[schema] Fix security on direct relation to SEDAArchiveUnit
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Wed, 08 Mar 2017 22:40:19 +0100
changeset 2476 9e7a025cd039
parent 2474 d331fbee620a
child 2477 b1ab49e7f058
[schema] Fix security on direct relation to SEDAArchiveUnit to consider that its container may be None (in case of a component archive unit).
cubicweb_seda/migration/0.9.0_Any.py
cubicweb_seda/schema/__init__.py
test/test_schema.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/cubicweb_seda/migration/0.9.0_Any.py	Wed Mar 08 22:40:19 2017 +0100
@@ -0,0 +1,9 @@
+from cubicweb_seda import iter_all_rdefs
+
+for rdef, role in iter_all_rdefs(schema, 'SEDAArchiveTransfer'):
+    if role == 'subject':
+        target_etype = rdef.subject
+    else:
+        target_etype = rdef.object
+    if target_etype == 'SEDAArchiveUnit':
+        sync_schema_props_perms((rdef.subject, rdef.rtype, rdef.object))
--- a/cubicweb_seda/schema/__init__.py	Thu Mar 09 16:28:55 2017 +0100
+++ b/cubicweb_seda/schema/__init__.py	Wed Mar 08 22:40:19 2017 +0100
@@ -176,9 +176,17 @@
             target_etype, var = rdef.subject, 'S'
         else:
             target_etype, var = rdef.object, 'O'
-        if target_etype == 'SEDAArchiveTransfer':
-            expr = 'U has_update_permission {0}'.format(var)
+        rrql_exprs = []
+        if target_etype == 'SEDAArchiveUnit':
+            rrql_exprs.append('U has_update_permission {0}, NOT EXISTS({0} container C)'
+                              .format(var, var))
+            rrql_exprs.append('U has_update_permission C, {0} container C'.format(var))
+
         else:
-            expr = 'U has_update_permission C, {0} container C'.format(var)
+            if target_etype == 'SEDAArchiveTransfer':
+                rrql_exprs.append('U has_update_permission {0}'.format(var))
+            else:
+                rrql_exprs.append('U has_update_permission C, {0} container C'.format(var))
+        permissions = ['managers'] + [RRQLExpression(expr) for expr in rrql_exprs]
         for action in ('add', 'delete'):
-            rdef.set_action_permissions(action, ('managers', RRQLExpression(expr)))
+            rdef.set_action_permissions(action, permissions)
--- a/test/test_schema.py	Thu Mar 09 16:28:55 2017 +0100
+++ b/test/test_schema.py	Wed Mar 08 22:40:19 2017 +0100
@@ -326,6 +326,13 @@
             unit.cw_delete()
             cnx.commit()
 
+    def test_users_can_created_unit(self):
+        with self.admin_access.cnx() as cnx:
+            self.create_user(cnx, 'bob')
+        with self.new_access('bob').cnx() as cnx:
+            unit, unit_alt, unit_alt_seq = testutils.create_archive_unit(None, cnx=cnx)
+            cnx.commit()
+
 
 if __name__ == '__main__':
     import unittest