 self.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"', |
|
516 {'c': u'creation'}) |
|
517 self.commit() |
|
518 self.assertEquals(aff.latest_trinfo().comment, 'creation') |
|
519 # but not from_state/to_state |
|
520 self.execute('SET X in_state S WHERE X ref "ARCT01", S name "ben non"') |
|
521 self.commit() |
|
522 aff.clear_related_cache('wf_info_for', role='object') |
|
523 trinfo = aff.latest_trinfo() |
|
524 self.assertRaises(Unauthorized, |
|
525 self.execute, 'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"', |
|
526 {'ti': trinfo.eid}, 'ti') |
|
527 self.assertRaises(Unauthorized, |
|
528 self.execute, 'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"', |
|
529 {'ti': trinfo.eid}, 'ti') |
|
530 |
511 if __name__ == '__main__': |
531 if __name__ == '__main__': |
512 unittest_main() |
532 unittest_main() |
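Review bot: The two `assertRaises(Unauthorized, self.execute, ...)` checks at new lines 524-529 of `test_trinfo_security` run back to back in the same transaction, and nothing afterwards confirms that `from_state`/`to_state` kept their values, so the test pins only the exception at execute time and not the stored state. I would add `self.rollback()` after each refused write (assuming the test case offers it alongside `self.commit()`) and then re-read the TrInfo to assert both relations are unchanged. The enclosing class and its setup are outside this view, so which user the session runs as cannot be seen here. A docstring such as `"""TrInfo comment may be edited, but from_state/to_state writes must raise Unauthorized."""`, plus a comment naming that user, would make the permission under test explicit.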