moo.core.tests.test_security_queryset
Security tests: QuerySet / RelatedManager access controls.
Covers: QuerySet.model raw ORM path, bulk mutation methods (update/delete/ values/create), ManyToMany parent manipulation, Property.value read guard, Verb.__call__ execute check, ACL enumeration guard, select_related safety (passes 6, 7, 8, 14).
Functions
A wizard caller can still access obj.acl, since can_caller('grant') always passes for wizards. |
|
get_protected_attribute and safe_getattr check can_caller('grant') before returning the acl RelatedManager on AccessibleMixin instances. |
|
|
ManyToManyField.add() issues SQL directly without going through Object.save(), bypassing ACL checks. |
passthrough() must not be blocked by the execute check in Verb.__call__(). |
|
The owner's context can still read Property.value. |
|
|
get_protected_attribute and safe_getattr enforce can_caller('read') when verb code accesses prop.value. |
QuerySet.delete() issues SQL DELETE directly, bypassing model-level permission checks. |
|
QuerySet.model is blocked by get_protected_attribute and safe_getattr. |
|
QuerySet.update() issues SQL UPDATE directly, bypassing Verb.save() permission checks. |
|
QuerySet.values() returns plain dicts whose 'value' key is not a Property instance, so the isinstance(obj, Property) guard in get_protected_attribute never fires. |
|
|
RelatedManager.create() routes directly to Verb.save() with pk=None, which previously skipped the write-permission check. |
select_related() returns a QuerySet. |
|
select_related() is in _QUERYSET_ALLOWED and is actively used by verb code (e.g. at_show.py). |
|
Verb.__call__() checks can_caller('execute', self) when an active session is present. |