moo.core.tests.test_security_model_acl

Security tests: Access (ACL) and Repository model permission checks.

Covers grant enforcement in Access.save() and Access.delete() (including the attack in which an attacker rebinds a row's foreign key) and the wizard guard in Repository.save(), which fires whether Repository is reached via verb.repo or imported directly.

Functions

test_access_delete_requires_grant(t_init, ...)

Access.delete() previously had no permission check.

test_access_save_new_entry_requires_grant(...)

Creating a new Access row directly (bypassing allow()/deny()) must require grant on the target entity.

test_access_save_requires_grant(t_init, t_wizard)

Access.save() previously had no permission check.

test_repository_save_requires_wizard(t_init, ...)

Repository.save() previously had no permission check.

test_repository_save_wizard_guard_fires_via_direct_import(...)

Repository.save() checks ContextManager.get('caller').is_wizard() directly rather than relying on call-site restrictions.
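
The placement of the Repository.save() guard described above, as an added sketch that is not moo.core code. Only Repository, ContextManager.get('caller'), is_wizard() and verb.repo come from this page; Player, Verb, acting_as, attempt and the fail-closed handling of a missing caller are assumptions made for illustration.

```python
# Stand-in sketch, not moo.core code. Names taken from the page: Repository,
# ContextManager.get("caller"), is_wizard(), verb.repo. Everything else is assumed.
import contextvars
from contextlib import contextmanager

_caller = contextvars.ContextVar("caller", default=None)

class ContextManager:
    @staticmethod
    def get(key):
        if key != "caller":
            raise KeyError(key)
        return _caller.get()

@contextmanager
def acting_as(player):  # hypothetical helper: bind the caller for one block
    token = _caller.set(player)
    try:
        yield
    finally:
        _caller.reset(token)

class Player:  # hypothetical caller type
    def __init__(self, name, wizard=False):
        self.name, self.wizard = name, wizard
    def is_wizard(self):
        return self.wizard

class Repository:
    saved = []  # stands in for the database table
    def __init__(self, url):
        self.url = url
    def save(self):
        # The guard lives in the model, so every route to save() passes through it.
        caller = ContextManager.get("caller")
        if caller is None or not caller.is_wizard():  # fail closed with no caller (assumed)
            raise PermissionError("Repository.save requires a wizard caller")
        Repository.saved.append(self.url)

class Verb:  # route 1: the related object hanging off a verb
    def __init__(self, repo):
        self.repo = repo

def attempt(player, route):
    """Return 'saved' or 'denied' for a save attempted by `player` over `route`."""
    repo = Repository("https://example.invalid/constructed.git")  # constructed value
    target = Verb(repo).repo if route == "verb.repo" else repo  # route 2: direct import
    try:
        with acting_as(player):
            target.save()
        return "saved"
    except PermissionError:
        return "denied"
```

Because the check reads the caller from context inside save(), hiding Repository from a restricted namespace is defence in depth rather than the control itself.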