[schema] Remove managers group from update/delete permissions
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 27 Apr 2017 14:28:10 +0200
changeset 2634 8f1a4f7abbf6
parent 2633 cdc858532db1
child 2635 70cd0b3f5e37
[schema] Remove managers group from update/delete permissions of entity and relation types in the compound tree. This ensure that permissions of the whole tree depends on permission of the root (SEDAArchiveTransfer or SEDAArchiveUnit), with no special cases for users in the managers group. Related to extranet #19216837
cubicweb_seda/schema/__init__.py
test/test_schema.py
--- a/cubicweb_seda/schema/__init__.py	Thu Apr 27 11:40:58 2017 +0200
+++ b/cubicweb_seda/schema/__init__.py	Thu Apr 27 14:28:10 2017 +0200
@@ -183,13 +183,12 @@
         # container entity
         for action in ('update', 'delete'):
             eschema.set_action_permissions(
-                action, ('managers', ERQLExpression('U has_{action}_permission C, '
-                                                    'X container C'.format(action=action)))
+                action, (ERQLExpression('U has_{action}_permission C, '
+                                        'X container C'.format(action=action)),)
             )
     for action in ('update', 'delete'):
         schema['SEDAArchiveUnit'].set_action_permissions(
-            action, ('managers',
-                     ERQLExpression('U has_{action}_permission C, '
+            action, (ERQLExpression('U has_{action}_permission C, '
                                     'X container C'.format(action=action)),
                      ERQLExpression('NOT EXISTS(X container C), U in_group G, '
                                     'G name IN ("managers", "users")')))
@@ -211,6 +210,6 @@
                 rrql_exprs.append('U has_update_permission {0}'.format(var))
             else:
                 rrql_exprs.append('U has_update_permission C, {0} container C'.format(var))
-        permissions = ['managers'] + [RRQLExpression(expr) for expr in rrql_exprs]
+        permissions = [RRQLExpression(expr) for expr in rrql_exprs]
         for action in ('add', 'delete'):
             rdef.set_action_permissions(action, permissions)
--- a/test/test_schema.py	Thu Apr 27 11:40:58 2017 +0200
+++ b/test/test_schema.py	Thu Apr 27 14:28:10 2017 +0200
@@ -322,6 +322,32 @@
             with self.assertUnauthorized(cnx):
                 transfer.cw_delete()
 
+        with self.admin_access.cnx() as cnx:
+            transfer = cnx.entity_from_eid(transfer.eid)
+            # ensure every subobjects permissions depends on top-level
+            # permissions (don't even include managers group)
+            with self.temporary_permissions((self.schema['SEDAArchiveTransfer'],
+                                             {'update': (),
+                                              'delete': ()})):
+                # modification of a contained entity
+                comment = transfer.reverse_seda_comment[0]
+                with self.assertUnauthorized(cnx):
+                    comment.cw_set(comment=u'You got hacked')
+                with self.assertUnauthorized(cnx):
+                    comment.cw_delete()
+                with self.assertUnauthorized(cnx):
+                    cnx.create_entity('SEDAArchivalAgreement', seda_archival_agreement=transfer)
+                # modification of a relation from the container to a non contained entity
+                with self.assertUnauthorized(cnx):
+                    testutils.create_authority_record(cnx, name=u'Bob Archival inc.',
+                                                      reverse_seda_archival_agency=transfer)
+                # deletion of an archive unit
+                with self.assertUnauthorized(cnx):
+                    transfer.archive_units[0].cw_delete()
+                # deletion of the container
+                with self.assertUnauthorized(cnx):
+                    transfer.cw_delete()
+
     def test_archive_unit(self):
         with self.admin_access.cnx() as cnx:
             unit, unit_alt, unit_alt_seq = testutils.create_archive_unit(None, cnx=cnx)