diff -r 49075f57cf2c -r aa09e20dd8c0 server/test/unittest_security.py --- a/server/test/unittest_security.py Tue May 05 17:18:49 2009 +0200 +++ b/server/test/unittest_security.py Thu May 14 12:48:11 2009 +0200 @@ -15,15 +15,15 @@ self.create_user('iaminusersgrouponly') self.readoriggroups = self.schema['Personne'].get_groups('read') self.addoriggroups = self.schema['Personne'].get_groups('add') - + def tearDown(self): RepositoryBasedTC.tearDown(self) self.schema['Personne'].set_groups('read', self.readoriggroups) self.schema['Personne'].set_groups('add', self.addoriggroups) - + class LowLevelSecurityFunctionTC(BaseSecurityTC): - + def test_check_read_access(self): rql = u'Personne U where U nom "managers"' rqlst = self.repo.querier._rqlhelper.parse(rql).children[0] @@ -38,26 +38,26 @@ check_read_access, self.schema, cnx.user(self.current_session()), rqlst, solution) self.assertRaises(Unauthorized, cu.execute, rql) - + def test_upassword_not_selectable(self): self.assertRaises(Unauthorized, - self.execute, 'Any X,P WHERE X is EUser, X upassword P') + self.execute, 'Any X,P WHERE X is CWUser, X upassword P') self.rollback() cnx = self.login('iaminusersgrouponly') cu = cnx.cursor() self.assertRaises(Unauthorized, - cu.execute, 'Any X,P WHERE X is EUser, X upassword P') - - + cu.execute, 'Any X,P WHERE X is CWUser, X upassword P') + + class SecurityTC(BaseSecurityTC): - + def setUp(self): BaseSecurityTC.setUp(self) # implicitly test manager can add some entities self.execute("INSERT Affaire X: X sujet 'cool'") self.execute("INSERT Societe X: X nom 'logilab'") self.execute("INSERT Personne X: X nom 'bidule'") - self.execute('INSERT EGroup X: X name "staff"') + self.execute('INSERT CWGroup X: X name "staff"') self.commit() def test_insert_security(self): @@ -66,7 +66,7 @@ cu.execute("INSERT Personne X: X nom 'bidule'") self.assertRaises(Unauthorized, cnx.commit) self.assertEquals(cu.execute('Personne X').rowcount, 1) - + def test_insert_rql_permission(self): # test user can only add une affaire related to a societe he owns cnx = self.login('iaminusersgrouponly') @@ -82,7 +82,7 @@ cu.execute("INSERT Societe X: X nom 'chouette'") cu.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'") cnx.commit() - + def test_update_security_1(self): cnx = self.login('anon') cu = cnx.cursor() @@ -91,7 +91,7 @@ self.assertRaises(Unauthorized, cnx.commit) self.restore_connection() self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0) - + def test_update_security_2(self): cnx = self.login('anon') cu = cnx.cursor() @@ -109,7 +109,7 @@ cu.execute("INSERT Personne X: X nom 'biduuule'") cu.execute("INSERT Societe X: X nom 'looogilab'") cu.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'") - + def test_update_rql_permission(self): self.execute("SET A concerne S WHERE A is Affaire, S is Societe") self.commit() @@ -121,32 +121,32 @@ cnx.commit() # to actually get Unauthorized exception, try to update an entity we can read cu.execute("SET X nom 'toto' WHERE X is Societe") - self.assertRaises(Unauthorized, cnx.commit) + self.assertRaises(Unauthorized, cnx.commit) cu.execute("INSERT Affaire X: X sujet 'pascool'") cu.execute("INSERT Societe X: X nom 'chouette'") cu.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'") cu.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'") cnx.commit() - + def test_delete_security(self): # FIXME: sample below fails because we don't detect "owner" can't delete # user anyway, and since no user with login == 'bidule' exists, no # exception is raised #user._groups = {'guests':1} #self.assertRaises(Unauthorized, - # self.o.execute, user, "DELETE EUser X WHERE X login 'bidule'") + # self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'") # check local security cnx = self.login('iaminusersgrouponly') cu = cnx.cursor() - self.assertRaises(Unauthorized, cu.execute, "DELETE EGroup Y WHERE Y name 'staff'") - + self.assertRaises(Unauthorized, cu.execute, "DELETE CWGroup Y WHERE Y name 'staff'") + def test_delete_rql_permission(self): self.execute("SET A concerne S WHERE A is Affaire, S is Societe") self.commit() # test user can only dele une affaire related to a societe he owns cnx = self.login('iaminusersgrouponly') cu = cnx.cursor() - # this won't actually do anything since the selection query won't return anything + # this won't actually do anything since the selection query won't return anything cu.execute("DELETE Affaire X") cnx.commit() # to actually get Unauthorized exception, try to delete an entity we can read @@ -227,7 +227,7 @@ self.assertRaises(Unauthorized, cnx.commit) # read security test - + def test_read_base(self): self.schema['Personne'].set_groups('read', ('users', 'managers')) cnx = self.login('anon') @@ -256,7 +256,7 @@ self.assertEquals(rset.rows, [[aff2]]) rset = cu.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2}, 'x') self.assertEquals(rset.rows, []) - + def test_read_erqlexpr_has_text1(self): aff1 = self.execute("INSERT Affaire X: X sujet 'cool'")[0][0] card1 = self.execute("INSERT Card X: X title 'cool'")[0][0] @@ -286,7 +286,7 @@ rset = cu.execute('Any N WHERE N has_text "bidule"') self.assertEquals(len(rset.rows), 1, rset.rows) rset = cu.