[hooks/security] provide attribute "add" permission
As of today, the update permission on attributes is checked at entity
*creation* time. This forbids using update permissions the proper way.
We set it to be checked at entity update time only.
We introduce a specific 'add' permission rule for attributes.
For backward compatibility, its default value will be the same as the
current 'update' permission.
Notes:
* needs a new yams version (ticket #149216)
* introduces two new 'add_permissions' rdefs (attribute - group|rqlexpr)
* if the update permission was () and the bw compat kicks in, the rule
is not enforced, to avoid un-creatable entity types -- this
restriction will be lifted when the bw compat is gone
* small internal refactoring on check_entity_attributes
* one small pre 3.6.1 bw compat snippet must be removed from schemaserial
Closes #2965518.
# copyright 2003-2012 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
#
# This file is part of CubicWeb.
#
# CubicWeb is free software: you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation, either version 2.1 of the License, or (at your option)
# any later version.
#
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public License along
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
from cubicweb.devtools.testlib import CubicWebTC
from cubicweb.server.session import HOOKS_ALLOW_ALL, HOOKS_DENY_ALL
class InternalSessionTC(CubicWebTC):
def test_dbapi_query(self):
session = self.repo.internal_session()
self.assertFalse(session.running_dbapi_query)
session.close()
def test_integrity_hooks(self):
with self.repo.internal_session() as session:
self.assertEqual(HOOKS_ALLOW_ALL, session.hooks_mode)
self.assertEqual(set(('integrity',)), session.disabled_hook_categories)
self.assertEqual(set(), session.enabled_hook_categories)
session.commit()
self.assertEqual(HOOKS_ALLOW_ALL, session.hooks_mode)
self.assertEqual(set(('integrity',)), session.disabled_hook_categories)
self.assertEqual(set(), session.enabled_hook_categories)
class SessionTC(CubicWebTC):
def test_hooks_control(self):
session = self.session
self.assertEqual(HOOKS_ALLOW_ALL, session.hooks_mode)
self.assertEqual(set(), session.disabled_hook_categories)
self.assertEqual(set(), session.enabled_hook_categories)
self.assertEqual(1, len(session._txs))
with session.deny_all_hooks_but('metadata'):
self.assertEqual(HOOKS_DENY_ALL, session.hooks_mode)
self.assertEqual(set(), session.disabled_hook_categories)
self.assertEqual(set(('metadata',)), session.enabled_hook_categories)
session.commit()
self.assertEqual(HOOKS_DENY_ALL, session.hooks_mode)
self.assertEqual(set(), session.disabled_hook_categories)
self.assertEqual(set(('metadata',)), session.enabled_hook_categories)
session.rollback()
self.assertEqual(HOOKS_DENY_ALL, session.hooks_mode)
self.assertEqual(set(), session.disabled_hook_categories)
self.assertEqual(set(('metadata',)), session.enabled_hook_categories)
with session.allow_all_hooks_but('integrity'):
self.assertEqual(HOOKS_ALLOW_ALL, session.hooks_mode)
self.assertEqual(set(('integrity',)), session.disabled_hook_categories)
self.assertEqual(set(('metadata',)), session.enabled_hook_categories) # not changed in such case
self.assertEqual(HOOKS_DENY_ALL, session.hooks_mode)
self.assertEqual(set(), session.disabled_hook_categories)
self.assertEqual(set(('metadata',)), session.enabled_hook_categories)
# leaving context manager with no transaction running should reset the
# transaction local storage (and associated cnxset)
self.assertEqual({}, session._txs)
self.assertEqual(None, session.cnxset)
self.assertEqual(HOOKS_ALLOW_ALL, session.hooks_mode, session.HOOKS_ALLOW_ALL)
self.assertEqual(set(), session.disabled_hook_categories)
self.assertEqual(set(), session.enabled_hook_categories)
if __name__ == '__main__':
from logilab.common.testlib import unittest_main
unittest_main()