--- a/.hgtags Thu Jan 22 17:32:49 2015 +0100
+++ b/.hgtags Thu Jan 22 17:45:06 2015 +0100
@@ -365,6 +365,9 @@
cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-version-3.18.7
cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-debian-version-3.18.7-1
cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-centos-version-3.18.7-1
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-version-3.18.8
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-debian-version-3.18.8-1
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-centos-version-3.18.8-1
1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-version-3.19.0
1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-debian-version-3.19.0-1
1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-centos-version-3.19.0-1
@@ -389,6 +392,9 @@
ac4f5f615597575bec32f8f591260e5a91e53855 cubicweb-version-3.19.7
ac4f5f615597575bec32f8f591260e5a91e53855 cubicweb-debian-version-3.19.7-1
ac4f5f615597575bec32f8f591260e5a91e53855 cubicweb-centos-version-3.19.7-1
+efc8645ece4300958e3628db81464fef12d5f6e8 cubicweb-version-3.19.8
+efc8645ece4300958e3628db81464fef12d5f6e8 cubicweb-debian-version-3.19.8-1
+efc8645ece4300958e3628db81464fef12d5f6e8 cubicweb-centos-version-3.19.8-1
7e6b7739afe6128589ad51b0318decb767cbae36 cubicweb-version-3.20.0
7e6b7739afe6128589ad51b0318decb767cbae36 cubicweb-debian-version-3.20.0-1
7e6b7739afe6128589ad51b0318decb767cbae36 cubicweb-centos-version-3.20.0-1
--- a/debian/changelog Thu Jan 22 17:32:49 2015 +0100
+++ b/debian/changelog Thu Jan 22 17:45:06 2015 +0100
@@ -16,6 +16,12 @@
-- Julien Cristau <julien.cristau@logilab.fr> Tue, 06 Jan 2015 18:11:03 +0100
+cubicweb (3.19.8-1) unstable; urgency=medium
+
+ * new upstream release
+
+ -- Julien Cristau <julien.cristau@logilab.fr> Thu, 22 Jan 2015 17:18:34 +0100
+
cubicweb (3.19.7-1) unstable; urgency=low
* new upstream release
@@ -64,6 +70,12 @@
-- Julien Cristau <julien.cristau@logilab.fr> Mon, 28 Apr 2014 18:35:27 +0200
+cubicweb (3.18.8-1) unstable; urgency=medium
+
+ * new upstream release
+
+ -- Julien Cristau <julien.cristau@logilab.fr> Thu, 22 Jan 2015 16:41:12 +0100
+
cubicweb (3.18.7-1) unstable; urgency=low
* new upstream release
--- a/hooks/security.py Thu Jan 22 17:32:49 2015 +0100
+++ b/hooks/security.py Thu Jan 22 17:45:06 2015 +0100
@@ -69,6 +69,13 @@
raise Unauthorized(action, str(rdef))
rdef.check_perm(cnx, action, eid=eid)
+ if action == 'add' and not etypechecked:
+ # think about cnx.create_entity('Foo')
+ # the standard metadata were inserted by a hook
+ # with a bypass ... we conceptually need to check
+ # the eid attribute at *creation* time
+ entity.cw_check_perm(action)
+
class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
def precommit_event(self):
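Review bot: The new `add` re-check is gated on `not etypechecked`, and both `etypechecked` and `entity` are bound in the enclosing function, which starts outside this hunk, so the comment should say what that flag means instead of "think about cnx.create_entity('Foo')". Suggested replacement for the four comment lines: `# Entities created via cnx.create_entity() get their metadata relations inserted by a hook with security bypassed, so presumably only the relation check above has run for them; re-run the entity-level 'add' check here so creation is never authorized solely through a relation permission.` It would also help to state whether `entity.cw_check_perm(action)` raises `Unauthorized` like the relation check above does, since that is what the accompanying test relies on; I cannot confirm it from this hunk. For actions other than `'add'`, or when `etypechecked` is already set, behaviour is unchanged.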
--- a/server/test/unittest_security.py Thu Jan 22 17:32:49 2015 +0100
+++ b/server/test/unittest_security.py Thu Jan 22 17:45:06 2015 +0100
@@ -131,6 +131,14 @@
self.assertRaises(Unauthorized, cnx.commit)
self.assertEqual(cnx.execute('Personne X').rowcount, 1)
+ def test_insert_security_2(self):
+ with self.new_access('anon').repo_cnx() as cnx:
+ cnx.execute("INSERT Affaire X")
+ self.assertRaises(Unauthorized, cnx.commit)
+ # anon has no read permission on Affaire entities, so
+ # rowcount == 0
+ self.assertEqual(cnx.execute('Affaire X').rowcount, 0)
+
def test_insert_rql_permission(self):
# test user can only add une affaire related to a societe he owns
with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
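Review bot: The final `rowcount == 0` assertion in `test_insert_security_2` does not by itself prove the INSERT was rejected: once `cnx.commit` raised `Unauthorized` the transaction is presumably rolled back, yet the comment attributes the empty result to anon lacking read permission, so the test would pass even if an `Affaire` had been committed and anon simply cannot see it. Querying through a privileged connection instead, e.g. `self.assertEqual(admin_cnx.execute('Affaire X').rowcount, 0)` from an admin access the test class exposes (the sibling test uses `self.new_access('iaminusersgrouponly')`, so a comparable admin access is likely available, but I cannot see it here), would pin the intended behaviour. The comment should then name the single effect it relies on rather than mixing rollback and read permission. The hunk's last line is the start of `test_insert_rql_permission`, whose body continues outside the hunk.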