author | Sylvain Thénault <sylvain.thenault@logilab.fr> |
Tue, 22 Sep 2009 18:59:00 +0200 | |
branch | stable |
changeset 3372 | 26b89dfe4170 |
parent 3283 | 4f53eb3f1331 |
child 3581 | 669854258b90 |
permissions | -rw-r--r-- |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
1 |
.. -*- coding: utf-8 -*- |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
2 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
3 |
Yams *schema* |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
4 |
------------- |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
5 |
|
2476
1294a6bdf3bf
application -> instance where it makes sense
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2175
diff
changeset
|
6 |
The **schema** is the core piece of a *CubicWeb* instance as it defines |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
7 |
the handled data model. It is based on entity types that are either already |
2175
16d3c37c5d28
[doc] improvements
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
2172
diff
changeset
|
8 |
defined in the *CubicWeb* standard library; or more specific types, that |
16d3c37c5d28
[doc] improvements
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
2172
diff
changeset
|
9 |
*CubicWeb* expects to find in one or more Python files under the directory |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
10 |
`schema`. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
11 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
12 |
At this point, it is important to make clear the difference between |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
13 |
*relation type* and *relation definition*: a *relation type* is only a relation |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
14 |
name with potentially other additionnal properties (see XXXX), whereas a |
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
15 |
*relation definition* is a complete triplet |
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
16 |
"<subject entity type> <relation type> <object entity type>". |
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
17 |
A relation type could have been implied if none is related to a |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
18 |
relation definition of the schema. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
19 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
20 |
|
2175
16d3c37c5d28
[doc] improvements
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
2172
diff
changeset
|
21 |
All *CubicWeb* built-in types are available : `String`, `Int`, `Float`, |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
22 |
`Decimal`, `Boolean`, `Date`, `Datetime`, `Time`, `Interval`, `Byte` |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
23 |
and `Password`. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
24 |
They are implicitely imported (as well as the special the function "_" |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
25 |
for translation :ref:`internationalization`). |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
26 |
|
2476
1294a6bdf3bf
application -> instance where it makes sense
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2175
diff
changeset
|
27 |
The instance schema is defined on all appobjects by a .schema class attribute set |
1294a6bdf3bf
application -> instance where it makes sense
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2175
diff
changeset
|
28 |
on registration. It's an instance of :class:`yams.schema.Schema`. |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
29 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
30 |
Entity type |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
31 |
~~~~~~~~~~~ |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
32 |
It's an instance of :class:`yams.schema.EntitySchema` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
33 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
34 |
XXX meta |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
35 |
XXX permission |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
36 |
XXX yams inheritance |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
37 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
38 |
Relation type |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
39 |
~~~~~~~~~~~~~ |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
40 |
It's an instance of :class:`yams.schema.RelationSchema` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
41 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
42 |
In addition to the permissions, the properties of the relation types |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
43 |
(shared also by all definition of relation of this type) are : |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
44 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
45 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
46 |
* `inlined` : boolean handling the physical optimization for archiving |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
47 |
the relation in the subject entity table, instead of creating a specific |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
48 |
table for the relation. This applies to the relation when the cardinality |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
49 |
of subject->relation->object is 0..1 (`?`) or 1..1 (`1`) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
50 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
51 |
* `symmetric` : boolean indicating that the relation is symmetrical, which |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
52 |
means `X relation Y` implies `Y relation X` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
53 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
54 |
XXX meta |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
55 |
XXX permission |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
56 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
57 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
58 |
Relation definition |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
59 |
~~~~~~~~~~~~~~~~~~~ |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
60 |
Relation definition are represented in yams using an internal structure only exposed through the :mod:`api <yams.schema>`. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
61 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
62 |
Properties |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
63 |
`````````` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
64 |
Properties defined below are accessible through the following api: |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
65 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
66 |
RelationSchema.rproperties() |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
67 |
RelationSchema.rproperty(subjtype, objtype, property name) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
68 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
69 |
* Optional properties for attributes and relations : |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
70 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
71 |
- `description` : a string describing an attribute or a relation. By default |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
72 |
this string will be used in the editing form of the entity, which means |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
73 |
that it is supposed to help the end-user and should be flagged by the |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
74 |
function `_` to be properly internationalized. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
75 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
76 |
- `constraints` : a list of conditions/constraints that the relation has to |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
77 |
satisfy (c.f. `Contraints`_) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
78 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
79 |
- `cardinality` : a two character string which specify the cardinality of the |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
80 |
relation. The first character defines the cardinality of the relation on |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
81 |
the subject, and the second on the object. When a relation can have |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
82 |
multiple subjects or objects, the cardinality applies to all, |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
83 |
