author | Sylvain Thénault <sylvain.thenault@logilab.fr> |
Tue, 13 Oct 2009 15:59:47 +0200 | |
changeset 3657 | 706d7bf0ae3d |
parent 3376 | f5c69485381f |
child 3720 | 5376aaadd16b |
permissions | -rw-r--r-- |
0 | 1 |
"""Security hooks: check permissions to add/delete/update entities according to |
2 |
the user connected to a session |
|
3 |
||
4 |
:organization: Logilab |
|
1977
606923dff11b
big bunch of copyright / docstring update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1802
diff
changeset
|
5 |
:copyright: 2001-2009 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2. |
0 | 6 |
:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr |
1977
606923dff11b
big bunch of copyright / docstring update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1802
diff
changeset
|
7 |
:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses |
0 | 8 |
""" |
9 |
__docformat__ = "restructuredtext en" |
|
10 |
||
11 |
from cubicweb import Unauthorized |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
12 |
from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
13 |
|
0 | 14 |
|
15 |
def check_entity_attributes(session, entity): |
|
16 |
eid = entity.eid |
|
17 |
eschema = entity.e_schema |
|
18 |
# ._default_set is only there on entity creation to indicate unspecified |
|
19 |
# attributes which has been set to a default value defined in the schema |
|
20 |
defaults = getattr(entity, '_default_set', ()) |
|
2647
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
21 |
try: |
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
22 |
editedattrs = entity.edited_attributes |
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
23 |
except AttributeError: |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
24 |
editedattrs = entity |
2647
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
25 |
for attr in editedattrs: |
0 | 26 |
if attr in defaults: |
27 |
continue |
|
28 |
rschema = eschema.subject_relation(attr) |
|
29 |
if rschema.is_final(): # non final relation are checked by other hooks |
|
30 |
# add/delete should be equivalent (XXX: unify them into 'update' ?) |
|
31 |
rschema.check_perm(session, 'add', eid) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
32 |
|
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
33 |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
34 |
class _CheckEntityPermissionOp(hook.LateOperation): |
0 | 35 |
def precommit_event(self): |
36 |
#print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action |
|
37 |
self.entity.check_perm(self.action) |
|
38 |
check_entity_attributes(self.session, self.entity) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
39 |
|
0 | 40 |
def commit_event(self): |
41 |
pass |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
42 |
|
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
43 |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
44 |
class _CheckRelationPermissionOp(hook.LateOperation): |
0 | 45 |
def precommit_event(self): |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
46 |
self.rschema.check_perm(self.session, self.action, self.eidfrom, self.eidto) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
47 |
|
0 | 48 |
def commit_event(self): |
49 |
pass |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
50 |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
51 |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
52 |
class SecurityHook(hook.Hook): |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
53 |
__abstract__ = True |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
54 |
category = 'security' |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
55 |
__select__ = hook.Hook.__select__ & hook.regular_session() |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
56 |
|
0 | 57 |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
58 |
class AfterAddEntitySecurityHook(SecurityHook): |
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
59 |
__regid__ = 'securityafteraddentity' |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
60 |
events = ('after_add_entity',) |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
61 |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
62 |
def __call__(self): |
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
63 |
_CheckEntityPermissionOp(self._cw, entity=self.entity, action='add') |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
64 |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
65 |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
66 |
class AfterUpdateEntitySecurityHook(SecurityHook): |
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
67 |
__regid__ = 'securityafterupdateentity' |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
68 |
events = ('after_update_entity',) |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
69 |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
70 |
def __call__(self): |
0 | 71 |
try: |
72 |
# check user has permission right now, if not retry at commit time |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
73 |
self.entity.check_perm('update') |
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
74 |
check_entity_attributes(self._cw, self.entity) |
0 | 75 |
except Unauthorized: |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
76 |
self.entity.clear_local_perm_cache('update') |
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
77 |
_CheckEntityPermissionOp(self._cw, entity=self.entity, action='update') |
0 | 78 |
|
79 |
||
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
80 |
class BeforeDelEntitySecurityHook(SecurityHook): |
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
81 |
__regid__ = 'securitybeforedelentity' |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
82 |
events = ('before_delete_entity',) |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
83 |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
84 |
def __call__(self): |
2895
903bd3f89f80
should directly use entity.check_perm now that we've an entity instance
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2847
diff
changeset
|
85 |
self.entity.check_perm('delete') |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
86 |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
87 |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
88 |
class BeforeAddRelationSecurityHook(SecurityHook): |
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
89 |
__regid__ = 'securitybeforeaddrelation' |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
90 |
events = ('before_add_relation',) |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
91 |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
92 |
def __call__(self): |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
93 |
if self.rtype in BEFORE_ADD_RELATIONS: |
2968
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
94 |
nocheck = self._cw.transaction_data.get('skip-security', ()) |
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
95 |
if (self.eidfrom, self.rtype, self.eidto) in nocheck: |
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
96 |
return |
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
97 |
rschema = self._cw.repo.schema[self.rtype] |
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
98 |
rschema.check_perm(self._cw, 'add', self.eidfrom, self.eidto) |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
99 |
|
0 | 100 |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
101 |
class AfterAddRelationSecurityHook(SecurityHook): |
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
102 |
__regid__ = 'securityafteraddrelation' |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
103 |
events = ('after_add_relation',) |
0 | 104 |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
105 |
def __call__(self): |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
106 |
if not self.rtype in BEFORE_ADD_RELATIONS: |
2968
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
107 |
nocheck = self._cw.transaction_data.get('skip-security', ()) |
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
108 |
if (self.eidfrom, self.rtype, self.eidto) in nocheck: |
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
109 |
return |
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
110 |
rschema = self._cw.repo.schema[self.rtype] |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
111 |
if self.rtype in ON_COMMIT_ADD_RELATIONS: |
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
112 |
_CheckRelationPermissionOp(self._cw, action='add', |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
113 |
rschema=rschema, |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
114 |
eidfrom=self.eidfrom, |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
115 |
eidto=self.eidto) |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
116 |
else: |
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
117 |
rschema.check_perm(self._cw, 'add', self.eidfrom, self.eidto) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
118 |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
119 |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
120 |
class BeforeDelRelationSecurityHook(SecurityHook): |
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
121 |
__regid__ = 'securitybeforedelrelation' |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
122 |
events = ('before_delete_relation',) |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
123 |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
124 |
def __call__(self): |
2968
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
125 |
nocheck = self._cw.transaction_data.get('skip-security', ()) |
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
126 |
if (self.eidfrom, self.rtype, self.eidto) in nocheck: |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
127 |
return |
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
128 |
self._cw.repo.schema[self.rtype].check_perm(self._cw, 'delete', |
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
129 |
self.eidfrom, self.eidto) |
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
130 |