doc/tutorials/advanced/part02_security.rst
author Laurent Peuch <cortex@worlddomination.be>
Thu, 21 Feb 2019 15:16:22 +0100
changeset 12383 2dee7a944b3a
parent 12382 c73da3aa84cc
child 12384 b2e0b6a8f76c
permissions -rw-r--r--
[doc] default tests template has changed
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
     1
.. _TutosPhotoWebSiteSecurity:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
     2
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
     3
Security, testing and migration
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
     4
-------------------------------
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
     5
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
     6
This part will cover various topics:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
     7
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
     8
* configuring security
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
     9
* migrating existing instance
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    10
* writing some unit tests
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    11
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    12
Here is the ``read`` security model I want:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    13
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    14
* folders, files, images and comments should have one of the following visibility:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    15
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    16
  - ``public``, everyone can see it
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    17
  - ``authenticated``, only authenticated users can see it
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    18
  - ``restricted``, only a subset of authenticated users can see it
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    19
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    20
* managers (e.g. me) can see everything
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    21
* only authenticated users can see people
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    22
* everyone can see classifier entities, such as tag and zone
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    23
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    24
Also, unless explicitly specified, the visibility of an image should be the same as
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    25
its parent folder, as well as visibility of a comment should be the same as the
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    26
commented entity. If there is no parent entity, the default visibility is
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    27
``authenticated``.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    28
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    29
Regarding write security, that's much easier:
12381
a383091bdea8 [doc] rst syntax bug, blank line needed before item list
Laurent Peuch <cortex@worlddomination.be>
parents: 12209
diff changeset
    30
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    31
* anonymous can't write anything
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    32
* authenticated users can only add comment
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    33
* managers will add the remaining stuff
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    34
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    35
Now, let's implement that!
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    36
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    37
Proper security in CubicWeb is done at the schema level, so you don't have to
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    38
bother with it in views: users will only see what they can see automatically.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    39
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    40
.. _adv_tuto_security:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    41
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    42
Step 1: configuring security into the schema
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    44
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    45
In schema, you can grant access according to groups, or to some RQL expressions:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    46
users get access if the expression returns some results. To implement the read
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    47
security defined earlier, groups are not enough, we'll need some RQL expression. Here
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    48
is the idea:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    49
6923
327443ec7120 [doc] update photo web site tutorial: we're starting from cw 3.10/file 1.9+
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6876
diff changeset
    50
* add a `visibility` attribute on Folder, File and Comment, which may be one of
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    51
  the value explained above
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    52
6923
327443ec7120 [doc] update photo web site tutorial: we're starting from cw 3.10/file 1.9+
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6876
diff changeset
    53
* add a `may_be_read_by` relation from Folder, File and Comment to users,
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    54
  which will define who can see the entity
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    55
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    56
* security propagation will be done in hook.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    57
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    58
So the first thing to do is to modify my cube's schema.py to define those
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    59
relations:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    60
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    61
.. sourcecode:: python
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    62
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    63
    from yams.constraints import StaticVocabularyConstraint
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    64
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    65
    class visibility(RelationDefinition):
6923
327443ec7120 [doc] update photo web site tutorial: we're starting from cw 3.10/file 1.9+
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6876
diff changeset
    66
	subject = ('Folder', 'File', 'Comment')
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    67
	object = 'String'
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    68
	constraints = [StaticVocabularyConstraint(('public', 'authenticated',
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    69
						   'restricted', 'parent'))]
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    70
	default = 'parent'
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    71
	cardinality = '11' # required
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    72
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    73
    class may_be_read_by(RelationDefinition):
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    74
        __permissions__ = {
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    75
	    'read':   ('managers', 'users'),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    76
	    'add':    ('managers',),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    77
	    'delete': ('managers',),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    78
	    }
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    79
6923
327443ec7120 [doc] update photo web site tutorial: we're starting from cw 3.10/file 1.9+
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6876
diff changeset
    80
	subject = ('Folder', 'File', 'Comment',)
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    81
	object = 'CWUser'
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    82
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    83
We can note the following points:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    84
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    85
* we've added a new `visibility` attribute to folder, file, image and comment
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    86
  using a `RelationDefinition`
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    87
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    88
* `cardinality = '11'` means this attribute is required. This is usually hidden
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    89
  under the `required` argument given to the `String` constructor, but we can
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    90
  rely on this here (same thing for StaticVocabularyConstraint, which is usually
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    91
  hidden by the `vocabulary` argument)
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    92
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    93
* the `parent` possible value will be used for visibility propagation
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    94
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    95
* think to secure the `may_be_read_by` permissions, else any user can add/delete it
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    96
  by default, which somewhat breaks our security model...
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    97
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    98
Now, we should be able to define security rules in the schema, based on these new
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    99
attribute and relation. Here is the code to add to *schema.py*:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   100
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   101
.. sourcecode:: python
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   102
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   103
    from cubicweb.schema import ERQLExpression
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   104
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   105
    VISIBILITY_PERMISSIONS = {
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   106
	'read':   ('managers',
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   107
		   ERQLExpression('X visibility "public"'),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   108
		   ERQLExpression('X may_be_read_by U')),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   109
	'add':    ('managers',),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   110
	'update': ('managers', 'owners',),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   111
	'delete': ('managers', 'owners'),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   112
	}
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   113
    AUTH_ONLY_PERMISSIONS = {
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   114
	    'read':   ('managers', 'users'),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   115
	    'add':    ('managers',),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   116
	    'update': ('managers', 'owners',),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   117
	    'delete': ('managers', 'owners'),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   118
	    }
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   119
    CLASSIFIERS_PERMISSIONS = {
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   120
	    'read':   ('managers', 'users', 'guests'),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   121
	    'add':    ('managers',),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   122
	    'update': ('managers', 'owners',),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   123
	    'delete': ('managers', 'owners'),
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   124
	    }
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   125
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   126
    from cubes.folder.schema import Folder
6923
327443ec7120 [doc] update photo web site tutorial: we're starting from cw 3.10/file 1.9+
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6876
diff changeset
   127
    from cubes.file.schema import File
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   128
    from cubes.comment.schema import Comment
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   129
    from cubes.person.schema import Person
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   130
    from cubes.zone.schema import Zone
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   131
    from cubes.tag.schema import Tag
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   132
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   133
    Folder.__permissions__ = VISIBILITY_PERMISSIONS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   134
    File.__permissions__ = VISIBILITY_PERMISSIONS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   135
    Comment.__permissions__ = VISIBILITY_PERMISSIONS.copy()
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   136
    Comment.__permissions__['add'] = ('managers', 'users',)
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   137
    Person.__permissions__ = AUTH_ONLY_PERMISSIONS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   138
    Zone.__permissions__ = CLASSIFIERS_PERMISSIONS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   139
    Tag.__permissions__ = CLASSIFIERS_PERMISSIONS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   140
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   141
What's important in there:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   142
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   143
* `VISIBILITY_PERMISSIONS` provides read access to managers group, if
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   144
  `visibility` attribute's value is 'public', or if user (designed by the 'U'
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   145
  variable in the expression) is linked to the entity (the 'X' variable) through
9881
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   146
  the `may_be_read_by` permission
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   147
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   148
* we modify permissions of the entity types we use by importing them and
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   149
  modifying their `__permissions__` attribute
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   150
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   151
* notice the `.copy()`: we only want to modify 'add' permission for `Comment`,
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   152
  not for all entity types using `VISIBILITY_PERMISSIONS`!
