Backport some more security test from saem
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Tue, 18 Oct 2016 16:19:14 +0200
changeset 1887 38c8d9a12bcc
parent 1886 0a8f060a5ce6
child 1888 c74d8dd017ce
Backport some more security tests from saem
test/test_schema.py
--- a/test/test_schema.py	Wed Oct 19 23:07:28 2016 +0200
+++ b/test/test_schema.py	Tue Oct 18 16:19:14 2016 +0200
@@ -181,13 +181,14 @@
             cnx.commit()
         cnx.rollback()
 
-    def test_base(self):
+    def test_profile(self):
         with self.admin_access.repo_cnx() as cnx:
             self.create_user(cnx, login='alice')
             self.create_user(cnx, login='bob')
             cnx.commit()
         with self.new_access('alice').repo_cnx() as cnx:
             transfer = cnx.create_entity('SEDAArchiveTransfer', title=u'Alice Profile')
+            create_archive_unit(transfer)
             cnx.create_entity('Agent', name=u'Archival inc.',
                               reverse_seda_archival_agency=transfer)
             cnx.create_entity('SEDAComment', comment=u'Whooot.',
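Review bot: The added `create_archive_unit(transfer)` call has no comment explaining why it is there, and its return value is discarded. It appears to exist only so that the later `transfer.archive_units[0].cw_delete()` check has a unit to act on; a one-line comment such as `# archive unit used by the deletion checks at the end of the test` would make that dependency explicit. The renamed `test_profile` would also benefit from a short docstring saying which permissions it covers. The test body continues outside this hunk, and `create_archive_unit` is defined outside the diff.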
@@ -217,6 +218,52 @@
             with self.assertUnauthorized(cnx):
                 scheme = cnx.create_entity('ConceptScheme', title=u'Some nasty vocabulary')
                 mtclv.cw_set(seda_mime_type_code_list_version_to=scheme)
+            # deletion of a contained entity
+            with self.assertUnauthorized(cnx):
+                comment.cw_delete()
+            # deletion of a outer relation
+            with self.assertUnauthorized(cnx):
+                transfer.reverse_seda_mime_type_code_list_version_from[0].cw_set(
+                    seda_mime_type_code_list_version_to=None)
+            # deletion of an archive unit
+            with self.assertUnauthorized(cnx):
+                transfer.archive_units[0].cw_delete()
+            # deletion of the container
+            with self.assertUnauthorized(cnx):
+                transfer.cw_delete()
+
+    def test_archive_unit(self):
+        with self.admin_access.repo_cnx() as cnx:
+            unit, unit_alt, unit_alt_seq = create_archive_unit(None, cnx=cnx)
+            content = cnx.create_entity('SEDAContent', seda_content=unit_alt_seq)
+            title = cnx.create_entity('SEDATitle', seda_title=content)
+            cnx.commit()
+
+            # unit has no parent, modifications are allowed.
+            unit.cw_set(user_annotation=u'argh')
+            title.cw_set(title=u'gloup')
+            cnx.commit()
+
+        with self.new_access('anon').client_cnx() as cnx:
+            title = cnx.entity_from_eid(title.eid)
+            unit = cnx.entity_from_eid(unit.eid)
+            with self.assertUnauthorized(cnx):
+                title.cw_set(title=u'zorglub')
+            with self.assertUnauthorized(cnx):
+                unit.cw_set(user_annotation=u'zorglub')
+            with self.assertUnauthorized(cnx):
+                cnx.create_entity(
+                    'SEDATitle', seda_title=cnx.create_entity(
+                        'SEDAContent', seda_content=unit_alt_seq))
+            with self.assertUnauthorized(cnx):
+                title.cw_delete()
+            with self.assertUnauthorized(cnx):
+                unit.cw_delete()
+        with self.admin_access.repo_cnx() as cnx:
+            unit = cnx.entity_from_eid(unit.eid)
+            unit.cw_delete()
+            cnx.commit()
+
 
 if __name__ == '__main__':
     import unittest
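Review bot: In `test_archive_unit`, the nested `cnx.create_entity('SEDATitle', seda_title=cnx.create_entity('SEDAContent', ...))` sits in a single `assertUnauthorized` block, so the check passes as soon as either creation is refused and does not show that both are. It also passes `unit_alt_seq` from the already closed admin connection, whereas `title` and `unit` are re-fetched with `cnx.entity_from_eid`. I would re-fetch the entities on the anonymous connection and assert each creation separately, as below; this assumes `assertUnauthorized` (defined outside this diff) leaves the connection usable after each block, as the surrounding checks already rely on. The same masking applies in `test_profile`, where `transfer.archive_units[0]` and `transfer.reverse_seda_mime_type_code_list_version_from[0]` are looked up inside the block; resolving them before the `with` would keep the assertion about the write alone.

```python
        with self.new_access('anon').client_cnx() as cnx:
            # … unchanged: title / unit re-fetch and cw_set checks …
            content = cnx.entity_from_eid(content.eid)
            unit_alt_seq = cnx.entity_from_eid(unit_alt_seq.eid)
            # one block per creation, so a denial of one cannot mask the other
            with self.assertUnauthorized(cnx):
                cnx.create_entity('SEDAContent', seda_content=unit_alt_seq)
            with self.assertUnauthorized(cnx):
                cnx.create_entity('SEDATitle', seda_title=content)
            # … unchanged: title / unit deletion checks …
```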