merge 3.18.8 into 3.19 branch
authorJulien Cristau <julien.cristau@logilab.fr>
Thu, 22 Jan 2015 17:18:20 +0100
changeset 10156 57b68193413c
parent 10134 a1364ac56bb9 (current diff)
parent 10155 9b3f8a2a0c19 (diff)
child 10157 ca3c145fd08b
merge 3.18.8 into 3.19 branch
.hgtags
__pkginfo__.py
cubicweb.spec
debian/changelog
hooks/security.py
server/test/unittest_security.py
--- a/.hgtags	Wed Jan 07 14:56:33 2015 +0100
+++ b/.hgtags	Thu Jan 22 17:18:20 2015 +0100
@@ -365,6 +365,9 @@
 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-version-3.18.7
 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-debian-version-3.18.7-1
 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-centos-version-3.18.7-1
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-version-3.18.8
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-debian-version-3.18.8-1
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-centos-version-3.18.8-1
 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-version-3.19.0
 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-debian-version-3.19.0-1
 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-centos-version-3.19.0-1
--- a/debian/changelog	Wed Jan 07 14:56:33 2015 +0100
+++ b/debian/changelog	Thu Jan 22 17:18:20 2015 +0100
@@ -46,6 +46,12 @@
 
  -- Julien Cristau <julien.cristau@logilab.fr>  Mon, 28 Apr 2014 18:35:27 +0200
 
+cubicweb (3.18.8-1) unstable; urgency=medium
+
+  * new upstream release
+
+ -- Julien Cristau <julien.cristau@logilab.fr>  Thu, 22 Jan 2015 16:41:12 +0100
+
 cubicweb (3.18.7-1) unstable; urgency=low
 
   * new upstream release
--- a/hooks/security.py	Wed Jan 07 14:56:33 2015 +0100
+++ b/hooks/security.py	Thu Jan 22 17:18:20 2015 +0100
@@ -69,6 +69,13 @@
                 raise Unauthorized(action, str(rdef))
             rdef.check_perm(cnx, action, eid=eid)
 
+    if action == 'add' and not etypechecked:
+        # think about cnx.create_entity('Foo')
+        # the standard metadata were inserted by a hook
+        # with a bypass ... we conceptually need to check
+        # the eid attribute at *creation* time
+        entity.cw_check_perm(action)
+
 
 class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
     def precommit_event(self):
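Review bot: The comment above the new `entity.cw_check_perm(action)` call describes the case it covers only obliquely ("think about cnx.create_entity('Foo')"), and since this is the line that closes a permission gap it should state the invariant plainly. Suggest replacing the four comment lines with `# 'add' permission on the entity type is enforced at creation time; if the only attributes set so far were the standard metadata inserted by a hook under a security bypass, the loop above never performed that check (etypechecked is False), so do it here (e.g. cnx.create_entity('Foo'))`. Both `entity` and `etypechecked` are bound earlier in the enclosing function, which starts outside the hunk, so the exact condition under which `etypechecked` becomes True cannot be confirmed from this hunk alone. The added branch fails closed — presumably `cw_check_perm` raises `Unauthorized` like the explicit raise at the top of the hunk — which is the right default for a security hook.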
--- a/server/test/unittest_security.py	Wed Jan 07 14:56:33 2015 +0100
+++ b/server/test/unittest_security.py	Thu Jan 22 17:18:20 2015 +0100
@@ -116,6 +116,14 @@
             self.assertRaises(Unauthorized, cnx.commit)
             self.assertEqual(cnx.execute('Personne X').rowcount, 1)
 
+    def test_insert_security_2(self):
+        with self.login('anon') as cu:
+            cu.execute("INSERT Affaire X")
+            self.assertRaises(Unauthorized, self.commit)
+            # anon has no read permission on Affaire entities, so
+            # rowcount == 0
+            self.assertEqual(cu.execute('Affaire X').rowcount, 0)
+
     def test_insert_rql_permission(self):
         # test user can only add une affaire related to a societe he owns
         with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
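Review bot: The final assertion in `test_insert_security_2` cannot distinguish a rolled-back INSERT from one that succeeded but is invisible to anon, because — as the comment itself says — anon has no read permission on Affaire, so `rowcount == 0` holds either way. To actually pin the regression, re-count Affaire entities after the failed commit through a connection that can read them (an admin connection) and assert the count is unchanged, which is the check the preceding test performs with `cnx.execute('Personne X').rowcount`. Separately, the merged test uses the `self.login('anon')` / `self.commit` idiom while the neighbouring tests in this file (e.g. `test_insert_rql_permission` below) use `self.new_access(...).repo_cnx() as cnx` with `cnx.commit`; if the older API is deprecated on the 3.19 branch, porting this test would keep the file consistent. The test method is complete within the hunk.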