Fix permissions in model_move (+ test)

bootstrap/core_algorithm.alc

@@ -1132,28 +1132,35 @@ String function cmd_model_move(source : String, target : String):
 	String source_id
 	source_id = get_entry_id(source)
 	if (source_id != ""):
-		if (get_entry_id(target) == ""):
-			// Create folders on path to the target
-			create_folders(current_user_id, get_foldername(target))
-
-			// Change location, first the name
-			instantiate_attribute(core, source_id, "name", target)
-
-			// Now the folder links
-			Element links
-			links = allIncomingAssociationInstances(core, source_id, "contains")
-			while (set_len(links) > 0):
-				model_delete_element(core, set_pop(links))
-			instantiate_link(core, "contains", "", get_entry_id(get_foldername(target)), source_id)
-
-			// Flush caches
-			dict_add(caches["models"], target, caches["models"][source])
-			dict_delete(caches["models"], source)
-
-			// Done
-			return "Success"!
+		if (allow_write(current_user_id, source_id)):
+			if (get_entry_id(target) == ""):
+				// Create folders on path to the target
+				if (element_neq(create_folders(current_user_id, get_foldername(target)), read_root())):
+					if (allow_write(current_user_id, get_entry_id(get_foldername(target)))):
+						// Change location, first the name
+						instantiate_attribute(core, source_id, "name", target)
+
+						// Now the folder links
+						Element links
+						links = allIncomingAssociationInstances(core, source_id, "contains")
+						while (set_len(links) > 0):
+							model_delete_element(core, set_pop(links))
+						instantiate_link(core, "contains", "", get_entry_id(get_foldername(target)), source_id)
+
+						// Flush caches
+						dict_add(caches["models"], target, caches["models"][source])
+						dict_delete(caches["models"], source)
+
+						// Done
+						return "Success"!
+					else:
+						return "Write permission denied to: " + target!
+				else:
+					return "Write permission denied to: " + target!
+			else:
+				return "Model exists: " + target!
 		else:
-			return "Model exists: " + target!
+			return "Write permission denied to: " + source!
 	else:
 		return "Location not found: " + source!
 

unit/test_all.py

@@ -344,6 +344,20 @@ class TestModelverse(unittest.TestCase):
         except UnknownLocation:
             pass
 
+        # Test if we can move a model we can't write to (i.e., not allowed to remove it)
+        try:
+            model_move("formalisms/ProcessModel", "users/user/test/x")
+            self.fail()
+        except WritePermissionDenied:
+            pass
+
+        # Test if we can move a model to a place we can't write to
+        try:
+            model_move("users/user/test/a", "administration/ProcessModel2")
+            self.fail()
+        except WritePermissionDenied:
+            pass
+
     def test_op_model_delete(self):
         # Test basic delete
         model_add("users/user/test/a", "formalisms/SimpleClassDiagrams")

wrappers/modelverse_SCCD.py

@@ -1,6 +1,8 @@
 """
 Generated by Statechart compiler by Glenn De Jonghe, Joeri Exelmans, Simon Van Mierlo, and Yentl Van Tendeloo (for the inspiration)
 
+Date:   Mon Jun 11 09:14:38 2018
+
 Model author: Yentl Van Tendeloo
 Model name:   MvK Server
 Model description: