Demonstrate a security issue where AllowSingle blocks a child Allow f…

…or a different group
orus-io · Jun 7, 2018 · ed87c4c · ed87c4c
1 parent c2ac0b3
commit ed87c4c
Showing 1 changed file with 64 additions and 0 deletions.
diff --git a/guillotina/tests/test_security.py b/guillotina/tests/test_security.py
@@ -1,3 +1,4 @@
+from guillotina.auth.users import GuillotinaUser
 from guillotina.security.utils import get_principals_with_access_content
 from guillotina.security.utils import get_roles_with_access_content
 from guillotina.security.utils import settings_for_object
@@ -169,3 +170,66 @@ async def test_canido(container_requester):
             'GET', '/db/guillotina/@canido?permission=guillotina.ViewContent')
         assert status == 200
         assert response
+
+async def test_allowsingle(container_requester):
+    async with container_requester as requester:
+        response, status = await requester(
+            'POST',
+            '/db/guillotina/',
+            data=json.dumps({
+                '@type': 'Item',
+                'id': 'testing'
+            }))
+        assert status == 201
+
+        response, status = await requester(
+            'POST',
+            '/db/guillotina/@sharing',
+            data=json.dumps({
+                'prinperm': [{
+                    'principal': 'group1',
+                    'permission': 'guillotina.AccessContent',
+                    'setting': 'AllowSingle'
+                }]
+            }))
+
+        assert status == 200
+
+        response, status = await requester(
+            'POST',
+            '/db/guillotina/testing/@sharing',
+            data=json.dumps({
+                'prinperm': [{
+                    'principal': 'group2',
+                    'permission': 'guillotina.AccessContent',
+                    'setting': 'Allow'
+                }]
+            }))
+
+        assert status == 200
+
+        request = utils.get_mocked_request(requester.db)
+        container = await utils.get_container(requester, request)
+        content = await container.async_get('testing')
+
+        user = GuillotinaUser(request)
+        user.id = 'user1'
+        user._groups = ['group1', 'group2']
+
+        utils.login(request, user)
+
+        assert request.security.check_permission('guillotina.AccessContent',
+                                                 request.container)
+        assert request.security.check_permission('guillotina.AccessContent',
+                                                 content)
+
+        user = GuillotinaUser(request)
+        user.id = 'user1'
+        user._groups = ['group1']
+
+        utils.login(request, user)
+
+        assert request.security.check_permission('guillotina.AccessContent',
+                                                 request.container)
+        assert not request.security.check_permission(
+            'guillotina.AccessContent', content)