cubicweb: server/securityhooks.py@2565aae48d48 (annotated)

0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	1	"""Security hooks: check permissions to add/delete/update entities according to
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	2	the user connected to a session
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	3
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	4	:organization: Logilab
479 ac5c9442b1fd update some copyrights sylvain.thenault@logilab.fr parents: 475 diff changeset	5	:copyright: 2001-2009 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	6	:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	7	"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	8	__docformat__ = "restructuredtext en"
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	9
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	10	from cubicweb import Unauthorized
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	11	from cubicweb.server.pool import LateOperation
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	12	from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	13
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	14	def check_entity_attributes(session, entity):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	15	eid = entity.eid
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	16	eschema = entity.e_schema
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	17	# ._default_set is only there on entity creation to indicate unspecified
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	18	# attributes which has been set to a default value defined in the schema
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	19	defaults = getattr(entity, '_default_set', ())
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	20	for attr in entity.keys():
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	21	if attr in defaults:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	22	continue
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	23	rschema = eschema.subject_relation(attr)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	24	if rschema.is_final(): # non final relation are checked by other hooks
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	25	# add/delete should be equivalent (XXX: unify them into 'update' ?)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	26	rschema.check_perm(session, 'add', eid)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	27
d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	28
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	29	class CheckEntityPermissionOp(LateOperation):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	30	def precommit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	31	#print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	32	self.entity.check_perm(self.action)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	33	check_entity_attributes(self.session, self.entity)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	34
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	35	def commit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	36	pass
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	37
d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	38
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	39	class CheckRelationPermissionOp(LateOperation):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	40	def precommit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	41	self.rschema.check_perm(self.session, self.action, self.fromeid, self.toeid)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	42
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	43	def commit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	44	pass
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	45
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	46	def after_add_entity(session, entity):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	47	if not session.is_super_session:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	48	CheckEntityPermissionOp(session, entity=entity, action='add')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	49
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	50	def after_update_entity(session, entity):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	51	if not session.is_super_session:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	52	try:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	53	# check user has permission right now, if not retry at commit time
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	54	entity.check_perm('update')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	55	check_entity_attributes(session, entity)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	56	except Unauthorized:
475 b32a5772ff06 should clear local perm cache if first attempt failed sylvain.thenault@logilab.fr parents: 0 diff changeset	57	entity.clear_local_perm_cache('update')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	58	CheckEntityPermissionOp(session, entity=entity, action='update')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	59
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	60	def before_del_entity(session, eid):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	61	if not session.is_super_session:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	62	eschema = session.repo.schema[session.describe(eid)[0]]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	63	eschema.check_perm(session, 'delete', eid)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	64
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	65
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	66	def before_add_relation(session, fromeid, rtype, toeid):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	67	if rtype in BEFORE_ADD_RELATIONS and not session.is_super_session:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	68	rschema = session.repo.schema[rtype]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	69	rschema.check_perm(session, 'add', fromeid, toeid)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	70
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	71	def after_add_relation(session, fromeid, rtype, toeid):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	72	if not rtype in BEFORE_ADD_RELATIONS and not session.is_super_session:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	73	rschema = session.repo.schema[rtype]
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	74	if rtype in ON_COMMIT_ADD_RELATIONS:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	75	CheckRelationPermissionOp(session, action='add', rschema=rschema,
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	76	fromeid=fromeid, toeid=toeid)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	77	else:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	78	rschema.check_perm(session, 'add', fromeid, toeid)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	79
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	80	def before_del_relation(session, fromeid, rtype, toeid):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	81	if not session.is_super_session:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	82	session.repo.schema[rtype].check_perm(session, 'delete', fromeid, toeid)
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	83
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	84	def register_security_hooks(hm):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	85	"""register meta-data related hooks on the hooks manager"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	86	hm.register_hook(after_add_entity, 'after_add_entity', '')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	87	hm.register_hook(after_update_entity, 'after_update_entity', '')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	88	hm.register_hook(before_del_entity, 'before_delete_entity', '')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	89	hm.register_hook(before_add_relation, 'before_add_relation', '')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	90	hm.register_hook(after_add_relation, 'after_add_relation', '')
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	91	hm.register_hook(before_del_relation, 'before_delete_relation', '')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	92

author	Sylvain Thénault <sylvain.thenault@logilab.fr>
	Tue, 26 May 2009 11:23:39 +0200
branch	stable
changeset 1940	2565aae48d48
parent 1802	d628defebc17
child 1977	606923dff11b
permissions	-rw-r--r--