hooks/security.py
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Wed, 28 Apr 2010 12:15:52 +0200
brancholdstable
changeset 5424 8ecbcbff9777
parent 5421 8167de96c523
child 5448 9bf648d678cd
permissions -rw-r--r--
replace logilab-common by CubicWeb in disclaimer
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
5421
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
     1
# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
     2
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
     3
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
     4
# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
     5
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
     6
# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
     7
# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
     8
# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
     9
# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
    10
#
5424
8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 5421
diff changeset
    11
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
    12
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
    13
# FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
    14
# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
    15
#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
    16
# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4999
diff changeset
    17
# with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    18
"""Security hooks: check permissions to add/delete/update entities according to
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    19
the user connected to a session
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    20
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    21
"""
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    22
__docformat__ = "restructuredtext en"
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    23
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    24
from cubicweb import Unauthorized
4835
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4577
diff changeset
    25
from cubicweb.selectors import objectify_selector, lltrace
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    26
from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    27
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    28
4577
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
    29
def check_entity_attributes(session, entity, editedattrs=None):
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    30
    eid = entity.eid
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    31
    eschema = entity.e_schema
4970
1f3d8946ea84 fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4835
diff changeset
    32
    # .skip_security_attributes is there to bypass security for attributes
1f3d8946ea84 fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4835
diff changeset
    33
    # set by hooks by modifying the entity's dictionnary
1f3d8946ea84 fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4835
diff changeset
    34
    dontcheck = entity.skip_security_attributes
4577
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
    35
    if editedattrs is None:
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
    36
        try:
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
    37
            editedattrs = entity.edited_attributes
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
    38
        except AttributeError:
4970
1f3d8946ea84 fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4835
diff changeset
    39
            editedattrs = entity # XXX unexpected
2647
b0a2e779845c enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 1977
diff changeset
    40
    for attr in editedattrs:
4999
221f76e14eea don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4970
diff changeset
    41
        if attr in dontcheck:
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    42
            continue
3877
7ca53fc72a0a reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3689
diff changeset
    43
        rdef = eschema.rdef(attr)
7ca53fc72a0a reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3689
diff changeset
    44
        if rdef.final: # non final relation are checked by other hooks
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    45
            # add/delete should be equivalent (XXX: unify them into 'update' ?)
4570
ede247bbbf62 follow yams api change: attributes permissions are now defined for
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4252
diff changeset
    46
            rdef.check_perm(session, 'update', eid=eid)
4999
221f76e14eea don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4970
diff changeset
    47
    # don't update dontcheck until everything went fine: see usage in
221f76e14eea don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4970
diff changeset
    48
    # after_update_entity, where if we got an Unauthorized at hook time, we will
221f76e14eea don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4970
diff changeset
    49
    # retry and commit time
221f76e14eea don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4970
diff changeset
    50
    dontcheck |= frozenset(editedattrs)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 479
diff changeset
    51
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 479
diff changeset
    52
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    53
class _CheckEntityPermissionOp(hook.LateOperation):
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    54
    def precommit_event(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    55
        #print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    56
        self.entity.check_perm(self.action)
4577
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
    57
        check_entity_attributes(self.session, self.entity, self.editedattrs)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 479
diff changeset
    58
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    59
    def commit_event(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    60
        pass
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 479
diff changeset
    61
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 479
diff changeset
    62
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    63
class _CheckRelationPermissionOp(hook.LateOperation):
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    64
    def precommit_event(self):
3890
d7a270f50f54 backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3877 3720
diff changeset
    65
        rdef = self.rschema.rdef(self.session.describe(self.eidfrom)[0],
d7a270f50f54 backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3877 3720
diff changeset
    66
                                 self.session.describe(self.eidto)[0])
3877
7ca53fc72a0a reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3689
diff changeset
    67
        rdef.check_perm(self.session, self.action,
3890
d7a270f50f54 backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3877 3720
diff changeset
    68
                        fromeid=self.eidfrom, toeid=self.eidto)
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 479
diff changeset
    69
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    70
    def commit_event(self):
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    71
        pass
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 479
diff changeset
    72
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    73
4835
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4577
diff changeset
    74
@objectify_selector
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4577
diff changeset
    75
@lltrace
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4577
diff changeset
    76
def write_security_enabled(cls, req, **kwargs):
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4577
diff changeset
    77
    if req is None or not req.write_security:
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4577
diff changeset
    78
        return 0
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4577
diff changeset
    79
    return 1
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4577
diff changeset
    80
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    81
class SecurityHook(hook.Hook):
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    82
    __abstract__ = True
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    83
    category = 'security'
4835
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4577
diff changeset
    84
    __select__ = hook.Hook.__select__ & write_security_enabled()
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    85
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
    86
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    87
class AfterAddEntitySecurityHook(SecurityHook):
3376
f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2968
diff changeset
    88
    __regid__ = 'securityafteraddentity'
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    89
    events = ('after_add_entity',)
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    90
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    91
