diff -r 1d25e928c299 -r 69c0ba095536 test/unittest_entity.py --- a/test/unittest_entity.py Tue Sep 15 15:01:41 2009 +0200 +++ b/test/unittest_entity.py Thu Sep 17 15:16:53 2009 +0200 @@ -9,19 +9,13 @@ from datetime import datetime -from cubicweb import Binary +from cubicweb import Binary, Unauthorized from cubicweb.devtools.testlib import CubicWebTC from cubicweb.common.mttransforms import HAS_TAL +from cubicweb.entities import fetch_config class EntityTC(CubicWebTC): -## def setup_database(self): -## self.add_entity('Personne', nom=u'di mascio', prenom=u'adrien') -## self.add_entity('Task', title=u'fait ca !', description=u'et plus vite', start=now()) -## self.add_entity('Tag', name=u'x') -## self.add_entity('Link', title=u'perdu', url=u'http://www.perdu.com', -## embed=False) - def test_boolean_value(self): e = self.vreg['etypes'].etype_class('CWUser')(self.request()) self.failUnless(e) @@ -179,7 +173,6 @@ Societe.fetch_attrs = sfetch_attrs def test_related_rql(self): - from cubicweb.entities import fetch_config Personne = self.vreg['etypes'].etype_class('Personne') Note = self.vreg['etypes'].etype_class('Note') self.failUnless(issubclass(self.vreg['etypes'].etype_class('SubNote'), Note)) 
@@ -194,7 +187,40 @@ self.assertEquals(p.related_rql('evaluee'), 'Any X,AA ORDERBY Z DESC WHERE X modification_date Z, E eid %(x)s, E evaluee X, X modification_date AA') - def test_entity_unrelated(self): + def test_unrelated_rql_security_1(self): + user = self.request().user + rql = user.unrelated_rql('use_email', 'EmailAddress', 'subject')[0] + self.assertEquals(rql, 'Any O,AA,AB,AC ORDERBY AC DESC ' + 'WHERE NOT S use_email O, S eid %(x)s, O is EmailAddress, O address AA, O alias AB, O modification_date AC') + self.create_user('toto') + self.login('toto') + user = self.request().user + rql = user.unrelated_rql('use_email', 'EmailAddress', 'subject')[0] + self.assertEquals(rql, 'Any O,AA,AB,AC ORDERBY AC DESC ' + 'WHERE NOT S use_email O, S eid %(x)s, O is EmailAddress, O address AA, O alias AB, O modification_date AC') + user = self.execute('Any X WHERE X login "admin"').get_entity(0, 0) + self.assertRaises(Unauthorized, user.unrelated_rql, 'use_email', 'EmailAddress', 'subject') + self.login('anon') + user = self.request().user + self.assertRaises(Unauthorized, user.unrelated_rql, 'use_email', 'EmailAddress', 'subject') + + def test_unrelated_rql_security_2(self): + email = self.execute('INSERT EmailAddress X: X address "hop"').get_entity(0, 0) + rql = email.unrelated_rql('use_email', 'CWUser', 'object')[0] + self.assertEquals(rql, 'Any S,AA,AB,AC,AD ORDERBY AA ASC ' + 'WHERE NOT S use_email O, O eid %(x)s, S is CWUser, S login AA, S firstname AB, S surname AC, S modification_date AD') + #rql = email.unrelated_rql('use_email', 'Person', 'object')[0] + #self.assertEquals(rql, '') + self.login('anon') + email = self.execute('Any X WHERE X eid %(x)s', {'x': email.eid}, 'x').get_entity(0, 0) + rql = email.unrelated_rql('use_email', 'CWUser', 'object')[0] + self.assertEquals(rql, 'Any S,AA,AB,AC,AD ORDERBY AA ' + 'WHERE NOT S use_email O, O eid %(x)s, S is CWUser, S login AA, S firstname AB, S surname AC, S modification_date AD, ' + 'A eid %(B)s, EXISTS(S identity 
A, NOT A in_group C, C name "guests", C is CWGroup)') + #rql = email.unrelated_rql('use_email', 'Person', 'object')[0] + #self.assertEquals(rql, '') + + def test_unrelated_base(self): p = self.add_entity('Personne', nom=u'di mascio', prenom=u'adrien') e = self.add_entity('Tag', name=u'x') related = [r.eid for r in e.tags] 
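Review bot: test_unrelated_rql_security_2 leaves two commented-out placeholder assertions in place twice (`#rql = email.unrelated_rql('use_email', 'Person', 'object')[0]` / `#self.assertEquals(rql, '')`, once after the admin check and again after the anon check); an expected value of `''` cannot be the intended result, so either drop those lines or replace them with a single `# TODO: pin the expected unrelated_rql for 'Person' as object` so the gap is explicit. The expected strings for the same query also differ in sort syntax between the admin and anon runs (`ORDERBY AA ASC ` vs `ORDERBY AA `); if that difference is deliberate, a one-line comment saying why the security-rewritten query is expected without `ASC` would stop the next reader from treating it as a typo. The class EntityTC enclosing these methods starts outside the hunk.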
@@ -206,14 +232,40 @@ unrelated = [r[0] for r in e.unrelated('tags', 'Personne', 'subject')] self.failIf(p.eid in unrelated) - def test_entity_unrelated_limit(self): + def test_unrelated_limit(self): e = self.add_entity('Tag', name=u'x') self.add_entity('Personne', nom=u'di mascio', prenom=u'adrien') - self.add_entity('Personne', nom=u'di mascio', prenom=u'gwen') + self.add_entity('Personne', nom=u'thenault', prenom=u'sylvain') self.assertEquals(len(e.unrelated('tags', 'Personne', 'subject', limit=1)), 1) - def test_new_entity_unrelated(self): + def test_unrelated_security(self): + email = self.execute('INSERT EmailAddress X: X address "hop"').get_entity(0, 0) + rset = email.unrelated('use_email', 'CWUser', 'object') + self.assertEquals([x.login for x in rset.entities()], [u'admin', u'anon']) + user = self.request().user + rset = user.unrelated('use_email', 'EmailAddress', 'subject') + self.assertEquals([x.address for x in rset.entities()], [u'hop']) + self.create_user('toto') + self.login('toto') + email = self.execute('Any X WHERE X eid %(x)s', {'x': email.eid}, 'x').get_entity(0, 0) + rset = email.unrelated('use_email', 'CWUser', 'object') + self.assertEquals([x.login for x in rset.entities()], ['toto']) + user = self.request().user + rset = user.unrelated('use_email', 'EmailAddress', 'subject') + self.assertEquals([x.address for x in rset.entities()], ['hop']) + user = self.execute('Any X WHERE X login "admin"').get_entity(0, 0) + rset = user.unrelated('use_email', 'EmailAddress', 'subject') + self.assertEquals([x.address for x in rset.entities()], []) + self.login('anon') + email = self.execute('Any X WHERE X eid %(x)s', {'x': email.eid}, 'x').get_entity(0, 0) + rset = email.unrelated('use_email', 'CWUser', 'object') + self.assertEquals([x.login for x in rset.entities()], []) + user = self.request().user + rset = user.unrelated('use_email', 'EmailAddress', 'subject') + self.assertEquals([x.address for x in rset.entities()], []) + + def 
test_unrelated_new_entity(self): e = self.vreg['etypes'].etype_class('CWUser')(self.request()) unrelated = [r[0] for r in e.unrelated('in_group', 'CWGroup', 'subject')] # should be default groups but owners, i.e. managers, users, guests