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   153
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   154
* the remaining part of the security model is done using regular groups:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   155
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   156
  - `users` is the group to which all authenticated users will belong
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   157
  - `guests` is the group of anonymous users
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   158
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   159
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   160
.. _adv_tuto_security_propagation:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   161
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   162
Step 2: security propagation in hooks
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   163
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   164
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   165
To fullfill the requirements, we have to implement::
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   166
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   167
  Also, unless explicity specified, visibility of an image should be the same as
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   168
  its parent folder, as well as visibility of a comment should be the same as the
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   169
  commented entity.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   170
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   171
This kind of `active` rule will be done using CubicWeb's hook
9881
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   172
system. Hooks are triggered on database events such as addition of a new
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   173
entity or relation.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   174
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   175
The tricky part of the requirement is in *unless explicitly specified*, notably
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   176
because when the entity is added, we don't know yet its 'parent'
6923
327443ec7120 [doc] update photo web site tutorial: we're starting from cw 3.10/file 1.9+
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6876
diff changeset
   177
entity (e.g. Folder of an File, File commented by a Comment). To handle such things,
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   178
CubicWeb provides `Operation`, which allow to schedule things to do at commit time.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   179
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   180
In our case we will:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   181
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   182
* on entity creation, schedule an operation that will set default visibility
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   183
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   184
* when a "parent" relation is added, propagate parent's visibility unless the
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   185
  child already has a visibility set
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   186
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   187
Here is the code in cube's *hooks.py*:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   188
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   189
.. sourcecode:: python
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   190
8190
2a3c1b787688 [vreg] move base registry implementation to logilab.common. Closes #1916014
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 7286
diff changeset
   191
    from cubicweb.predicates import is_instance
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   192
    from cubicweb.server import hook
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   193
7286
a0d3ea01f4bf [doc] fix doc and tutorials about hooks and operations
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents: 6923
diff changeset
   194
    class SetVisibilityOp(hook.DataOperationMixIn, hook.Operation):
a0d3ea01f4bf [doc] fix doc and tutorials about hooks and operations
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents: 6923
diff changeset
   195
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   196
	def precommit_event(self):
7286
a0d3ea01f4bf [doc] fix doc and tutorials about hooks and operations
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents: 6923
diff changeset
   197
	    for eid in self.get_data():
12209
3a3551fff787 [doc] Update the advanced tutorial
Olivier Giorgis <olivier.giorgis@logilab.fr>
parents: 10491
diff changeset
   198
		entity = self.cnx.entity_from_eid(eid)
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   199
		if entity.visibility == 'parent':
8483
4ba11607d84a [entity api] unify set_attributes / set_relations into a cw_set method. Closes #2423719
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8190
diff changeset
   200
		    entity.cw_set(visibility=u'authenticated')
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   201
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   202
    class SetVisibilityHook(hook.Hook):
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   203
	__regid__ = 'sytweb.setvisibility'
6923
327443ec7120 [doc] update photo web site tutorial: we're starting from cw 3.10/file 1.9+
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 6876
diff changeset
   204
	__select__ = hook.Hook.__select__ & is_instance('Folder', 'File', 'Comment')
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   205
	events = ('after_add_entity',)
7286
a0d3ea01f4bf [doc] fix doc and tutorials about hooks and operations
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents: 6923
diff changeset
   206
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   207
	def __call__(self):
7286
a0d3ea01f4bf [doc] fix doc and tutorials about hooks and operations
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents: 6923
diff changeset
   208
	    SetVisibilityOp.get_instance(self._cw).add_data(self.entity.eid)
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   209
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   210
    class SetParentVisibilityHook(hook.Hook):
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   211
	__regid__ = 'sytweb.setparentvisibility'
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   212
	__select__ = hook.Hook.__select__ & hook.match_rtype('filed_under', 'comments')
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   213
	events = ('after_add_relation',)
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   214
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   215
	def __call__(self):
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   216
	    parent = self._cw.entity_from_eid(self.eidto)
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   217
	    child = self._cw.entity_from_eid(self.eidfrom)
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   218
	    if child.visibility == 'parent':
8483
4ba11607d84a [entity api] unify set_attributes / set_relations into a cw_set method. Closes #2423719
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 8190
diff changeset
   219
		child.cw_set(visibility=parent.visibility)
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   220
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   221
Notice:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   222
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   223
* hooks are application objects, hence have selectors that should match entity or
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   224
  relation types to which the hook applies. To match a relation type, we use the
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   225
  hook specific `match_rtype` selector.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   226
9881
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   227
* usage of `DataOperationMixIn`: instead of adding an operation for each added entity,
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   228
  DataOperationMixIn allows to create a single one and to store entity's eids to be
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   229
  processed in the transaction data. This is a good pratice to avoid heavy
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   230
  operations manipulation cost when creating a lot of entities in the same
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   231
  transaction.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   232
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   233
* the `precommit_event` method of the operation will be called at transaction's
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   234
  commit time.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   235
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   236
* in a hook, `self._cw` is the repository session, not a web request as usually
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   237
  in views
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   238
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   239
* according to hook's event, you have access to different attributes on the hook
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   240
  instance. Here:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   241
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   242
  - `self.entity` is the newly added entity on 'after_add_entity' events
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   243
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   244
  - `self.eidfrom` / `self.eidto` are the eid of the subject / object entity on
7286
a0d3ea01f4bf [doc] fix doc and tutorials about hooks and operations
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents: 6923
diff changeset
   245
    'after_add_relation' events (you may also get the relation type using
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   246
    `self.rtype`)
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   247
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   248
The `parent` visibility value is used to tell "propagate using parent security"
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   249
because we want that attribute to be required, so we can't use None value else
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   250
we'll get an error before we get any chance to propagate...
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   251
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   252
Now, we also want to propagate the `may_be_read_by` relation. Fortunately,
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   253
CubicWeb provides some base hook classes for such things, so we only have to add
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   254
the following code to *hooks.py*:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   255
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   256
.. sourcecode:: python
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   257
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   258
    # relations where the "parent" entity is the subject
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   259
    S_RELS = set()
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   260
    # relations where the "parent" entity is the object
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   261
    O_RELS = set(('filed_under', 'comments',))
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   262
9391
5537c3b64841 [book] replace PropagateSubjectRelation*Hook references
Samuel Trégouët <samuel.tregouet@logilab.fr>
parents: 8483
diff changeset
   263
    class AddEntitySecurityPropagationHook(hook.PropagateRelationHook):
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   264
	"""propagate permissions when new entity are added"""
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   265
	__regid__ = 'sytweb.addentity_security_propagation'
9391
5537c3b64841 [book] replace PropagateSubjectRelation*Hook references
Samuel Trégouët <samuel.tregouet@logilab.fr>
parents: 8483
diff changeset
   266
	__select__ = (hook.PropagateRelationHook.__select__
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   267
		      & hook.match_rtype_sets(S_RELS, O_RELS))
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   268
	main_rtype = 'may_be_read_by'
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   269
	subject_relations = S_RELS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   270
	object_relations = O_RELS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   271
9391
5537c3b64841 [book] replace PropagateSubjectRelation*Hook references
Samuel Trégouët <samuel.tregouet@logilab.fr>
parents: 8483
diff changeset
   272
    class AddPermissionSecurityPropagationHook(hook.PropagateRelationAddHook):
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   273
	"""propagate permissions when new entity are added"""
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   274
	__regid__ = 'sytweb.addperm_security_propagation'
9391
5537c3b64841 [book] replace PropagateSubjectRelation*Hook references
Samuel Trégouët <samuel.tregouet@logilab.fr>
parents: 8483
diff changeset
   275
	__select__ = (hook.PropagateRelationAddHook.__select__
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   276
		      & hook.match_rtype('may_be_read_by',))
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   277
	subject_relations = S_RELS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   278
	object_relations = O_RELS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   279
9391
5537c3b64841 [book] replace PropagateSubjectRelation*Hook references
Samuel Trégouët <samuel.tregouet@logilab.fr>
parents: 8483
diff changeset
   280
    class DelPermissionSecurityPropagationHook(hook.PropagateRelationDelHook):
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   281
	__regid__ = 'sytweb.delperm_security_propagation'
9391
5537c3b64841 [book] replace PropagateSubjectRelation*Hook references
Samuel Trégouët <samuel.tregouet@logilab.fr>
parents: 8483
diff changeset
   282
	__select__ = (hook.PropagateRelationDelHook.__select__
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   283
		      & hook.match_rtype('may_be_read_by',))
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   284
	subject_relations = S_RELS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   285
	object_relations = O_RELS
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   286
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   287
* the `AddEntitySecurityPropagationHook` will propagate the relation
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   288
  when `filed_under` or `comments` relations are added
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   289
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   290
  - the `S_RELS` and `O_RELS` set as well as the `match_rtype_sets` selector are
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   291
    used here so that if my cube is used by another one, it'll be able to
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   292
    configure security propagation by simply adding relation to one of the two
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   293
    sets.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   294
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   295
* the two others will propagate permissions changes on parent entities to
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   296
  children entities
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   297
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   298
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   299
.. _adv_tuto_tesing_security:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   300
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   301
Step 3: testing our security
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   302
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   303
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   304
Security is tricky. Writing some tests for it is a very good idea. You should
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   305
even write them first, as Test Driven Development recommends!
