[schema] Remove managers group from update/delete permissions

of entity and relation types in the compound tree. This ensure that permissions
of the whole tree depends on permission of the root (SEDAArchiveTransfer or
SEDAArchiveUnit), with no special cases for users in the managers group.

Related to extranet #19216837

cubicweb_seda/schema/__init__.py

@@ -183,13 +183,12 @@ def post_build_callback(schema):
         # container entity
         for action in ('update', 'delete'):
             eschema.set_action_permissions(
-                action, ('managers', ERQLExpression('U has_{action}_permission C, '
-                                                    'X container C'.format(action=action)))
+                action, (ERQLExpression('U has_{action}_permission C, '
+                                        'X container C'.format(action=action)),)
             )
     for action in ('update', 'delete'):
         schema['SEDAArchiveUnit'].set_action_permissions(
-            action, ('managers',
-                     ERQLExpression('U has_{action}_permission C, '
+            action, (ERQLExpression('U has_{action}_permission C, '
                                     'X container C'.format(action=action)),
                      ERQLExpression('NOT EXISTS(X container C), U in_group G, '
                                     'G name IN ("managers", "users")')))
@@ -211,6 +210,6 @@ def post_build_callback(schema):
                 rrql_exprs.append('U has_update_permission {0}'.format(var))
             else:
                 rrql_exprs.append('U has_update_permission C, {0} container C'.format(var))
-        permissions = ['managers'] + [RRQLExpression(expr) for expr in rrql_exprs]
+        permissions = [RRQLExpression(expr) for expr in rrql_exprs]
         for action in ('add', 'delete'):
             rdef.set_action_permissions(action, permissions)

test/test_schema.py

@@ -322,6 +322,32 @@ class SecurityTC(CubicWebTC):
             with self.assertUnauthorized(cnx):
                 transfer.cw_delete()
 
+        with self.admin_access.cnx() as cnx:
+            transfer = cnx.entity_from_eid(transfer.eid)
+            # ensure every subobjects permissions depends on top-level
+            # permissions (don't even include managers group)
+            with self.temporary_permissions((self.schema['SEDAArchiveTransfer'],
+                                             {'update': (),
+                                              'delete': ()})):
+                # modification of a contained entity
+                comment = transfer.reverse_seda_comment[0]
+                with self.assertUnauthorized(cnx):
+                    comment.cw_set(comment=u'You got hacked')
+                with self.assertUnauthorized(cnx):
+                    comment.cw_delete()
+                with self.assertUnauthorized(cnx):
+                    cnx.create_entity('SEDAArchivalAgreement', seda_archival_agreement=transfer)
+                # modification of a relation from the container to a non contained entity
+                with self.assertUnauthorized(cnx):
+                    testutils.create_authority_record(cnx, name=u'Bob Archival inc.',
+                                                      reverse_seda_archival_agency=transfer)
+                # deletion of an archive unit
+                with self.assertUnauthorized(cnx):
+                    transfer.archive_units[0].cw_delete()
+                # deletion of the container
+                with self.assertUnauthorized(cnx):
+                    transfer.cw_delete()
+
     def test_archive_unit(self):
         with self.admin_access.cnx() as cnx:
             unit, unit_alt, unit_alt_seq = testutils.create_archive_unit(None, cnx=cnx)