[schema] tighten permissions on MercurialServerConfig (closes #5731974)

Since changeset 90fcddcce166 "when some inlined relation is set using cw_edited, its security shouldn't be checked." in cubicweb 3.20.8, our restrictive hgadmin_repository's add permissions are no longer checked since the relation is set by MSCCreateHook. Fixes unittest_hooks::SchemaPermTC.test_ordinary_user_AUD.

author: Julien Cristau <julien.cristau@logilab.fr>
changeset: 3608e28223e7
branch: default
phase: public
hidden: no
parent revision: #d76208f1c6f5 Added tag cubicweb-mercurial-server-version-0.6.0, cubicweb-mercurial-server-debian-version-0.6.0-1 for changeset 7cbb577d5c64
child revision: #83b8ac3375f5 [entities] improve MercurialServerPermission's dc_title, #24ea3c2109e3 [entities] improve MercurialServerPermission's dc_title
files modified by this revision:
migration/0.7.0_Any.py
schema.py
test/unittest_hooks.py
# HG changeset patch
# User Julien Cristau <julien.cristau@logilab.fr>
# Date 1437494835 -7200
# Tue Jul 21 18:07:15 2015 +0200
# Node ID 3608e28223e79173f2bb7100eefdcf83599d9cbe
# Parent d76208f1c6f590092bd9845a5cdd17bd184c8d6e
[schema] tighten permissions on MercurialServerConfig (closes #5731974)

Since changeset 90fcddcce166 "when some inlined relation is set using
cw_edited, its security shouldn't be checked." in cubicweb 3.20.8, our
restrictive hgadmin_repository's add permissions are no longer checked
since the relation is set by MSCCreateHook. Fixes
unittest_hooks::SchemaPermTC.test_ordinary_user_AUD.

diff --git a/migration/0.7.0_Any.py b/migration/0.7.0_Any.py
@@ -0,0 +1,1 @@
1 +sync_schema_props_perms('MercurialServerConfig', syncprops=False, syncrdefs=False)
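Review bot: the new migration script is a single uncommented call, and it is the only thing that carries the tightened 'add' permission to instances that already exist. Add a comment saying that it resyncs MercurialServerConfig's permissions for the schema.py change in this changeset, and that syncprops=False and syncrdefs=False are enough because only the entity type's __permissions__ changed. The file is named 0.7.0_Any.py while the parent revision is the 0.6.0 tag and no version file is among the files modified here, so check that the cube's version is bumped to 0.7.0 before release so that the script is picked up on upgrade.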
diff --git a/schema.py b/schema.py
@@ -32,12 +32,11 @@
2 
3 
4  class MercurialServerConfig(EntityType):
5      __permissions__ = {
6          'read':   ('managers', 'users'),
7 -        # 'add' is further restrained by the ability to create hgadmin_repository mandatory relation
8 -        'add':    ('managers', 'users'),
9 +        'add':    ('managers',),
10          'update': ('managers', 'owners'),
11          'delete': ('managers', 'owners'),
12          }
13      name = String(required=True, maxsize=128, fulltextindexed=True)
14      base_url = String(required=True,
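Review bot: the new 'add': ('managers',) line drops 'users' and the explanatory comment above it is removed with it, so schema.py no longer says why ordinary users lost this permission. Add a short comment on that line stating that the hgadmin_repository relation is set by MSCCreateHook, that its add permissions are therefore not checked, and that the restriction now has to live on the entity type. This is also stricter than what the removed comment described, where a user able to create the hgadmin_repository relation could add a config; if that case still has to work for non-managers it needs an explicit permission rule, and if not, the behaviour change deserves a line in the changelog.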
diff --git a/test/unittest_hooks.py b/test/unittest_hooks.py
@@ -187,10 +187,11 @@
15 
16          with self.new_access('toto').client_cnx() as cnx:
17              # toto cannot create a mercurial server config
18              with self.assertRaises(Unauthorized):
19                  self.create_mercurial_server(cnx, 'for_toto')
20 +                cnx.commit()
21 
22          with self.new_access('toto').client_cnx() as cnx:
23              # without a public key, toto cannot create a hosted repository
24              toto_repo = self.create_mercurial_repo(cnx, 'toto_repo')
25              with self.assertRaises(ValidationError) as wraperr:
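Review bot: with cnx.commit() placed inside the assertRaises(Unauthorized) block right after create_mercurial_server, the test passes whether the exception comes from the create call or from the commit, and the commit line is never reached when the create call raises. State in the comment which of the two is expected to raise, or move the create call out of the assertRaises block if the check is meant to fire at commit time, so that a later change in where security is enforced is caught by this test.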