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")') - self.assertEquals(len(rset.rows), 1, rset.rows) + self.assertEquals(len(rset.rows), 1, rset.rows) def test_read_erqlexpr_optional_rel(self): self.execute("INSERT Personne X: X nom 'bidule'") @@ -304,7 +304,7 @@ cnx = self.login('iaminusersgrouponly') cu = cnx.cursor() rset = cu.execute('Any COUNT(X) WHERE X is Affaire') - self.assertEquals(rset.rows, [[0]]) + self.assertEquals(rset.rows, [[0]]) aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0] soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0] cu.execute("SET A concerne S WHERE A is Affaire, S is Societe") @@ -320,7 +320,7 @@ values = dict(rset) self.assertEquals(values['Affaire'], 1) self.assertEquals(values['Societe'], 2) - + def test_attribute_security(self): # only managers should be able to edit the 'test' attribute of Personne entities @@ -343,7 +343,7 @@ cu.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid}, 'x') cnx.commit() cnx.close() - + def test_attribute_security_rqlexpr(self): # Note.para attribute editable by managers or if the note is in "todo" state eid = self.execute("INSERT Note X: X para 'bidule', X in_state S WHERE S name 'done'")[0][0] @@ -369,11 +369,11 @@ def test_attribute_read_security(self): # anon not allowed to see users'login, but they can see users - self.repo.schema['EUser'].set_groups('read', ('guests', 'users', 'managers')) + self.repo.schema['CWUser'].set_groups('read', ('guests', 'users', 'managers')) self.repo.schema['login'].set_groups('read', ('users', 'managers')) cnx = self.login('anon') cu = cnx.cursor() - rset = cu.execute('EUser X') + rset = cu.execute('CWUser X') self.failUnless(rset) x = rset.get_entity(0, 0) self.assertEquals(x.login, None) @@ -384,10 +384,10 @@ self.failUnless(x.creation_date) cnx.rollback() - + class BaseSchemaSecurityTC(BaseSecurityTC): """tests related to the base schema permission configuration""" - + def test_user_can_delete_object_he_created(self): # even if some other user have changed object'state cnx = self.login('iaminusersgrouponly') @@ -400,7 +400,7 @@ self.execute('SET X in_state S WHERE X ref "ARCT01", S name "ben non"') self.commit() self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')), - 2) + 2) self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",' 'X owned_by U, U login "admin"')), 1) # TrInfo at the above state change @@ -420,25 +420,25 @@ # anonymous user can only read itself rset = cu.execute('Any L WHERE X owned_by U, U login L') self.assertEquals(rset.rows, [['anon']]) - rset = cu.execute('EUser X') + rset = cu.execute('CWUser X') self.assertEquals(rset.rows, [[anon.eid]]) # anonymous user can read groups (necessary to check allowed transitions for instance) - self.assert_(cu.execute('EGroup X')) + self.assert_(cu.execute('CWGroup X')) # should only be able to read the anonymous user, not another one origuser = self.session.user - self.assertRaises(Unauthorized, - cu.execute, 'EUser X WHERE X eid %(x)s', {'x': origuser.eid}, 'x') + self.assertRaises(Unauthorized, + cu.execute, 'CWUser X WHERE X eid %(x)s', {'x': origuser.eid}, 'x') # nothing selected, nothing updated, no exception raised #self.assertRaises(Unauthorized, # cu.execute, 'SET X login "toto" WHERE X eid %(x)s', # {'x': self.user.eid}) - - rset = cu.execute('EUser X WHERE X eid %(x)s', {'x': anon.eid}, 'x') + + rset = cu.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid}, 'x') self.assertEquals(rset.rows, [[anon.eid]]) # but can't modify it cu.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid}) self.assertRaises(Unauthorized, cnx.commit) - + def test_in_group_relation(self): cnx = self.login('iaminusersgrouponly') cu = cnx.cursor() @@ -454,7 +454,7 @@ cu = cnx.cursor() rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne" self.assertRaises(Unauthorized, cu.execute, rql) - + def test_bookmarked_by_guests_security(self): beid1 = self.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0] beid2 = self.execute('INSERT Bookmark B: B path "?vid=index", B title "index", B bookmarked_by U WHERE U login "anon"')[0][0] @@ -475,7 +475,7 @@ self.assertRaises(Unauthorized, cu.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s', {'x': anoneid, 'b': beid1}, 'x') - + def test_ambigous_ordered(self): cnx = self.login('anon') @@ -494,7 +494,7 @@ # needed to avoid check_perm error session.set_pool() # needed to remove rql expr granting update perm to the user - self.schema['Affaire'].set_rqlexprs('update', ()) + self.schema['Affaire'].set_rqlexprs('update', ()) self.assertRaises(Unauthorized, self.schema['Affaire'].check_perm, session, 'update', eid) cu = cnx.cursor() @@ -506,6 +506,6 @@ # the best would probably ValidationError if the transition doesn't exist # from the current state but Unauthorized if it exists but user can't pass it self.assertRaises(ValidationError, cu.execute, rql, {'x': cnx.user(self.current_session()).eid}, 'x') - + if __name__ == '__main__': unittest_main()