not on a one-to-one basis (so it must be consistent...). The possible |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
84 |
values are inspired from regular expression syntax : |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
85 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
86 |
* `1`: 1..1 |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
87 |
* `?`: 0..1 |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
88 |
* `+`: 1..n |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
89 |
* `*`: 0..n |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
90 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
91 |
- `meta` : boolean indicating that the relation is a meta-relation (false by |
3283 | 92 |
default, will disappear in *CubicWeb* 3.5) |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
93 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
94 |
* optional properties for attributes : |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
95 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
96 |
- `required` : boolean indicating if the attribute is required (false by default) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
97 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
98 |
- `unique` : boolean indicating if the value of the attribute has to be unique |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
99 |
or not within all entities of the same type (false by default) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
100 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
101 |
- `indexed` : boolean indicating if an index needs to be created for this |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
102 |
attribute in the database (false by default). This is useful only if |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
103 |
you know that you will have to run numerous searches on the value of this |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
104 |
attribute. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
105 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
106 |
- `default` : default value of the attribute. In case of date types, the values |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
107 |
which could be used correspond to the RQL keywords `TODAY` and `NOW`. |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
108 |
|
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
109 |
- `vocabulary` : specify static possible values of an attribute |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
110 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
111 |
* optional properties of type `String` : |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
112 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
113 |
- `fulltextindexed` : boolean indicating if the attribute is part of |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
114 |
the full text index (false by default) (*applicable on the type `Byte` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
115 |
as well*) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
116 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
117 |
- `internationalizable` : boolean indicating if the value of the attribute |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
118 |
is internationalizable (false by default) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
119 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
120 |
- `maxsize` : integer providing the maximum size of the string (no limit by default) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
121 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
122 |
* optional properties for relations : |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
123 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
124 |
- `composite` : string indicating that the subject (composite == 'subject') |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
125 |
is composed of the objects of the relations. For the opposite case (when |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
126 |
the object is composed of the subjects of the relation), we just set |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
127 |
'object' as value. The composition implies that when the relation |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
128 |
is deleted (so when the composite is deleted), the composed are also deleted. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
129 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
130 |
- `fti_container`: XXX feed me |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
131 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
132 |
Constraints |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
133 |
``````````` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
134 |
By default, the available constraint types are : |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
135 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
136 |
* `SizeConstraint` : allows to specify a minimum and/or maximum size on |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
137 |
string (generic case of `maxsize`) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
138 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
139 |
* `BoundConstraint` : allows to specify a minimum and/or maximum value on |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
140 |
numeric types |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
141 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
142 |
* `UniqueConstraint` : identical to "unique=True" |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
143 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
144 |
* `StaticVocabularyConstraint` : identical to "vocabulary=(...)" |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
145 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
146 |
* `RQLConstraint` : allows to specify a RQL query that has to be satisfied |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
147 |
by the subject and/or the object of the relation. In this query the variables |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
148 |
`S` and `O` are reserved for the entities subject and object of the |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
149 |
relation. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
150 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
151 |
* `RQLVocabularyConstraint` : similar to the previous type of constraint except |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
152 |
that it does not express a "strong" constraint, which means it is only used to |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
153 |
restrict the values listed in the drop-down menu of editing form, but it does |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
154 |
not prevent another entity to be selected. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
155 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
156 |
XXX note about how to add new constraint |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
157 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
158 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
159 |
The security model |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
160 |
~~~~~~~~~~~~~~~~~~ |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
161 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
162 |
The security model of `cubicWeb` is based on `Access Control List`. |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
163 |
The main principles are: |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
164 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
165 |
* users and groups of users |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
166 |
* a user belongs to at least one group of user |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
167 |
* permissions (read, update, create, delete) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
168 |
* permissions are assigned to groups (and not to users) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
169 |
|
2175
16d3c37c5d28
[doc] improvements
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
2172
diff
changeset
|
170 |
For *CubicWeb* in particular: |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
171 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
172 |
* we associate rights at the enttities/relations schema level |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
173 |
