Commit ac609b34 authored by Sylvain Thénault's avatar Sylvain Thénault
Browse files

[schema] Remove managers group from update/delete permissions

of entity and relation types in the compound tree. This ensure that permissions
of the whole tree depends on permission of the root (SEDAArchiveTransfer or
SEDAArchiveUnit), with no special cases for users in the managers group.

Related to extranet #19216837
parent cdc858532db1
......@@ -183,13 +183,12 @@ def post_build_callback(schema):
# container entity
for action in ('update', 'delete'):
action, ('managers', ERQLExpression('U has_{action}_permission C, '
'X container C'.format(action=action)))
action, (ERQLExpression('U has_{action}_permission C, '
'X container C'.format(action=action)),)
for action in ('update', 'delete'):
action, ('managers',
ERQLExpression('U has_{action}_permission C, '
action, (ERQLExpression('U has_{action}_permission C, '
'X container C'.format(action=action)),
ERQLExpression('NOT EXISTS(X container C), U in_group G, '
'G name IN ("managers", "users")')))
......@@ -211,6 +210,6 @@ def post_build_callback(schema):
rrql_exprs.append('U has_update_permission {0}'.format(var))
rrql_exprs.append('U has_update_permission C, {0} container C'.format(var))
permissions = ['managers'] + [RRQLExpression(expr) for expr in rrql_exprs]
permissions = [RRQLExpression(expr) for expr in rrql_exprs]
for action in ('add', 'delete'):
rdef.set_action_permissions(action, permissions)
......@@ -322,6 +322,32 @@ class SecurityTC(CubicWebTC):
with self.assertUnauthorized(cnx):
with self.admin_access.cnx() as cnx:
transfer = cnx.entity_from_eid(transfer.eid)
# ensure every subobjects permissions depends on top-level
# permissions (don't even include managers group)
with self.temporary_permissions((self.schema['SEDAArchiveTransfer'],
{'update': (),
'delete': ()})):
# modification of a contained entity
comment = transfer.reverse_seda_comment[0]
with self.assertUnauthorized(cnx):
comment.cw_set(comment=u'You got hacked')
with self.assertUnauthorized(cnx):
with self.assertUnauthorized(cnx):
cnx.create_entity('SEDAArchivalAgreement', seda_archival_agreement=transfer)
# modification of a relation from the container to a non contained entity
with self.assertUnauthorized(cnx):
testutils.create_authority_record(cnx, name=u'Bob Archival inc.',
# deletion of an archive unit
with self.assertUnauthorized(cnx):
# deletion of the container
with self.assertUnauthorized(cnx):
def test_archive_unit(self):
with self.admin_access.cnx() as cnx:
unit, unit_alt, unit_alt_seq = testutils.create_archive_unit(None, cnx=cnx)
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment