| author | Sylvain Thénault <sylvain.thenault@logilab.fr> |
| Thu, 19 Nov 2009 12:55:47 +0100 | |
| branch | reldefsecurity |
| changeset 3877 | 7ca53fc72a0a |
| parent 3689 | deb13e88e037 |
| permissions | -rw-r--r-- |
| 0 | 1 |
"""Security hooks: check permissions to add/delete/update entities according to |
2 |
the user connected to a session |
|
3 |
||
4 |
:organization: Logilab |
|
|
1977
606923dff11b
big bunch of copyright / docstring update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1802
diff
changeset
|
5 |
:copyright: 2001-2009 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2. |
| 0 | 6 |
:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr |
|
1977
606923dff11b
big bunch of copyright / docstring update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1802
diff
changeset
|
7 |
:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses |
| 0 | 8 |
""" |
9 |
__docformat__ = "restructuredtext en" |
|
10 |
||
11 |
from cubicweb import Unauthorized |
|
12 |
from cubicweb.server.pool import LateOperation |
|
13 |
from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS |
|
14 |
||
15 |
def check_entity_attributes(session, entity): |
|
16 |
eid = entity.eid |
|
17 |
eschema = entity.e_schema |
|
18 |
# ._default_set is only there on entity creation to indicate unspecified |
|
19 |
# attributes which has been set to a default value defined in the schema |
|
20 |
defaults = getattr(entity, '_default_set', ()) |
|
|
2647
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
21 |
try: |
|
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
22 |
editedattrs = entity.edited_attributes |
|
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
23 |
except AttributeError: |
|
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
24 |
editedattrs = entity.keys() |
|
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
25 |
for attr in editedattrs: |
| 0 | 26 |
if attr in defaults: |
27 |
continue |
|
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
28 |
rdef = eschema.rdef(attr) |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
29 |
if rdef.final: # non final relation are checked by other hooks |
| 0 | 30 |
# add/delete should be equivalent (XXX: unify them into 'update' ?) |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
31 |
rdef.check_perm(session, 'add', eid=eid) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
32 |
|
|
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
33 |
|
| 0 | 34 |
class CheckEntityPermissionOp(LateOperation): |
35 |
def precommit_event(self): |
|
36 |
#print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action |
|
37 |
self.entity.check_perm(self.action) |
|
38 |
check_entity_attributes(self.session, self.entity) |
|
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
39 |
|
| 0 | 40 |
def commit_event(self): |
41 |
pass |
|
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
42 |
|
|
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
43 |
|
| 0 | 44 |
class CheckRelationPermissionOp(LateOperation): |
45 |
def precommit_event(self): |
|
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
46 |
rdef = self.rschema.rdef(self.session.describe(self.fromeid)[0], |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
47 |
self.session.describe(self.toeid)[0]) |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
48 |
rdef.check_perm(self.session, self.action, |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
49 |
fromeid=self.fromeid, toeid=self.toeid) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
50 |
|
| 0 | 51 |
def commit_event(self): |
52 |
pass |
|
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
53 |
|
| 0 | 54 |
def after_add_entity(session, entity): |
55 |
if not session.is_super_session: |
|
56 |
CheckEntityPermissionOp(session, entity=entity, action='add') |
|
57 |
||
58 |
def after_update_entity(session, entity): |
|
59 |
if not session.is_super_session: |
|
60 |
try: |
|
61 |
# check user has permission right now, if not retry at commit time |
|
62 |
entity.check_perm('update') |
|
63 |
check_entity_attributes(session, entity) |
|
64 |
except Unauthorized: |
|
|
475
b32a5772ff06
should clear local perm cache if first attempt failed
sylvain.thenault@logilab.fr
parents:
0
diff
changeset
|
65 |
entity.clear_local_perm_cache('update') |
| 0 | 66 |
CheckEntityPermissionOp(session, entity=entity, action='update') |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
67 |
|
| 0 | 68 |
def before_del_entity(session, eid): |
69 |
if not session.is_super_session: |
|
70 |
eschema = session.repo.schema[session.describe(eid)[0]] |
|
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
71 |
eschema.check_perm(session, 'delete', eid=eid) |
| 0 | 72 |
|
73 |
||
74 |
def before_add_relation(session, fromeid, rtype, toeid): |
|
75 |
if rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: |
|
|
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
76 |
nocheck = session.transaction_data.get('skip-security', ()) |
|
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
77 |
if (fromeid, rtype, toeid) in nocheck: |
|
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
78 |
return |
| 0 | 79 |
rschema = session.repo.schema[rtype] |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
80 |
rdef = rschema.rdef(session.describe(fromeid)[0], |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
81 |
session.describe(toeid)[0]) |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
82 |
rdef.check_perm(session, 'add', fromeid=fromeid, toeid=toeid) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
83 |
|
| 0 | 84 |
def after_add_relation(session, fromeid, rtype, toeid): |
85 |
if not rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: |
|
|
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
86 |
nocheck = session.transaction_data.get('skip-security', ()) |
|
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
87 |
if (fromeid, rtype, toeid) in nocheck: |
|
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
88 |
return |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
89 |
rschema = session.repo.schema.rschema(rtype) |
| 0 | 90 |
if rtype in ON_COMMIT_ADD_RELATIONS: |
91 |
CheckRelationPermissionOp(session, action='add', rschema=rschema, |
|
92 |
fromeid=fromeid, toeid=toeid) |
|
93 |
else: |
|
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
94 |
rdef = rschema.rdef(session.describe(fromeid)[0], |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
95 |
session.describe(toeid)[0]) |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
96 |
rdef.check_perm(session, 'add', fromeid=fromeid, toeid=toeid) |
| 0 | 97 |
|
98 |
def before_del_relation(session, fromeid, rtype, toeid): |
|
99 |
if not session.is_super_session: |
|
|
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
100 |
nocheck = session.transaction_data.get('skip-security', ()) |
|
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
101 |
if (fromeid, rtype, toeid) in nocheck: |
|
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
102 |
return |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
103 |
rschema = session.vreg.schema.rschema(rtype) |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
104 |
rdef = rschema.rdef(session.describe(fromeid)[0], |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
105 |
session.describe(toeid)[0]) |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
106 |
rdef.check_perm(session, 'delete', fromeid=fromeid, toeid=toeid) |
| 0 | 107 |
|
108 |
def register_security_hooks(hm): |
|
109 |
"""register meta-data related hooks on the hooks manager""" |
|
110 |
hm.register_hook(after_add_entity, 'after_add_entity', '') |
|
111 |
hm.register_hook(after_update_entity, 'after_update_entity', '') |
|
112 |
hm.register_hook(before_del_entity, 'before_delete_entity', '') |
|
113 |
hm.register_hook(before_add_relation, 'before_add_relation', '') |
|
114 |
hm.register_hook(after_add_relation, 'after_add_relation', '') |
|
115 |
hm.register_hook(before_del_relation, 'before_delete_relation', '') |
|
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
116 |