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   306
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   307
Here is a small test case that will check the basis of our security
12382
c73da3aa84cc [doc] default generated filename as changed
Laurent Peuch <cortex@worlddomination.be>
parents: 12381
diff changeset
   308
model, in :file:`test/test_sytweb.py`:
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   309
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   310
.. sourcecode:: python
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   311
12383
2dee7a944b3a [doc] default tests template has changed
Laurent Peuch <cortex@worlddomination.be>
parents: 12382
diff changeset
   312
    from cubicweb.devtools import testlib
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   313
    from cubicweb import Binary
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   314
12383
2dee7a944b3a [doc] default tests template has changed
Laurent Peuch <cortex@worlddomination.be>
parents: 12382
diff changeset
   315
    class SecurityTC(testlib.CubicWebTC):
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   316
10383
53d7cf6f0b84 [doc] fix errors in test_visibility_propagation example
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 10376
diff changeset
   317
        def test_visibility_propagation(self):
9878
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   318
            with self.admin_access.repo_cnx() as cnx:
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   319
                # create a user for later security checks
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   320
                toto = self.create_user(cnx, 'toto')
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   321
                cnx.commit()
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   322
                # init some data using the default manager connection
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   323
                folder = cnx.create_entity('Folder',
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   324
                                           name=u'restricted',
10383
53d7cf6f0b84 [doc] fix errors in test_visibility_propagation example
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 10376
diff changeset
   325
                                           visibility=u'restricted')
9878
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   326
                photo1 = cnx.create_entity('File',
10383
53d7cf6f0b84 [doc] fix errors in test_visibility_propagation example
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 10376
diff changeset
   327
                                           data_name=u'photo1.jpg',
9878
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   328
                                           data=Binary('xxx'),
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   329
                                           filed_under=folder)
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   330
                cnx.commit()
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   331
                # visibility propagation
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   332
                self.assertEquals(photo1.visibility, 'restricted')
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   333
                # unless explicitly specified
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   334
                photo2 = cnx.create_entity('File',
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   335
                                           data_name=u'photo2.jpg',
10383
53d7cf6f0b84 [doc] fix errors in test_visibility_propagation example
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 10376
diff changeset
   336
                                           data=Binary('xxx'),
53d7cf6f0b84 [doc] fix errors in test_visibility_propagation example
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 10376
diff changeset
   337
                                           visibility=u'public',
53d7cf6f0b84 [doc] fix errors in test_visibility_propagation example
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 10376
diff changeset
   338
                                           filed_under=folder)
9878
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   339
                cnx.commit()
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   340
                self.assertEquals(photo2.visibility, 'public')
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   341
            with self.new_access('toto').repo_cnx() as cnx:
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   342
                # test security
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   343
                self.assertEqual(1, len(cnx.execute('File X'))) # only the public one
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   344
                self.assertEqual(0, len(cnx.execute('Folder X'))) # restricted...
10383
53d7cf6f0b84 [doc] fix errors in test_visibility_propagation example
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 10376
diff changeset
   345
            with self.admin_access.repo_cnx() as cnx:
9878
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   346
                # may_be_read_by propagation
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   347
                folder = cnx.entity_from_eid(folder.eid)
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   348
                folder.cw_set(may_be_read_by=toto)
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   349
                cnx.commit()
10383
53d7cf6f0b84 [doc] fix errors in test_visibility_propagation example
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 10376
diff changeset
   350
            with self.new_access('toto').repo_cnx() as cnx:
53d7cf6f0b84 [doc] fix errors in test_visibility_propagation example
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 10376
diff changeset
   351
                photo1 = cnx.entity_from_eid(photo1.eid)
9878
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   352
                self.failUnless(photo1.may_be_read_by)
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   353
                # test security with permissions
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   354
                self.assertEquals(2, len(cnx.execute('File X'))) # now toto has access to photo2
f3936f64bd98 [doc/book] update examples, using the new connection api
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 9391
diff changeset
   355
                self.assertEquals(1, len(cnx.execute('Folder X'))) # and to restricted folder
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   356
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   357
    if __name__ == '__main__':
12383
2dee7a944b3a [doc] default tests template has changed
Laurent Peuch <cortex@worlddomination.be>
parents: 12382
diff changeset
   358
        from unittest import main
2dee7a944b3a [doc] default tests template has changed
Laurent Peuch <cortex@worlddomination.be>
parents: 12382
diff changeset
   359
        main()
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   360
9881
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   361
It's not complete, but shows most things you'll want to do in tests: adding some
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   362
content, creating users and connecting as them in the test, etc...
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   363
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   364
To run it type:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   365
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   366
.. sourcecode:: bash
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   367
12209
3a3551fff787 [doc] Update the advanced tutorial
Olivier Giorgis <olivier.giorgis@logilab.fr>
parents: 10491
diff changeset
   368
    $ python test/unittest_sytweb.py
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   369
    ========================  unittest_sytweb.py  ========================
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   370
    -> creating tables [....................]
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   371
    -> inserting default user and default groups.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   372
    -> storing the schema in the database [....................]
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   373
    -> database for instance data initialized.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   374
    .
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   375
    ----------------------------------------------------------------------
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   376
    Ran 1 test in 22.547s
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   377
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   378
    OK
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   379
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   380
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   381
The first execution is taking time, since it creates a sqlite database for the
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   382
test instance. The second one will be much quicker:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   383
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   384
.. sourcecode:: bash
7286
a0d3ea01f4bf [doc] fix doc and tutorials about hooks and operations
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents: 6923
diff changeset
   385
12209
3a3551fff787 [doc] Update the advanced tutorial
Olivier Giorgis <olivier.giorgis@logilab.fr>
parents: 10491
diff changeset
   386
    $ python test/unittest_sytweb.py
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   387
    ========================  unittest_sytweb.py  ========================
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   388
    .
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   389
    ----------------------------------------------------------------------
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   390
    Ran 1 test in 2.662s
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   391
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   392
    OK
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   393
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   394
If you do some changes in your schema, you'll have to force regeneration of that
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   395
database. You do that by removing the tmpdb files before running the test: ::
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   396
9881
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   397
    $ rm data/database/tmpdb*
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   398
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   399
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   400
.. _adv_tuto_migration_script:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   401
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   402
Step 4: writing the migration script and migrating the instance
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   403
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   404
9881
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   405
Prior to those changes, I created an instance, fed it with some data, so I
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   406
don't want to create a new one, but to migrate the existing one. Let's see how to
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   407
do that.
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   408
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   409
Migration commands should be put in the cube's *migration* directory, in a
9881
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   410
file named file:`<X.Y.Z>_Any.py` ('Any' being there mostly for historical reasons).
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   411
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   412
Here I'll create a *migration/0.2.0_Any.py* file containing the following
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   413
instructions:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   414
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   415
.. sourcecode:: python
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   416
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   417
  add_relation_type('may_be_read_by')
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   418
  add_relation_type('visibility')
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   419
  sync_schema_props_perms()
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   420
9881
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   421
Then I update the version number in the cube's *__pkginfo__.py* to 0.2.0. And
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   422
that's it! Those instructions will:
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   423
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   424
* update the instance's schema by adding our two new relations and update the
9881
3c2202e7bd31 [doc/book] spelling fixes in security tutorial
Julien Cristau <julien.cristau@logilab.fr>
parents: 9878
diff changeset
   425
  underlying database tables accordingly (the first two instructions)
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   426
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   427
* update schema's permissions definition (the last instruction)
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   428
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   429
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   430
To migrate my instance I simply type::
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   431
10376
b566c8081832 [doc] the instance is sytweb_instance and sytweb is the cube
Rabah Meradi <rabah.meradi@logilab.fr>
parents: 9881
diff changeset
   432
   cubicweb-ctl upgrade sytweb_instance
6876
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   433
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   434
You'll then be asked some questions to do the migration step by step. You should say
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   435
YES when it asks if a backup of your database should be done, so you can get back
4b0b9d8207c5 [doc] backport part 3 & 4 of the sytweb's tutorial + to be published part 5
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
   436
to initial state if anything goes wrong...