# HG changeset patch
# User Julien Cristau
# Date 1421852313 -3600
# Node ID 85cbf16fbb578821c4206fce6380adf759b552a2
# Parent 68a95d4fb77fbc1dd9f4ec2be5d304526d6fbcd1
[security] Test case and fix for an INSERT security hole
7099bbd685aa introduced a untested corner case in which an Entity with no attribute specified could be created whatever the permissions. Report and test case by Christophe de Vienne, fix by Aurelien Campeas. Thanks!
Closes #4854359
diff -r 68a95d4fb77f -r 85cbf16fbb57 hooks/security.py
--- a/hooks/security.py Wed Nov 26 17:39:59 2014 +0100
+++ b/hooks/security.py Wed Jan 21 15:58:33 2015 +0100
@@ -68,6 +68,12 @@
 # going through check_perm.
 raise Unauthorized(action, str(rdef))
 rdef.check_perm(session, action, eid=eid)
+ if action == 'add' and not etypechecked:
+ # think about cnx.create_entity('Foo')
+ # the standard metadata were inserted by a hook
+ # with a bypass ... we conceptually need to check
+ # the eid attribute at *creation* time
+ entity.cw_check_perm(action)
 
 
 class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
diff -r 68a95d4fb77f -r 85cbf16fbb57 server/test/unittest_security.py
--- a/server/test/unittest_security.py Wed Nov 26 17:39:59 2014 +0100
+++ b/server/test/unittest_security.py Wed Jan 21 15:58:33 2015 +0100
@@ -112,6 +112,14 @@
 self.assertRaises(Unauthorized, self.commit)
 self.assertEqual(cu.execute('Personne X').rowcount, 1)
 
+ def test_insert_security_2(self):
+ with self.login('anon') as cu:
+ cu.execute("INSERT Affaire X")
+ self.assertRaises(Unauthorized, self.commit)
+ # anon has no read permission on Affaire entities, so
+ # rowcount == 0
+ self.assertEqual(cu.execute('Affaire X').rowcount, 0)
+
 def test_insert_rql_permission(self):
 # test user can only add une affaire related to a societe he owns
 with self.login('iaminusersgrouponly') as cu:
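Review bot: The new fall-through after `rdef.check_perm(session, action, eid=eid)` is limited to `action == 'add'`, and its comment does not say why an update whose edited attributes were all skipped needs no entity-level check. If that exemption is deliberate (attributes written by hooks under a security bypass), the comment should say so, because the next reader will otherwise see an asymmetric permission path. The comment also speaks of "the eid attribute" while the call checks the entity type's add permission; I would state the invariant instead, e.g. `# every 'add' must pass the entity-level permission check at least once, even when no attribute was checked above`. The enclosing function starts outside the hunk and indentation is lost on this page, so I am assuming the block sits after the attribute loop and that `etypechecked` is only set where an attribute delegates to the entity rule.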
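Review bot: The last assertion in `test_insert_security_2` cannot fail for the reason the test exists. As its own comment says, anon has no read permission on Affaire, so `cu.execute('Affaire X').rowcount` is 0 whether or not the unauthorized INSERT was persisted. The `self.assertRaises(Unauthorized, self.commit)` line is what actually pins the fix; to also prove nothing was written, compare the Affaire count before and after the failed commit from a session that is allowed to read Affaire. A name that states the corner case, such as `test_insert_without_attributes`, would serve the next reader better than the `_2` suffix.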