cubicweb: hooks/security.py@8167de96c523 (annotated)

5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	1	# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	2	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	3	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	4	# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	5	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	6	# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	7	# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	8	# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	9	# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	10	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	11	# logilab-common is distributed in the hope that it will be useful, but WITHOUT
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	12	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	13	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	14	# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	15	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	16	# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	17	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	18	"""Security hooks: check permissions to add/delete/update entities according to
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	19	the user connected to a session
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	20
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	21	"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	22	__docformat__ = "restructuredtext en"
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	23
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	24	from cubicweb import Unauthorized
4835 13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	25	from cubicweb.selectors import objectify_selector, lltrace
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	26	from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	27
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	28
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	29	def check_entity_attributes(session, entity, editedattrs=None):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	30	eid = entity.eid
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	31	eschema = entity.e_schema
4970 1f3d8946ea84 fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4835 diff changeset	32	# .skip_security_attributes is there to bypass security for attributes
1f3d8946ea84 fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4835 diff changeset	33	# set by hooks by modifying the entity's dictionnary
1f3d8946ea84 fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4835 diff changeset	34	dontcheck = entity.skip_security_attributes
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	35	if editedattrs is None:
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	36	try:
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	37	editedattrs = entity.edited_attributes
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	38	except AttributeError:
4970 1f3d8946ea84 fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4835 diff changeset	39	editedattrs = entity # XXX unexpected
2647 b0a2e779845c enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 1977 diff changeset	40	for attr in editedattrs:
4999 221f76e14eea don't update dontcheck until everything went fine: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4970 diff changeset	41	if attr in dontcheck:
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	42	continue
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3689 diff changeset	43	rdef = eschema.rdef(attr)
7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3689 diff changeset	44	if rdef.final: # non final relation are checked by other hooks
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	45	# add/delete should be equivalent (XXX: unify them into 'update' ?)
4570 ede247bbbf62 follow yams api change: attributes permissions are now defined for Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4252 diff changeset	46	rdef.check_perm(session, 'update', eid=eid)
4999 221f76e14eea don't update dontcheck until everything went fine: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4970 diff changeset	47	# don't update dontcheck until everything went fine: see usage in
221f76e14eea don't update dontcheck until everything went fine: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4970 diff changeset	48	# after_update_entity, where if we got an Unauthorized at hook time, we will
221f76e14eea don't update dontcheck until everything went fine: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4970 diff changeset	49	# retry and commit time
221f76e14eea don't update dontcheck until everything went fine: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4970 diff changeset	50	dontcheck \|= frozenset(editedattrs)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	51
d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	52
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	53	class _CheckEntityPermissionOp(hook.LateOperation):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	54	def precommit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	55	#print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	56	self.entity.check_perm(self.action)
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	57	check_entity_attributes(self.session, self.entity, self.editedattrs)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	58
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	59	def commit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	60	pass
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	61
d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	62
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	63	class _CheckRelationPermissionOp(hook.LateOperation):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	64	def precommit_event(self):
3890 d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	65	rdef = self.rschema.rdef(self.session.describe(self.eidfrom)[0],
d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	66	self.session.describe(self.eidto)[0])
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3689 diff changeset	67	rdef.check_perm(self.session, self.action,
3890 d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	68	fromeid=self.eidfrom, toeid=self.eidto)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	69
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	70	def commit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	71	pass
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	72
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	73
4835 13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	74	@objectify_selector
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	75	@lltrace
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	76	def write_security_enabled(cls, req, **kwargs):
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	77	if req is None or not req.write_security:
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	78	return 0
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	79	return 1
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	80
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	81	class SecurityHook(hook.Hook):
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	82	__abstract__ = True
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	83	category = 'security'
4835 13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	84	__select__ = hook.Hook.__select__ & write_security_enabled()
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	85
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	86
