# HG changeset patch # User Julien Cristau # Date 1421943500 -3600 # Node ID 57b68193413c13706ddfd606a59464ecdb7fdebb # Parent a1364ac56bb973c26d0f1bf2849ed69faad5c505# Parent 9b3f8a2a0c19188ae63c59f9b59a04bdc395531c merge 3.18.8 into 3.19 branch diff -r a1364ac56bb9 -r 57b68193413c .hgtags --- a/.hgtags Wed Jan 07 14:56:33 2015 +0100 +++ b/.hgtags Thu Jan 22 17:18:20 2015 +0100 @@ -365,6 +365,9 @@ cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-version-3.18.7 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-debian-version-3.18.7-1 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-centos-version-3.18.7-1 +231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-version-3.18.8 +231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-debian-version-3.18.8-1 +231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-centos-version-3.18.8-1 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-version-3.19.0 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-debian-version-3.19.0-1 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-centos-version-3.19.0-1 diff -r a1364ac56bb9 -r 57b68193413c __pkginfo__.py diff -r a1364ac56bb9 -r 57b68193413c cubicweb.spec diff -r a1364ac56bb9 -r 57b68193413c debian/changelog --- a/debian/changelog Wed Jan 07 14:56:33 2015 +0100 +++ b/debian/changelog Thu Jan 22 17:18:20 2015 +0100 @@ -46,6 +46,12 @@ -- Julien Cristau Mon, 28 Apr 2014 18:35:27 +0200 +cubicweb (3.18.8-1) unstable; urgency=medium + + * new upstream release + + -- Julien Cristau Thu, 22 Jan 2015 16:41:12 +0100 + cubicweb (3.18.7-1) unstable; urgency=low * new upstream release diff -r a1364ac56bb9 -r 57b68193413c hooks/security.py --- a/hooks/security.py Wed Jan 07 14:56:33 2015 +0100 +++ b/hooks/security.py Thu Jan 22 17:18:20 2015 +0100 
@@ -69,6 +69,13 @@ raise Unauthorized(action, str(rdef)) rdef.check_perm(cnx, action, eid=eid) + if action == 'add' and not etypechecked: + # think about cnx.create_entity('Foo') + # the standard metadata were inserted by a hook + # with a bypass ... we conceptually need to check + # the eid attribute at *creation* time + entity.cw_check_perm(action) + class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation): def precommit_event(self): diff -r a1364ac56bb9 -r 57b68193413c server/test/unittest_security.py --- a/server/test/unittest_security.py Wed Jan 07 14:56:33 2015 +0100 +++ b/server/test/unittest_security.py Thu Jan 22 17:18:20 2015 +0100 @@ -116,6 +116,14 @@ self.assertRaises(Unauthorized, cnx.commit) self.assertEqual(cnx.execute('Personne X').rowcount, 1) + def test_insert_security_2(self): + with self.login('anon') as cu: + cu.execute("INSERT Affaire X") + self.assertRaises(Unauthorized, self.commit) + # anon has no read permission on Affaire entities, so + # rowcount == 0 + self.assertEqual(cu.execute('Affaire X').rowcount, 0) + def test_insert_rql_permission(self): # test user can only add une affaire related to a societe he owns with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
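Review bot: in the hooks/security.py hunk, the new block `if action == 'add' and not etypechecked:` relies on `etypechecked` and `entity` being in scope, and neither is introduced in the visible lines; the code comment ("think about cnx.create_entity('Foo') ... with a bypass ...") reads as a reminder-to-self rather than an explanation. Reword it to state the invariant directly, e.g. "when an entity is created through cnx.create_entity, its metadata attributes may be set by a hook that bypasses security, so the entity-type 'add' permission must be enforced here if it was not already checked (etypechecked)". Note also that the call is placed after `rdef.check_perm(cnx, action, eid=eid)`, so the entity-level check only runs once the relation-level check has passed; if that ordering is deliberate, say so in the comment.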
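Review bot: in the server/test/unittest_security.py hunk, `test_insert_security_2` uses `with self.login('anon') as cu:` and `self.assertRaises(Unauthorized, self.commit)`, while the neighbouring `test_insert_rql_permission` in the same context uses `with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:` and the visible line above uses `cnx.commit`; use the same connection API for consistency, i.e. `with self.new_access('anon').repo_cnx() as cnx:` followed by `cnx.execute("INSERT Affaire X")` and `self.assertRaises(Unauthorized, cnx.commit)`. The final `self.assertEqual(cu.execute('Affaire X').rowcount, 0)` is, by the test's own comment, true because anon has no read permission on Affaire, so it does not demonstrate that the rejected insert was rolled back; if that is what the test is meant to prove, check the row count through a connection that can read Affaire entities instead.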