schemas/__init__.py
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 13 Feb 2014 13:58:28 +0100
changeset 9954 79d34ba48612
parent 7797 a71618a75b53
permissions -rw-r--r--
[CWEP002] refactor rql read security checking

Split 'check_read_perms' into 'check_relations_perms' which checks relations 'read' permissions and 'get_local_checks' which build dictionary of local security checks (rql expression) for variables. This allows to check relations 'read' permissions earlier in the process and so to prepare insertion of the rql rewriter: we want to check permissions of the computed relation, not permissions of relations introduced by the associated rule, to conform to the CWEP.

Related to #3546717
# copyright 2003-2011 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
#
# This file is part of CubicWeb.
#
# CubicWeb is free software: you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation, either version 2.1 of the License, or (at your option)
# any later version.
#
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public License along
# with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
"""some constants and classes to define schema permissions"""

__docformat__ = "restructuredtext en"

from cubicweb.schema import RO_REL_PERMS, RO_ATTR_PERMS, \
     PUB_SYSTEM_ENTITY_PERMS, PUB_SYSTEM_REL_PERMS, \
     ERQLExpression, RRQLExpression

# permissions for "meta" entity type (readable by anyone, can only be
# added/deleted by managers)
META_ETYPE_PERMS = PUB_SYSTEM_ENTITY_PERMS # XXX deprecates
# permissions for "meta" relation type (readable by anyone, can only be
# added/deleted by managers)
META_RTYPE_PERMS = PUB_SYSTEM_REL_PERMS # XXX deprecates
# permissions for relation type that should only set by hooks using unsafe
# execute, readable by anyone
HOOKS_RTYPE_PERMS = RO_REL_PERMS # XXX deprecates


from logilab.common.modutils import LazyObject
from logilab.common.deprecation import deprecated
class MyLazyObject(LazyObject):

    def _getobj(self):
        try:
            return super(MyLazyObject, self)._getobj()
        except ImportError:
            raise ImportError('In cubicweb 3.14, function %s has been moved to '
                              'cube localperms. Install it first.' % self.obj)

for name in ('xperm', 'xexpr', 'xrexpr', 'xorexpr', 'sexpr', 'restricted_sexpr',
             'restricted_oexpr', 'oexpr', 'relxperm', 'relxexpr', '_perm'):
    msg = '[3.14] import %s from cubes.localperms' % name
    globals()[name] = deprecated(msg, name=name, doc='deprecated')(MyLazyObject('cubes.localperms', name))