[schema] Fix agent kind permission so that no one can create new kind
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 18 May 2017 16:49:58 +0200
changeset 227 b1080cd1062e
parent 226 9e03d0d69d8f
child 228 bd7d7578a46c
[schema] Fix agent kind permission so that no one can create new kind even managers. Notice the modified test was rather clumsy, it was only passing because no commit was done (non-managers users were already missing the permission to create new kinds). Closes #17079137
cubicweb_eac/migration/0.5.1_Any.py
cubicweb_eac/schema.py
test/test_schema.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/cubicweb_eac/migration/0.5.1_Any.py	Thu May 18 16:49:58 2017 +0200
@@ -0,0 +1,1 @@
+sync_schema_props_perms('AgentKind')
--- a/cubicweb_eac/schema.py	Thu May 18 16:36:12 2017 +0200
+++ b/cubicweb_eac/schema.py	Thu May 18 16:49:58 2017 +0200
@@ -140,7 +140,7 @@
     """Kind of an authority record (e.g. "person", "authority" or "family")"""
     __permissions__ = {
         'read': ('managers', 'users', 'guests'),
-        'add': ('managers', ),
+        'add': (),
         'update': (),
         'delete': (),
     }
--- a/test/test_schema.py	Thu May 18 16:36:12 2017 +0200
+++ b/test/test_schema.py	Thu May 18 16:49:58 2017 +0200
@@ -145,10 +145,8 @@
                 kind.cw_delete()
 
         with self.admin_access.cnx() as cnx:
-            self.create_user(cnx, login=u'toto', groups=('users', 'guests'))
-            cnx.commit()
-        with self.new_access('toto').cnx() as cnx:
-            cnx.create_entity('AgentKind', name=u'new')
+            with self.assertUnauthorized(cnx):
+                cnx.create_entity('AgentKind', name=u'new')
 
     def test_agent_kind_relation(self):
         """Test we can only change kind from unknown to another."""