[hooks/security] provide attribute "add" permission As of today, the update permission on attributes is checked at entity *creation* time. This forbids using update permissions the proper way. We set it to be checked at entity update time only. We introduce a specific 'add' permission rule for attributes. For backward compatibility, its default value will be the same as the current 'update' permission. Notes: * needs a new yams version (ticket #149216) * introduces two new 'add_permissions' rdefs (attribute - group|rqlexpr) * if the update permission was () and the bw compat kicks in, the rule is not enforced, to avoid un-creatable entity types -- this restriction will be lifted when the bw compat is gone * small internal refactoring on check_entity_attributes * one small pre 3.6.1 bw compat snippet must be removed from schemaserial Closes #2965518.

     1

from logilab.common.shellutils import generate_password

     2

from cubicweb.server.utils import crypt_password

     3

     4

for user in rql('CWUser U WHERE U cw_source S, S name "system", U upassword P, U login L').entities():

     5

    salt = user.upassword.getvalue()

     6

    if crypt_password('', salt) == salt:

     7

        passwd = generate_password()

     8

        print 'setting random password for user %s' % user.login

     9

        user.set_attributes(upassword=passwd)

    10

    11

commit()