* for each entity, we distinguish four kind of permissions: read, |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
174 |
add, update and delete |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
175 |
* for each relation, we distinguish three king of permissions: read, |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
176 |
add and delete (we can not modify a relation) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
177 |
* the basic groups are: Administrators, Users and Guests |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
178 |
* by default, users belongs to the group Users |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
179 |
* there is a virtual group called `Owners users` to which we |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
180 |
can associate only deletion and update permissions |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
181 |
* we can not add users to the `Owners users` group, they are |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
182 |
implicetely added to it according to the context of the objects |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
183 |
they own |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
184 |
* the permissions of this group are only be checked on update/deletion |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
185 |
actions if all the other groups the user belongs does not provide |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
186 |
those permissions |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
187 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
188 |
Setting permissions is done with the attribute `permissions` of entities and |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
189 |
relation types. It defines a dictionary where the keys are the access types |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
190 |
(action), and the values are the authorized groups or expressions. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
191 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
192 |
For an entity type, the possible actions are `read`, `add`, `update` and |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
193 |
`delete`. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
194 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
195 |
For a relation type, the possible actions are `read`, `add`, and `delete`. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
196 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
197 |
For each access type, a tuple indicates the name of the authorized groups and/or |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
198 |
one or multiple RQL expressions to satisfy to grant access. The access is |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
199 |
provided once the user is in the listed groups or one of the RQL condition is |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
200 |
satisfied. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
201 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
202 |
The standard user groups |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
203 |
```````````````````````` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
204 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
205 |
* `guests` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
206 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
207 |
* `users` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
208 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
209 |
* `managers` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
210 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
211 |
* `owners` : virtual group corresponding to the entity's owner. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
212 |
This can only be used for the actions `update` and `delete` of an entity |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
213 |
type. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
214 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
215 |
It is also possible to use specific groups if they are defined in the precreate |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
216 |
of the cube (``migration/precreate.py``). |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
217 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
218 |
|
3283 | 219 |
Use of RQL expression for write permissions |
220 |
``````````````````````````````````````````` |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
221 |
It is possible to define RQL expression to provide update permission |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
222 |
(`add`, `delete` and `update`) on relation and entity types. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
223 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
224 |
RQL expression for entity type permission : |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
225 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
226 |
* you have to use the class `RQLExpression` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
227 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
228 |
* the used expression corresponds to the WHERE statement of an RQL query |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
229 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
230 |
* in this expression, the variables X and U are pre-defined references |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
231 |
respectively on the current entity (on which the action is verified) and |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
232 |
on the user who send the request |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
233 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
234 |
* it is possible to use, in this expression, a special relation |
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
235 |
"has_<ACTION>_permission" where the subject is the user and the |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
236 |
object is a any variable, meaning that the user needs to have |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
237 |
permission to execute the action <ACTION> on the entities related |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
238 |
to this variable |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
239 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
240 |
For RQL expressions on a relation type, the principles are the same except |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
241 |
for the following : |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
242 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
243 |
* you have to use the class `RQLExpression` in the case of a non-final relation |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
244 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
245 |
* in the expression, the variables S, O and U are pre-defined references |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
246 |
to respectively the subject and the object of the current relation (on |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
247 |
which the action is being verified) and the user who executed the query |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
248 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
249 |
* we can also defined rights on attributes of an entity (non-final relation), |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
250 |
knowing that : |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
251 |
|
3283 | 252 |
- to define RQL expression, we have to use the class `RQLExpression` |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
253 |
in which X represents the entity the attribute belongs to |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
254 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
255 |
- the permissions `add` and `delete` are equivalent. Only `add`/`read` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
256 |
are actually taken in consideration. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
257 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
258 |
:Note on the use of RQL expression for `add` permission: |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
259 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
260 |
Potentially, the use of an RQL expression to add an entity or a relation |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
261 |
can cause problems for the user interface, because if the expression uses |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
