--- a/server/test/unittest_security.py Thu Aug 20 17:33:05 2009 +0200
+++ b/server/test/unittest_security.py Thu Aug 20 17:44:27 2009 +0200
@@ -265,7 +265,7 @@
self.commit()
cnx = self.login('iaminusersgrouponly')
cu = cnx.cursor()
- aff2 = cu.execute("INSERT Affaire X: X sujet 'cool', X in_state S WHERE S name 'pitetre'")[0][0]
+ aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0]
cu.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1},
('a', 's'))
@@ -347,25 +347,26 @@
def test_attribute_security_rqlexpr(self):
# Note.para attribute editable by managers or if the note is in "todo" state
- eid = self.execute("INSERT Note X: X para 'bidule', X in_state S WHERE S name 'done'")[0][0]
+ note = self.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
self.commit()
- self.execute('SET X para "truc" WHERE X eid %(x)s', {'x': eid}, 'x')
+ note.fire_transition('markasdone')
+ self.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid}, 'x')
self.commit()
cnx = self.login('iaminusersgrouponly')
cu = cnx.cursor()
- cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': eid}, 'x')
+ cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid}, 'x')
self.assertRaises(Unauthorized, cnx.commit)
- eid2 = cu.execute("INSERT Note X: X para 'bidule'")[0][0]
+ note2 = cu.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
cnx.commit()
- cu.execute("SET X in_state S WHERE X eid %(x)s, S name 'done'", {'x': eid2}, 'x')
+ note2.fire_transition('markasdone')
cnx.commit()
- self.assertEquals(len(cu.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s', {'x': eid2}, 'x')),
+ self.assertEquals(len(cu.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s', {'x': note2.eid}, 'x')),
0)
- cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': eid2}, 'x')
+ cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}, 'x')
self.assertRaises(Unauthorized, cnx.commit)
- cu.execute("SET X in_state S WHERE X eid %(x)s, S name 'todo'", {'x': eid2}, 'x')
+ note2.fire_transition('redoit')
cnx.commit()
- cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': eid2}, 'x')
+ cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}, 'x')
cnx.commit()
def test_attribute_read_security(self):
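Review bot: After the two `SET X in_state S ...` statements became `note2.fire_transition('markasdone')` and `note2.fire_transition('redoit')`, this test no longer has 'iaminusersgrouponly' attempt a direct write to `in_state`. If direct state writes are now meant to be refused (not visible in this hunk), a regression that lets a non-manager skip the workflow through plain RQL would pass unnoticed here. A negative check would pin that, for example `self.assertRaises((Unauthorized, ValidationError), cu.execute, "SET X in_state S WHERE X eid %(x)s, S name 'todo'", {'x': note2.eid}, 'x')`. Which exception is raised, and whether it fires at execute or at commit, needs confirming against the hooks. The kept assertion on `S name "todo"` only shows the note left "todo", so asserting the state reached after `markasdone` would make the precondition for the following `Unauthorized` check explicit.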
@@ -398,16 +399,14 @@
cu.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
cnx.commit()
self.restore_connection()
- self.execute('SET X in_state S WHERE X ref "ARCT01", S name "ben non"')
+ affaire = self.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
+ affaire.fire_transition('abort')
self.commit()
self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')),
- 2)
+ 1)
self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
'X owned_by U, U login "admin"')),
1) # TrInfo at the above state change
- self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
- 'X owned_by U, U login "iaminusersgrouponly"')),
- 1) # TrInfo created at creation time
cnx = self.login('iaminusersgrouponly')
cu = cnx.cursor()
cu.execute('DELETE Affaire X WHERE X ref "ARCT01"')
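Review bot: The expected TrInfo count drops from `2` to `1` with no explanation on the new side; the only remaining comment, `# TrInfo at the above state change`, sits on the second assertion. The removed assertion suggests that no TrInfo owned by 'iaminusersgrouponly' is recorded at creation time any more. A comment on the first assertion, such as `# only the 'abort' transition records a TrInfo, none is created with the entity`, would keep that reason next to the number. With both counts at 1, the `owned_by U, U login "admin"` assertion is the one that verifies ownership, so it should stay even though it looks redundant. The enclosing test starts and ends outside the hunk.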
@@ -499,29 +498,34 @@
self.assertRaises(Unauthorized,
self.schema['Affaire'].check_perm, session, 'update', eid)
cu = cnx.cursor()
- cu.execute('SET X in_state S WHERE X ref "ARCT01", S name "ben non"')
- cnx.commit()
- # though changing a user state (even logged user) is reserved to managers
- rql = u"SET X in_state S WHERE X eid %(x)s, S name 'deactivated'"
- # XXX wether it should raise Unauthorized or ValidationError is not clear
- # the best would probably ValidationError if the transition doesn't exist
- # from the current state but Unauthorized if it exists but user can't pass it
- self.assertRaises(ValidationError, cu.execute, rql, {'x': cnx.user(self.current_session()).eid}, 'x')
+ self.schema['Affaire'].set_groups('read', ('users',))
+ try:
+ aff = cu.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
+ aff.fire_transition('abort')
+ cnx.commit()
+ # though changing a user state (even logged user) is reserved to managers
+ user = cnx.user(self.current_session())
+ # XXX wether it should raise Unauthorized or ValidationError is not clear
+ # the best would probably ValidationError if the transition doesn't exist
+ # from the current state but Unauthorized if it exists but user can't pass it
+ self.assertRaises(ValidationError, user.fire_transition, 'deactivate')
+ finally:
+ self.schema['Affaire'].set_groups('read', ('managers',))
def test_trinfo_security(self):
aff = self.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
self.commit()
+ aff.fire_transition('abort')
+ self.commit()
# can change tr info comment
self.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"',
- {'c': u'creation'})
+ {'c': u'bouh!'})
self.commit()
aff.clear_related_cache('wf_info_for', 'object')
- self.assertEquals(aff.latest_trinfo().comment, 'creation')
+ trinfo = aff.latest_trinfo()
+ self.assertEquals(trinfo.comment, 'bouh!')
# but not from_state/to_state
- self.execute('SET X in_state S WHERE X ref "ARCT01", S name "ben non"')
- self.commit()
aff.clear_related_cache('wf_info_for', role='object')
- trinfo = aff.latest_trinfo()
self.assertRaises(Unauthorized,
self.execute, 'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"',
{'ti': trinfo.eid}, 'ti')
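Review bot: The `finally:` clause resets the Affaire read permission to a hard-coded `('managers',)` instead of the value in place before `set_groups('read', ('users',))` ran. If the schema's original read groups differ, later tests in this security suite run against altered permissions and can pass or fail for the wrong reason. Capturing the value first avoids that assumption: `orig = self.schema['Affaire'].get_groups('read')` before the `try:` and `self.schema['Affaire'].set_groups('read', orig)` in the `finally:`, provided the schema object exposes the matching getter. A one-line comment on why read access is widened for 'iaminusersgrouponly' would also help; presumably it is so the entity can be fetched for `aff.fire_transition('abort')`. The test containing the `try:` block starts outside the hunk.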