    def __call__(self):
4577
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
    92
        _CheckEntityPermissionOp(self._cw, entity=self.entity,
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
    93
                                 editedattrs=tuple(self.entity.edited_attributes),
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
    94
                                 action='add')
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    95
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    96
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    97
class AfterUpdateEntitySecurityHook(SecurityHook):
3376
f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2968
diff changeset
    98
    __regid__ = 'securityafterupdateentity'
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
    99
    events = ('after_update_entity',)
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   100
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   101
    def __call__(self):
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   102
        try:
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   103
            # check user has permission right now, if not retry at commit time
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   104
            self.entity.check_perm('update')
2847
c2ee28f4d4b1 use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2835
diff changeset
   105
            check_entity_attributes(self._cw, self.entity)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   106
        except Unauthorized:
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   107
            self.entity.clear_local_perm_cache('update')
4577
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
   108
            # save back editedattrs in case the entity is reedited later in the
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
   109
            # same transaction, which will lead to edited_attributes being
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
   110
            # overwritten
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
   111
            _CheckEntityPermissionOp(self._cw, entity=self.entity,
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
   112
                                     editedattrs=tuple(self.entity.edited_attributes),
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4570
diff changeset
   113
                                     action='update')
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   114
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   115
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   116
class BeforeDelEntitySecurityHook(SecurityHook):
3376
f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2968
diff changeset
   117
    __regid__ = 'securitybeforedelentity'
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   118
    events = ('before_delete_entity',)
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   119
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   120
    def __call__(self):
2895
903bd3f89f80 should directly use entity.check_perm now that we've an entity instance
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2847
diff changeset
   121
        self.entity.check_perm('delete')
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   122
1802
d628defebc17 delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents: 479
diff changeset
   123
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   124
class BeforeAddRelationSecurityHook(SecurityHook):
3376
f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2968
diff changeset
   125
    __regid__ = 'securitybeforeaddrelation'
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   126
    events = ('before_add_relation',)
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   127
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   128
    def __call__(self):
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   129
        if self.rtype in BEFORE_ADD_RELATIONS:
2968
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2920 2895
diff changeset
   130
            nocheck = self._cw.transaction_data.get('skip-security', ())
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2920 2895
diff changeset
   131
            if (self.eidfrom, self.rtype, self.eidto) in nocheck:
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2920 2895
diff changeset
   132
                return
2847
c2ee28f4d4b1 use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2835
diff changeset
   133
            rschema = self._cw.repo.schema[self.rtype]
3890
d7a270f50f54 backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3877 3720
diff changeset
   134
            rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
d7a270f50f54 backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 3877 3720
diff changeset
   135
                                self._cw.describe(self.eidto)[0])
4190
742e3eb16f81 fix bad merge
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4048
diff changeset
   136
            rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto)
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   137
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   138
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   139
class AfterAddRelationSecurityHook(SecurityHook):
3376
f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2968
diff changeset
   140
    __regid__ = 'securityafteraddrelation'
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   141
    events = ('after_add_relation',)
0
b97547f5f1fa Showtime !
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
diff changeset
   142
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   143
    def __call__(self):
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   144
        if not self.rtype in BEFORE_ADD_RELATIONS:
2968
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2920 2895
diff changeset
   145
            nocheck = self._cw.transaction_data.get('skip-security', ())
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2920 2895
diff changeset
   146
            if (self.eidfrom, self.rtype, self.eidto) in nocheck:
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2920 2895
diff changeset
   147
                return
2847
c2ee28f4d4b1 use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2835
diff changeset
   148
            rschema = self._cw.repo.schema[self.rtype]
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   149
            if self.rtype in ON_COMMIT_ADD_RELATIONS:
2847
c2ee28f4d4b1 use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2835
diff changeset
   150
                _CheckRelationPermissionOp(self._cw, action='add',
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   151
                                           rschema=rschema,
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   152
                                           eidfrom=self.eidfrom,
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   153
                                           eidto=self.eidto)
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   154
            else:
4003
b9436fe77c9e fix bad merge
Sandrine Ribeau <sandrine.ribeau@logilab.fr>
parents: 3890
diff changeset
   155
                rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
b9436fe77c9e fix bad merge
Sandrine Ribeau <sandrine.ribeau@logilab.fr>
parents: 3890
diff changeset
   156
                                    self._cw.describe(self.eidto)[0])
b9436fe77c9e fix bad merge
Sandrine Ribeau <sandrine.ribeau@logilab.fr>
parents: 3890
diff changeset
   157
                rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto)
2835
04034421b072 [hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2647
diff changeset
   158
4048
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   159
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   160
class BeforeDeleteRelationSecurityHook(SecurityHook):
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   161
    __regid__ = 'securitybeforedelrelation'
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   162
    events = ('before_delete_relation',)
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   163
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   164
    def __call__(self):
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   165
        nocheck = self._cw.transaction_data.get('skip-security', ())
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   166
        if (self.eidfrom, self.rtype, self.eidto) in nocheck:
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   167
            return
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   168
        rschema = self._cw.repo.schema[self.rtype]
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   169
        rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   170
                            self._cw.describe(self.eidto)[0])
4190
742e3eb16f81 fix bad merge
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4048
diff changeset
   171
        rdef.check_perm(self._cw, 'delete', fromeid=self.eidfrom, toeid=self.eidto)
4048
12c4f7e2bed6 had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 4003
diff changeset
   172