262 |
the entity or the relation to create, then we are not able to verify the |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
263 |
permissions before we actually add the entity (please note that this is |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
264 |
not a problem for the RQL server at all, because the permissions checks are |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
265 |
done after the creation). In such case, the permission check methods |
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
266 |
(check_perm, has_perm) can indicate that the user is not allowed to create |
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
267 |
this entity but can obtain the permission. |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
268 |
To compensate this problem, it is usually necessary, for such case, |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
269 |
to use an action that reflects the schema permissions but which enables |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
270 |
to check properly the permissions so that it would show up if necessary. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
271 |
|
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
272 |
|
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
273 |
Use of RQL expression for reading rights |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
274 |
```````````````````````````````````````` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
275 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
276 |
The principles are the same but with the following restrictions : |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
277 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
278 |
* we can not use `RRQLExpression` on relation types for reading |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
279 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
280 |
* special relations "has_<ACTION>_permission" can not be used |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
281 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
282 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
283 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
284 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
285 |
Defining your schema using yams |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
286 |
------------------------------- |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
287 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
288 |
Entity type definition |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
289 |
~~~~~~~~~~~~~~~~~~~~~~ |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
290 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
291 |
An entity type is defined by a Python class which inherits from `EntityType`. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
292 |
The class definition contains the description of attributes and relations |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
293 |
for the defined entity type. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
294 |
The class name corresponds to the entity type name. It is exepected to be |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
295 |
defined in the module ``mycube.schema``. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
296 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
297 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
298 |
For example :: |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
299 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
300 |
class Person(EntityType): |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
301 |
"""A person with the properties and the relations necessary for my |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
302 |
application""" |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
303 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
304 |
last_name = String(required=True, fulltextindexed=True) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
305 |
first_name = String(required=True, fulltextindexed=True) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
306 |
title = String(vocabulary=('Mr', 'Mrs', 'Miss')) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
307 |
date_of_birth = Date() |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
308 |
works_for = SubjectRelation('Company', cardinality='?*') |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
309 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
310 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
311 |
The entity described above defines three attributes of type String, |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
312 |
last_name, first_name and title, an attribute of type Date for the date of |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
313 |
birth and a relation that connects a `Person` to another entity of type |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
314 |
`Company` through the semantic `works_for`. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
315 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
316 |
The name of the Python attribute corresponds to the name of the attribute |
2175
16d3c37c5d28
[doc] improvements
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
2172
diff
changeset
|
317 |
or the relation in *CubicWeb* application. |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
318 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
319 |
An attribute is defined in the schema as follows:: |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
320 |
|
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
321 |
attr_name = attr_type(properties*) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
322 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
323 |
where `attr_type` is one of the type listed above and `properties` is |
3283 | 324 |
a list of the attribute needs to statisfy (see :ref:`properties` |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
325 |
for more details). |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
326 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
327 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
328 |
* relations can be defined by using `ObjectRelation` or `SubjectRelation`. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
329 |
The first argument of `SubjectRelation` or `ObjectRelation` gives respectively |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
330 |
the object/subject entity type of the relation. This could be : |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
331 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
332 |
* a string corresponding to an entity type |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
333 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
334 |
* a tuple of string corresponding to multiple entity types |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
335 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
336 |
* special string such as follows : |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
337 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
338 |
- "**" : all types of entities |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
339 |
- "*" : all types of non-meta entities |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
340 |
- "@" : all types of meta entities but not system entities (e.g. used for |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
341 |
the basic schema description) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
342 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
343 |
* it is possible to use the attribute `meta` to flag an entity type as a `meta` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
344 |
(e.g. used to describe/categorize other entities) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
345 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
346 |
Inheritance |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
347 |
``````````` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
348 |
XXX feed me |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
349 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
350 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
351 |
Definition of relations |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
352 |
~~~~~~~~~~~~~~~~~~~~~~~ |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
353 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
