Backport some more security test from saem

7d64b85e · Sylvain Thénault · 0a8f060a5ce6 · 38c8d9a1
Commit 7d64b85e authored Oct 18, 2016 by Sylvain Thénault
--- a/test/test_schema.py
+++ b/test/test_schema.py
@@ -181,13 +181,14 @@ class SecurityTC(CubicWebTC):
            cnx.commit()
        cnx.rollback()

-    def test_base(self):
+    def test_profile(self):
        with self.admin_access.repo_cnx() as cnx:
            self.create_user(cnx, login='alice')
            self.create_user(cnx, login='bob')
            cnx.commit()
        with self.new_access('alice').repo_cnx() as cnx:
            transfer = cnx.create_entity('SEDAArchiveTransfer', title=u'Alice Profile')
+            create_archive_unit(transfer)
            cnx.create_entity('Agent', name=u'Archival inc.',
                              reverse_seda_archival_agency=transfer)
            cnx.create_entity('SEDAComment', comment=u'Whooot.',
@@ -217,6 +218,52 @@ class SecurityTC(CubicWebTC):
            with self.assertUnauthorized(cnx):
                scheme = cnx.create_entity('ConceptScheme', title=u'Some nasty vocabulary')
                mtclv.cw_set(seda_mime_type_code_list_version_to=scheme)
+            # deletion of a contained entity
+            with self.assertUnauthorized(cnx):
+                comment.cw_delete()
+            # deletion of a outer relation
+            with self.assertUnauthorized(cnx):
+                transfer.reverse_seda_mime_type_code_list_version_from[0].cw_set(
+                    seda_mime_type_code_list_version_to=None)
+            # deletion of an archive unit
+            with self.assertUnauthorized(cnx):
+                transfer.archive_units[0].cw_delete()
+            # deletion of the container
+            with self.assertUnauthorized(cnx):
+                transfer.cw_delete()
+
+    def test_archive_unit(self):
+        with self.admin_access.repo_cnx() as cnx:
+            unit, unit_alt, unit_alt_seq = create_archive_unit(None, cnx=cnx)
+            content = cnx.create_entity('SEDAContent', seda_content=unit_alt_seq)
+            title = cnx.create_entity('SEDATitle', seda_title=content)
+            cnx.commit()
+
+            # unit has no parent, modifications are allowed.
+            unit.cw_set(user_annotation=u'argh')
+            title.cw_set(title=u'gloup')
+            cnx.commit()
+
+        with self.new_access('anon').client_cnx() as cnx:
+            title = cnx.entity_from_eid(title.eid)
+            unit = cnx.entity_from_eid(unit.eid)
+            with self.assertUnauthorized(cnx):
+                title.cw_set(title=u'zorglub')
+            with self.assertUnauthorized(cnx):
+                unit.cw_set(user_annotation=u'zorglub')
+            with self.assertUnauthorized(cnx):
+                cnx.create_entity(
+                    'SEDATitle', seda_title=cnx.create_entity(
+                        'SEDAContent', seda_content=unit_alt_seq))
+            with self.assertUnauthorized(cnx):
+                title.cw_delete()
+            with self.assertUnauthorized(cnx):
+                unit.cw_delete()
+        with self.admin_access.repo_cnx() as cnx:
+            unit = cnx.entity_from_eid(unit.eid)
+            unit.cw_delete()
+            cnx.commit()
+

 if __name__ == '__main__':
    import unittest