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	87	class AfterAddEntitySecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	88	__regid__ = 'securityafteraddentity'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	89	events = ('after_add_entity',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	90
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	91	def __call__(self):
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	92	_CheckEntityPermissionOp(self._cw, entity=self.entity,
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	93	editedattrs=tuple(self.entity.edited_attributes),
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	94	action='add')
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	95
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	96
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	97	class AfterUpdateEntitySecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	98	__regid__ = 'securityafterupdateentity'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	99	events = ('after_update_entity',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	100
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	101	def __call__(self):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	102	try:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	103	# check user has permission right now, if not retry at commit time
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	104	self.entity.check_perm('update')
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	105	check_entity_attributes(self._cw, self.entity)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	106	except Unauthorized:
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	107	self.entity.clear_local_perm_cache('update')
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	108	# save back editedattrs in case the entity is reedited later in the
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	109	# same transaction, which will lead to edited_attributes being
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	110	# overwritten
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	111	_CheckEntityPermissionOp(self._cw, entity=self.entity,
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	112	editedattrs=tuple(self.entity.edited_attributes),
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	113	action='update')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	114
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	115
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	116	class BeforeDelEntitySecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	117	__regid__ = 'securitybeforedelentity'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	118	events = ('before_delete_entity',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	119
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	120	def __call__(self):
2895 903bd3f89f80 should directly use entity.check_perm now that we've an entity instance Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2847 diff changeset	121	self.entity.check_perm('delete')
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	122
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	123
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	124	class BeforeAddRelationSecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	125	__regid__ = 'securitybeforeaddrelation'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	126	events = ('before_add_relation',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	127
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	128	def __call__(self):
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	129	if self.rtype in BEFORE_ADD_RELATIONS:
2968 0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	130	nocheck = self._cw.transaction_data.get('skip-security', ())
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	131	if (self.eidfrom, self.rtype, self.eidto) in nocheck:
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	132	return
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	133	rschema = self._cw.repo.schema[self.rtype]
3890 d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	134	rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	135	self._cw.describe(self.eidto)[0])
4190 742e3eb16f81 fix bad merge Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4048 diff changeset	136	rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto)
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	137
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	138
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	139	class AfterAddRelationSecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	140	__regid__ = 'securityafteraddrelation'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	141	events = ('after_add_relation',)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	142
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	143	def __call__(self):
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	144	if not self.rtype in BEFORE_ADD_RELATIONS:
2968 0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	145	nocheck = self._cw.transaction_data.get('skip-security', ())
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	146	if (self.eidfrom, self.rtype, self.eidto) in nocheck:
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	147	return
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	148	rschema = self._cw.repo.schema[self.rtype]
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	149	if self.rtype in ON_COMMIT_ADD_RELATIONS:
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	150	_CheckRelationPermissionOp(self._cw, action='add',
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	151	rschema=rschema,
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	152	eidfrom=self.eidfrom,
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	153	eidto=self.eidto)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	154	else:
4003 b9436fe77c9e fix bad merge Sandrine Ribeau <sandrine.ribeau@logilab.fr> parents: 3890 diff changeset	155	rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
b9436fe77c9e fix bad merge Sandrine Ribeau <sandrine.ribeau@logilab.fr> parents: 3890 diff changeset	156	self._cw.describe(self.eidto)[0])
b9436fe77c9e fix bad merge Sandrine Ribeau <sandrine.ribeau@logilab.fr> parents: 3890 diff changeset	157	rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto)
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	158
4048 12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	159
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	160	class BeforeDeleteRelationSecurityHook(SecurityHook):
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	161	__regid__ = 'securitybeforedelrelation'
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	162	events = ('before_delete_relation',)
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	163
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	164	def __call__(self):
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	165	nocheck = self._cw.transaction_data.get('skip-security', ())
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	166	if (self.eidfrom, self.rtype, self.eidto) in nocheck:
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	167	return
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	168	rschema = self._cw.repo.schema[self.rtype]
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	169	rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	170	self._cw.describe(self.eidto)[0])
4190 742e3eb16f81 fix bad merge Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4048 diff changeset	171	rdef.check_perm(self._cw, 'delete', fromeid=self.eidfrom, toeid=self.eidto)
4048 12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	172

author	Sylvain Thénault <sylvain.thenault@logilab.fr>
	Wed, 28 Apr 2010 10:06:01 +0200
branch	stable
changeset 5421	8167de96c523
parent 4999	221f76e14eea
child 5424	8ecbcbff9777
permissions	-rw-r--r--