354 |
XXX add note about defining relation type / definition |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
355 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
356 |
A relation is defined by a Python class heriting `RelationType`. The name |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
357 |
of the class corresponds to the name of the type. The class then contains |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
358 |
a description of the properties of this type of relation, and could as well |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
359 |
contain a string for the subject and a string for the object. This allows to create |
2172
cf8f9180e63e
delete-trailing-whitespace
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
1714
diff
changeset
|
360 |
new definition of associated relations, (so that the class can have the |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
361 |
definition properties from the relation) for example :: |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
362 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
363 |
class locked_by(RelationType): |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
364 |
"""relation on all entities indicating that they are locked""" |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
365 |
inlined = True |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
366 |
cardinality = '?*' |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
367 |
subject = '*' |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
368 |
object = 'CWUser' |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
369 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
370 |
In the case of simultaneous relations definitions, `subject` and `object` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
371 |
can both be equal to the value of the first argument of `SubjectRelation` |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
372 |
and `ObjectRelation`. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
373 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
374 |
When a relation is not inlined and not symmetrical, and it does not require |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
375 |
specific permissions, its definition (by using `SubjectRelation` and |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
376 |
`ObjectRelation`) is all we need. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
377 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
378 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
379 |
Definition of permissions |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
380 |
~~~~~~~~~~~~~~~~~~~~~~~~~~ |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
381 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
382 |
In addition to that the entity type `CWPermission` from the standard library |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
383 |
allow to build very complex and dynamic security architecture. The schema of |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
384 |
this entity type is as follow : :: |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
385 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
386 |
class CWPermission(MetaEntityType): |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
387 |
"""entity type that may be used to construct some advanced security configuration |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
388 |
""" |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
389 |
name = String(required=True, indexed=True, internationalizable=True, maxsize=100) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
390 |
require_group = SubjectRelation('CWGroup', cardinality='+*', |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
391 |
description=_('groups to which the permission is granted')) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
392 |
require_state = SubjectRelation('State', |
3144
a5deac822a13
Bugfix: message was not written in english
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
2476
diff
changeset
|
393 |
description=_("entity's state in which the permission is applicable")) |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
394 |
# can be used on any entity |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
395 |
require_permission = ObjectRelation('**', cardinality='*1', composite='subject', |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
396 |
description=_("link a permission to the entity. This " |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
397 |
"permission should be used in the security " |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
398 |
"definition of the entity's type to be useful.")) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
399 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
400 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
401 |
Example of configuration :: |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
402 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
403 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
404 |
... |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
405 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
406 |
class Version(EntityType): |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
407 |
"""a version is defining the content of a particular project's release""" |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
408 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
409 |
permissions = {'read': ('managers', 'users', 'guests',), |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
410 |
'update': ('managers', 'logilab', 'owners',), |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
411 |
'delete': ('managers', ), |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
412 |
'add': ('managers', 'logilab', |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
413 |
ERQLExpression('X version_of PROJ, U in_group G,' |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
414 |
'PROJ require_permission P, P name "add_version",' |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
415 |
'P require_group G'),)} |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
416 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
417 |
... |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
418 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
419 |
class version_of(RelationType): |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
420 |
"""link a version to its project. A version is necessarily linked to one and only one project. |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
421 |
""" |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
422 |
permissions = {'read': ('managers', 'users', 'guests',), |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
423 |
'delete': ('managers', ), |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
424 |
'add': ('managers', 'logilab', |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
425 |
RRQLExpression('O require_permission P, P name "add_version",' |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
426 |
'U in_group G, P require_group G'),) |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
427 |
} |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
428 |
inlined = True |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
429 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
430 |
This configuration indicates that an entity `CWPermission` named |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
431 |
"add_version" can be associated to a project and provides rights to create |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
432 |
new versions on this project to specific groups. It is important to notice that : |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
433 |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
434 |
* in such case, we have to protect both the entity type "Version" and the relation |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
435 |
associating a version to a project ("version_of") |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
436 |
|
3283 | 437 |
* because of the genericity of the entity type `CWPermission`, we have to execute |
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
438 |
a unification with the groups and/or the states if necessary in the expression |
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
439 |
("U in_group G, P require_group G" in the above example) |