
from cubicweb.devtools.testlib import CubicWebTC
from cubicweb import Binary

class SecurityTC(CubicWebTC):
    """Check that an album's visibility and read grants reach the files it holds.

    Two files are put in a restricted album: one inherits the album's
    visibility, the other declares its own. A non-manager user is then used
    to verify what is readable before and after a ``may_be_readen_by`` grant
    on the album.
    """

    @classmethod
    def init_config(cls, config):
        """Point the photo storage at a writable location before the repository starts."""
        super(SecurityTC, cls).init_config(config)
        # NOTE(review): '/tmp' is a shared, predictable, world-writable path;
        # a private per-run directory would isolate concurrent test runs and
        # whatever the application writes under it — confirm what consumes
        # this option before changing it.
        config.global_set_option('album-base-dir', '/tmp')

    def _add_photo(self, req, album, name, **extra):
        """Create a File entity called *name* inside *album*; *extra* is passed through."""
        return req.create_entity('File',
                                 data_name=name,
                                 data=Binary('xxx'),
                                 in_album=album,
                                 **extra)

    def _count(self, req, rql):
        """Number of rows *rql* returns for the connection behind *req*."""
        return len(req.execute(rql))

    def test_visibility_propagation(self):
        """A file without its own visibility computes the album's; a read grant
        on the album opens both the album and that file to the grantee."""
        manager_req = self.request()
        # the user whose view is checked later on
        reader = self.create_user(manager_req, 'toto')
        # fixture built through the default (manager) connection
        album = manager_req.create_entity('Album',
                                          name=u'restricted',
                                          visibility=u'restricted')
        inheriting = self._add_photo(manager_req, album, u'photo1.jpg')
        self.commit()
        # drop request-level caches so computed attributes are re-read from the repo
        inheriting.cw_clear_all_caches()
        # no explicit value: stored as 'parent', computed from the album
        self.assertEqual(inheriting.visibility, 'parent')
        self.assertEqual(inheriting.computed_visibility, 'restricted')
        # an explicit value is kept as-is
        explicit = self._add_photo(manager_req, album, u'photo2.jpg',
                                   visibility=u'public')
        self.commit()
        self.assertEqual(explicit.visibility, 'public')
        self.assertEqual(explicit.computed_visibility, 'public')
        # as 'toto': only the public file is readable, the restricted album is not
        self.login('toto')
        reader_req = self.request()
        self.assertEqual(self._count(reader_req, 'File X'), 1)
        self.assertEqual(self._count(reader_req, 'Album X'), 0)
        # back on the manager connection: grant toto read access on the album
        self.restore_connection()
        album.cw_set(may_be_readen_by=reader)
        self.commit()
        inheriting.cw_clear_all_caches()
        # the grant is visible on the file whose visibility is 'parent'
        self.assertTrue(inheriting.may_be_readen_by)
        # as 'toto' again: the inheriting file and the album are now readable too
        self.login('toto')
        reader_req = self.request()
        self.assertEqual(self._count(reader_req, 'File X'), 2)
        self.assertEqual(self._count(reader_req, 'Album X'), 1)


if __name__ == '__main__':
    # Run this module's test cases with logilab's runner; imported lazily so
    # merely importing the module for collection does not require it.
    import logilab.common.testlib as testlib
    testlib.unittest_main()