author | Sylvain Thénault <sylvain.thenault@logilab.fr> |
Wed, 27 Jan 2010 09:56:58 +0100 | |
changeset 4389 | 14a993bc8d1e |
parent 4243 | 2621de25d15a |
child 4754 | 6bf17f810975 |
permissions | -rw-r--r-- |
4243
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
1 |
"""some utilities to define schema permissions |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
2 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
3 |
:organization: Logilab |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
4 |
:copyright: 2008 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
5 |
:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
6 |
""" |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
7 |
__docformat__ = "restructuredtext en" |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
8 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
9 |
from rql.utils import quote |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
10 |
from cubicweb.schema import ERQLExpression, RRQLExpression |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
11 |
|
2502 | 12 |
# permissions for "meta" entity type (readable by anyone, can only be |
13 |
# added/deleted by managers) |
|
2141
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
14 |
META_ETYPE_PERMS = { |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
15 |
'read': ('managers', 'users', 'guests',), |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
16 |
'add': ('managers',), |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
17 |
'delete': ('managers',), |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
18 |
'update': ('managers', 'owners',), |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
19 |
} |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
20 |
|
2502 | 21 |
# permissions for "meta" relation type (readable by anyone, can only be |
22 |
# added/deleted by managers) |
|
2141
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
23 |
META_RTYPE_PERMS = { |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
24 |
'read': ('managers', 'users', 'guests',), |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
25 |
'add': ('managers',), |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
26 |
'delete': ('managers',), |
0072247db207
schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff
changeset
|
27 |
} |
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2141
diff
changeset
|
28 |
|
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2141
diff
changeset
|
29 |
# permissions for relation type that should only set by hooks using unsafe |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2141
diff
changeset
|
30 |
# execute, readable by anyone |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2141
diff
changeset
|
31 |
HOOKS_RTYPE_PERMS = { |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2141
diff
changeset
|
32 |
'read': ('managers', 'users', 'guests',), |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2141
diff
changeset
|
33 |
'add': (), |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2141
diff
changeset
|
34 |
'delete': (), |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2141
diff
changeset
|
35 |
} |
4243
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
36 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
37 |
def _perm(names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
38 |
if isinstance(names, (list, tuple)): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
39 |
if len(names) == 1: |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
40 |
names = quote(names[0]) |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
41 |
else: |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
42 |
names = 'IN (%s)' % (','.join(quote(name) for name in names)) |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
43 |
else: |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
44 |
names = quote(names) |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
45 |
#return u' require_permission P, P name %s, U in_group G, P require_group G' % names |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
46 |
return u' require_permission P, P name %s, U has_group_permission P' % names |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
47 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
48 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
49 |
def xperm(*names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
50 |
return 'X' + _perm(names) |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
51 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
52 |
def xexpr(*names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
53 |
return ERQLExpression(xperm(*names)) |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
54 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
55 |
def xrexpr(relation, *names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
56 |
return ERQLExpression('X %s Y, Y %s' % (relation, _perm(names))) |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
57 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
58 |
def xorexpr(relation, etype, *names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
59 |
return ERQLExpression('Y %s X, X is %s, Y %s' % (relation, etype, _perm(names))) |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
60 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
61 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
62 |
def sexpr(*names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
63 |
return RRQLExpression('S' + _perm(names), 'S') |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
64 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
65 |
def restricted_sexpr(restriction, *names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
66 |
rql = '%s, %s' % (restriction, 'S' + _perm(names)) |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
67 |
return RRQLExpression(rql, 'S') |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
68 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
69 |
def restricted_oexpr(restriction, *names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
70 |
rql = '%s, %s' % (restriction, 'O' + _perm(names)) |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
71 |
return RRQLExpression(rql, 'O') |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
72 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
73 |
def oexpr(*names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
74 |
return RRQLExpression('O' + _perm(names), 'O') |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
75 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
76 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
77 |
# def supdate_perm(): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
78 |
# return RRQLExpression('U has_update_permission S', 'S') |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
79 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
80 |
# def oupdate_perm(): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
81 |
# return RRQLExpression('U has_update_permission O', 'O') |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
82 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
83 |
def relxperm(rel, role, *names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
84 |
assert role in ('subject', 'object') |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
85 |
if role == 'subject': |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
86 |
zxrel = ', X %s Z' % rel |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
87 |
else: |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
88 |
zxrel = ', Z %s X' % rel |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
89 |
return 'Z' + _perm(names) + zxrel |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
90 |
|
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
91 |
def relxexpr(rel, role, *names): |
2621de25d15a
backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2502
diff
changeset
|
92 |
return ERQLExpression(relxperm(rel, role, *names)) |