Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
C
CaosDB Python Integration Tests
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Iterations
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container registry
Model registry
Operate
Environments
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
caosdb
Software
CaosDB Python Integration Tests
Commits
80d3eb1a
Commit
80d3eb1a
authored
1 year ago
by
Florian Spreckelsen
Browse files
Options
Downloads
Plain Diff
Merge branch 'f-select-acl' into 'dev'
TST f-select-acl See merge request
!71
parents
257c7faa
879c9bed
No related branches found
No related tags found
1 merge request
!71
TST f-select-acl
Pipeline
#44931
failed
1 year ago
Stage: info
Stage: setup
Stage: cert
Stage: style
Stage: test
Stage: deploy
Changes
1
Pipelines
21
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
tests/test_permissions.py
+6
-6
6 additions, 6 deletions
tests/test_permissions.py
with
6 additions
and
6 deletions
tests/test_permissions.py
+
6
−
6
View file @
80d3eb1a
...
...
@@ -240,10 +240,11 @@ def test_query():
unique
=
True
)
'''
... but works without the which clause
'''
assert
db
.
execute_query
(
"
FIND ENTITY TestExperiment
"
,
unique
=
True
).
id
==
exp
.
id
'''
and with the id
'''
assert
db
.
execute_query
(
"
FIND ENTITY TestExperiment WHICH HAS A TestConductor=
"
+
str
(
dan
.
id
),
unique
=
True
).
id
==
exp
.
id
#
assert db.execute_query(
#
"FIND ENTITY TestExperiment WHICH HAS A TestConductor=" + str(dan.id),
#
unique=True).id == exp.id
'''
failure - exp
'''
grant_permission
(
dan
,
"
RETRIEVE:*
"
)
...
...
@@ -1198,7 +1199,6 @@ def test_deny_update_role():
p
.
update
()
@mark.xfail
(
reason
=
"
Fix insufficient permission checks of referenced entity names.
"
)
def
test_query_with_invisible_reference
():
"""
Names of references that are not visible to the test user should not be usable as query
...
...
@@ -1216,6 +1216,7 @@ def test_query_with_invisible_reference():
deny_permission
(
rec_invisible
,
"
RETRIEVE:*
"
)
# as admin, I'm allowed to filter this
switch_to_admin_user
()
assert
len
(
db
.
execute_query
(
f
"
FIND
{
rt
.
name
}
WITH
{
rt
.
name
}
=
{
rec_invisible
.
name
}
"
))
==
1
switch_to_test_user
()
...
...
@@ -1237,7 +1238,6 @@ def test_query_with_invisible_reference():
assert
len
(
db
.
execute_query
(
f
"
FIND
{
rt
.
name
}
WITH
{
rt
.
name
}
LIKE
'
*invis*
'"
))
==
0
@mark.xfail
(
reason
=
"
Fix insufficient permission checks of referenced entity selectors.
"
)
def
test_select_query_with_invisible_reference
():
"""
SELECT queries must not leak property values of invisible referenced entities.
"""
...
...
@@ -1287,7 +1287,7 @@ def test_select_query_with_invisible_reference():
values
=
select_results
.
get_property_values
(
*
value_args
)[
0
]
assert
values
[
0
]
==
visible_rec
.
name
assert
values
[
1
]
==
invisible_rec
.
id
# id is ok
assert
values
[
2
]
is
None
# name isn't
assert
values
[
2
]
==
invisible_rt
.
name
# fall-back to property's name
assert
values
[
3
]
is
None
# prop isn't either
assert
values
[
4
]
is
None
# neither id ...
assert
values
[
5
]
is
None
# ... nor name of other rec referenced by invisible
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
