--- a/server/test/unittest_security.py Wed Nov 26 17:39:59 2014 +0100
+++ b/server/test/unittest_security.py Wed Jan 21 15:58:33 2015 +0100
@@ -112,6 +112,14 @@
self.assertRaises(Unauthorized, self.commit)
self.assertEqual(cu.execute('Personne X').rowcount, 1)
+ def test_insert_security_2(self):
+ with self.login('anon') as cu:
+ cu.execute("INSERT Affaire X")
+ self.assertRaises(Unauthorized, self.commit)
+ # anon has no read permission on Affaire entities, so
+ # rowcount == 0
+ self.assertEqual(cu.execute('Affaire X').rowcount, 0)
+
def test_insert_rql_permission(self):
# test user can only add une affaire related to a societe he owns
with self.login('iaminusersgrouponly') as cu: