comparison test/test_xmlrpc.py @ 4437:261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
- Security Fix: Add a check for search-permissions: now we allow
searching for properties only if the property is readable without a
check method or if an explicit search permission (see above under
"Features") is given for the property. This fixes cases where a user
doesn't have access to a property but can deduce the content by
crafting a clever search, group or sort query.
see doc/upgrading.txt for how to fix your trackers!
| author | Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net> |
|---|---|
| date | Tue, 19 Oct 2010 15:29:05 +0000 |
| parents | 1555a73f6451 |
| children | 17f796a78647 |
| 4436:528ace81fd16 | 4437:261c9f913ff7 |
|---|---|
| 112 self.server.create('user', 'username=blah') | 112 self.server.create('user', 'username=blah') |
| 113 except Unauthorised, err: | 113 except Unauthorised, err: |
| 114 self.fail('raised %s'%err) | 114 self.fail('raised %s'%err) |
| 115 finally: | 115 finally: |
| 116 self.db.setCurrentUser('joe') | 116 self.db.setCurrentUser('joe') |
| 117 | |
| 118 def testAuthFilter(self): | |
| 119 # this checks if we properly check for search permissions | |
| 120 self.db.security.permissions = {} | |
| 121 self.db.security.addRole(name='User') | |
| 122 self.db.security.addRole(name='Project') | |
| 123 self.db.security.addPermissionToRole('User', 'Web Access') | |
| 124 self.db.security.addPermissionToRole('Project', 'Web Access') | |
| 125 # Allow viewing keyword | |
| 126 p = self.db.security.addPermission(name='View', klass='keyword') | |
| 127 self.db.security.addPermissionToRole('User', p) | |
| 128 # Allow viewing interesting things (but not keyword) on issue | |
| 129 # But users might only view issues where they are on nosy | |
| 130 # (so in the real world the check method would be better) | |
| 131 p = self.db.security.addPermission(name='View', klass='issue', | |
| 132 properties=("title", "status"), check=lambda x,y,z: True) | |
| 133 self.db.security.addPermissionToRole('User', p) | |
| 134 # Allow role "Project" access to whole issue | |
| 135 p = self.db.security.addPermission(name='View', klass='issue') | |
| 136 self.db.security.addPermissionToRole('Project', p) | |
| 137 | |
| 138 keyword = self.db.keyword | |
| 139 status = self.db.status | |
| 140 issue = self.db.issue | |
| 141 | |
| 142 d1 = keyword.create(name='d1') | |
| 143 d2 = keyword.create(name='d2') | |
| 144 open = status.create(name='open') | |
| 145 closed = status.create(name='closed') | |
| 146 issue.create(title='i1', status=open, keyword=[d2]) | |
| 147 issue.create(title='i2', status=open, keyword=[d1]) | |
| 148 issue.create(title='i2', status=closed, keyword=[d1]) | |
| 149 | |
| 150 chef = self.db.user.create(username = 'chef', roles='User, Project') | |
| 151 joe = self.db.user.lookup('joe') | |
| 152 | |
| 153 # Conditionally allow view of whole issue (check is False here, | |
| 154 # this might check for keyword owner in the real world) | |
| 155 p = self.db.security.addPermission(name='View', klass='issue', | |
| 156 check=lambda x,y,z: False) | |
| 157 self.db.security.addPermissionToRole('User', p) | |
| 158 # Allow user to search for issue.status | |
| 159 p = self.db.security.addPermission(name='Search', klass='issue', | |
| 160 properties=("status",)) | |
| 161 self.db.security.addPermissionToRole('User', p) | |
| 162 | |
| 163 keyw = {'keyword':self.db.keyword.lookup('d1')} | |
| 164 stat = {'status':self.db.status.lookup('open')} | |
| 165 keygroup = keysort = [('+', 'keyword')] | |
| 166 self.db.commit() | |
| 167 | |
| 168 # Filter on keyword ignored for role 'User': | |
| 169 r = self.server.filter('issue', None, keyw) | |
| 170 self.assertEqual(r, ['1', '2', '3']) | |
| 171 # Filter on status works for all: | |
| 172 r = self.server.filter('issue', None, stat) | |
| 173 self.assertEqual(r, ['1', '2']) | |
| 174 # Sorting and grouping for class User fails: | |
| 175 r = self.server.filter('issue', None, {}, sort=keysort) | |
| 176 self.assertEqual(r, ['1', '2', '3']) | |
| 177 r = self.server.filter('issue', None, {}, group=keygroup) | |
| 178 self.assertEqual(r, ['1', '2', '3']) | |
| 179 | |
| 180 self.db.close() | |
| 181 self.db = self.instance.open('chef') | |
| 182 self.server = RoundupInstance(self.db, self.instance.actions, None) | |
| 183 | |
| 184 # Filter on keyword works for role 'Project': | |
| 185 r = self.server.filter('issue', None, keyw) | |
| 186 self.assertEqual(r, ['2', '3']) | |
| 187 # Filter on status works for all: | |
| 188 r = self.server.filter('issue', None, stat) | |
| 189 self.assertEqual(r, ['1', '2']) | |
| 190 # Sorting and grouping for class Project works: | |
| 191 r = self.server.filter('issue', None, {}, sort=keysort) | |
| 192 self.assertEqual(r, ['2', '3', '1']) | |
| 193 r = self.server.filter('issue', None, {}, group=keygroup) | |
| 194 self.assertEqual(r, ['2', '3', '1']) | |
| 117 | 195 |
| 118 def test_suite(): | 196 def test_suite(): |
| 119 suite = unittest.TestSuite() | 197 suite = unittest.TestSuite() |
| 120 for l in list_backends(): | 198 for l in list_backends(): |
| 121 dct = dict(backend = l) | 199 dct = dict(backend = l) |
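Review bot: In the added testAuthFilter, `open = status.create(name='open')` (new line 144) shadows the builtin `open` for the rest of the method, and the locals `chef` (line 150) and `joe` (line 151) are assigned but never used; renaming to `st_open = status.create(name='open')` and dropping the two unused bindings (or using `chef` in the later `self.instance.open(...)` call) would avoid both. The third issue on line 148 reuses title `'i2'`, which looks like it was meant to be `'i3'`, though nothing asserts on titles so it is harmless as written. Worth a comment near line 168 that the assertions deliberately pin the silent-ignore semantics of the fix: an unauthorised filter, sort or group criterion is dropped and the full unfiltered id list is returned rather than Unauthorised being raised, e.g. `# NOTE: unauthorised criteria are silently ignored, not rejected; the full list is returned`, so a later change to raise instead is recognised as a behavioural change. The rendered table appears to have shifted the inserted new-side lines 117-194 into the old-revision column; they cannot be old-side lines since old line 118 is already `def test_suite():`.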
