# HG changeset patch
# User Julien Cristau
# Date 1421945106 -3600
# Node ID 138464fc1c3397979b729cca3a30bc4481fd1e2d
# Parent b733789cc3392abdce761c574375739b66addfab
# Parent 5cc8fdba56d5a86fe8b4fa608f89c553ef708e4f
merge 3.19.8 into 3.20 branch
diff -r b733789cc339 -r 138464fc1c33 .hgtags
--- a/.hgtags Thu Jan 22 17:32:49 2015 +0100
+++ b/.hgtags Thu Jan 22 17:45:06 2015 +0100
@@ -365,6 +365,9 @@
 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-version-3.18.7
 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-debian-version-3.18.7-1
 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-centos-version-3.18.7-1
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-version-3.18.8
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-debian-version-3.18.8-1
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-centos-version-3.18.8-1
 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-version-3.19.0
 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-debian-version-3.19.0-1
 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-centos-version-3.19.0-1
@@ -389,6 +392,9 @@
 ac4f5f615597575bec32f8f591260e5a91e53855 cubicweb-version-3.19.7
 ac4f5f615597575bec32f8f591260e5a91e53855 cubicweb-debian-version-3.19.7-1
 ac4f5f615597575bec32f8f591260e5a91e53855 cubicweb-centos-version-3.19.7-1
+efc8645ece4300958e3628db81464fef12d5f6e8 cubicweb-version-3.19.8
+efc8645ece4300958e3628db81464fef12d5f6e8 cubicweb-debian-version-3.19.8-1
+efc8645ece4300958e3628db81464fef12d5f6e8 cubicweb-centos-version-3.19.8-1
 7e6b7739afe6128589ad51b0318decb767cbae36 cubicweb-version-3.20.0
 7e6b7739afe6128589ad51b0318decb767cbae36 cubicweb-debian-version-3.20.0-1
 7e6b7739afe6128589ad51b0318decb767cbae36 cubicweb-centos-version-3.20.0-1
diff -r b733789cc339 -r 138464fc1c33 __pkginfo__.py
diff -r b733789cc339 -r 138464fc1c33 cubicweb.spec
diff -r b733789cc339 -r 138464fc1c33 debian/changelog
--- a/debian/changelog Thu Jan 22 17:32:49 2015 +0100
+++ b/debian/changelog Thu Jan 22 17:45:06 2015 +0100
@@ -16,6 +16,12 @@
 -- Julien Cristau Tue, 06 Jan 2015 18:11:03 +0100
+cubicweb (3.19.8-1) unstable; urgency=medium
+
+ * new upstream release
+
+ -- Julien Cristau Thu, 22 Jan 2015 17:18:34 +0100
+
 cubicweb (3.19.7-1) unstable; urgency=low
 * new upstream release
@@ -64,6 +70,12 @@
 -- Julien Cristau Mon, 28 Apr 2014 18:35:27 +0200
+cubicweb (3.18.8-1) unstable; urgency=medium
+
+ * new upstream release
+
+ -- Julien Cristau Thu, 22 Jan 2015 16:41:12 +0100
+
 cubicweb (3.18.7-1) unstable; urgency=low
 * new upstream release
diff -r b733789cc339 -r 138464fc1c33 hooks/security.py
--- a/hooks/security.py Thu Jan 22 17:32:49 2015 +0100
+++ b/hooks/security.py Thu Jan 22 17:45:06 2015 +0100
@@ -69,6 +69,13 @@
 raise Unauthorized(action, str(rdef))
 rdef.check_perm(cnx, action, eid=eid)
+ if action == 'add' and not etypechecked:
+ # think about cnx.create_entity('Foo')
+ # the standard metadata were inserted by a hook
+ # with a bypass ... we conceptually need to check
+ # the eid attribute at *creation* time
+ entity.cw_check_perm(action)
+
 class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
 def precommit_event(self):
diff -r b733789cc339 -r 138464fc1c33 server/test/unittest_security.py
--- a/server/test/unittest_security.py Thu Jan 22 17:32:49 2015 +0100
+++ b/server/test/unittest_security.py Thu Jan 22 17:45:06 2015 +0100
@@ -131,6 +131,14 @@
 self.assertRaises(Unauthorized, cnx.commit)
 self.assertEqual(cnx.execute('Personne X').rowcount, 1)
+ def test_insert_security_2(self):
+ with self.new_access('anon').repo_cnx() as cnx:
+ cnx.execute("INSERT Affaire X")
+ self.assertRaises(Unauthorized, cnx.commit)
+ # anon has no read permission on Affaire entities, so
+ # rowcount == 0
+ self.assertEqual(cnx.execute('Affaire X').rowcount, 0)
+
 def test_insert_rql_permission(self):
 # test user can only add une affaire related to a societe he owns
 with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
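Review bot: The comment above the new `entity.cw_check_perm(action)` call in hooks/security.py does not say which authorization gap the guard closes, and "the eid attribute" is hard to follow for anyone who has not read the hook that inserts the metadata. From the visible lines, the guard appears to cover the case where nothing earlier set `etypechecked`, so an entity created with no user-supplied attributes would never have its entity-level `add` permission evaluated. I would state that invariant directly, e.g. `# no edited attribute triggered the entity-level check (e.g. cnx.create_entity('Foo') with only hook-set metadata): still enforce the 'add' permission on the entity type`. The enclosing function and the code that initialises and sets `etypechecked` are outside the hunk, so it is worth confirming the flag is bound on every path that reaches this line.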
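Review bot: The final assertion in `test_insert_security_2` cannot fail for the reason the test cares about: as its own comment says, anon has no read permission on Affaire, so `rowcount == 0` would hold even if the unauthorized insert had been persisted. Only the `assertRaises(Unauthorized, cnx.commit)` line actually exercises the fix. To show that nothing was written, re-count through a connection that can read Affaire, for example (assuming the test case exposes `admin_access`, which is not visible in this hunk) `with self.admin_access.repo_cnx() as cnx: self.assertEqual(cnx.execute('Affaire X').rowcount, 0)`. If the fixtures already create Affaire entities, compare against the count taken before the insert instead.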