| author | Aurelien Campeas <aurelien.campeas@logilab.fr> |
| Fri, 30 Apr 2010 18:24:29 +0200 | |
| branch | stable |
| changeset 5449 | a7e1b316af03 |
| parent 5448 | 9bf648d678cd |
| child 5557 | 1a534c596bff |
| child 5670 | 80dc2135bf5f |
| permissions | -rw-r--r-- |
|
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
1 |
# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
2 |
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
3 |
# |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
4 |
# This file is part of CubicWeb. |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
5 |
# |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
6 |
# CubicWeb is free software: you can redistribute it and/or modify it under the |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
7 |
# terms of the GNU Lesser General Public License as published by the Free |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
8 |
# Software Foundation, either version 2.1 of the License, or (at your option) |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
9 |
# any later version. |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
10 |
# |
|
5424
8ecbcbff9777
replace logilab-common by CubicWeb in disclaimer
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5421
diff
changeset
|
11 |
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT |
|
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
12 |
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
13 |
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
14 |
# details. |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
15 |
# |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
16 |
# You should have received a copy of the GNU Lesser General Public License along |
|
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4999
diff
changeset
|
17 |
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
| 0 | 18 |
"""Security hooks: check permissions to add/delete/update entities according to |
19 |
the user connected to a session |
|
20 |
||
21 |
""" |
|
22 |
__docformat__ = "restructuredtext en" |
|
23 |
||
24 |
from cubicweb import Unauthorized |
|
|
4835
13b0b96d7982
[repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4577
diff
changeset
|
25 |
from cubicweb.selectors import objectify_selector, lltrace |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
26 |
from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
27 |
|
| 0 | 28 |
|
|
4577
049d92fc8614
[security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4570
diff
changeset
|
29 |
def check_entity_attributes(session, entity, editedattrs=None): |
| 0 | 30 |
eid = entity.eid |
31 |
eschema = entity.e_schema |
|
|
4970
1f3d8946ea84
fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4835
diff
changeset
|
32 |
# .skip_security_attributes is there to bypass security for attributes |
|
1f3d8946ea84
fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4835
diff
changeset
|
33 |
# set by hooks by modifying the entity's dictionnary |
|
1f3d8946ea84
fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4835
diff
changeset
|
34 |
dontcheck = entity.skip_security_attributes |
|
4577
049d92fc8614
[security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4570
diff
changeset
|
35 |
if editedattrs is None: |
|
049d92fc8614
[security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4570
diff
changeset
|
36 |
try: |
|
049d92fc8614
[security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4570
diff
changeset
|
37 |
editedattrs = entity.edited_attributes |
|
049d92fc8614
[security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4570
diff
changeset
|
38 |
except AttributeError: |
|
4970
1f3d8946ea84
fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4835
diff
changeset
|
39 |
editedattrs = entity # XXX unexpected |
|
2647
b0a2e779845c
enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
1977
diff
changeset
|
40 |
for attr in editedattrs: |
|
4999
221f76e14eea
don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4970
diff
changeset
|
41 |
if attr in dontcheck: |
| 0 | 42 |
continue |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
43 |
rdef = eschema.rdef(attr) |
|
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
44 |
if rdef.final: # non final relation are checked by other hooks |
| 0 | 45 |
# add/delete should be equivalent (XXX: unify them into 'update' ?) |
|
4570
ede247bbbf62
follow yams api change: attributes permissions are now defined for
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4252
diff
changeset
|
46 |
rdef.check_perm(session, 'update', eid=eid) |
|
4999
221f76e14eea
don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4970
diff
changeset
|
47 |
# don't update dontcheck until everything went fine: see usage in |
|
221f76e14eea
don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4970
diff
changeset
|
48 |
# after_update_entity, where if we got an Unauthorized at hook time, we will |
|
221f76e14eea
don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4970
diff
changeset
|
49 |
# retry and commit time |
|
221f76e14eea
don't update dontcheck until everything went fine:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4970
diff
changeset
|
50 |
dontcheck |= frozenset(editedattrs) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
51 |
|
|
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
52 |
|
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
53 |
class _CheckEntityPermissionOp(hook.LateOperation): |
| 0 | 54 |
def precommit_event(self): |
55 |
#print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action |
|
|
5448
9bf648d678cd
[hooks/operations] use set_operations for three ops (huge gains for massive imports)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5424
diff
changeset
|
56 |
session = self.session |
|
5449
a7e1b316af03
[hooks/...] fix previous commit
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5448
diff
changeset
|
57 |
for values in session.transaction_data.pop('check_entity_perm_op'): |
|
5448
9bf648d678cd
[hooks/operations] use set_operations for three ops (huge gains for massive imports)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5424
diff
changeset
|
58 |
entity = session.entity_from_eid(values[0]) |
|
9bf648d678cd
[hooks/operations] use set_operations for three ops (huge gains for massive imports)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5424
diff
changeset
|
59 |
action = values[1] |
|
5449
a7e1b316af03
[hooks/...] fix previous commit
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5448
diff
changeset
|
60 |
entity.check_perm(action) |
|
a7e1b316af03
[hooks/...] fix previous commit
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5448
diff
changeset
|
61 |
check_entity_attributes(session, entity, values[2:]) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
62 |
|
| 0 | 63 |
def commit_event(self): |
64 |
pass |
|
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
65 |
|
|
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
66 |
|
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
67 |
class _CheckRelationPermissionOp(hook.LateOperation): |
| 0 | 68 |
def precommit_event(self): |
|
3890
d7a270f50f54
backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
69 |
rdef = self.rschema.rdef(self.session.describe(self.eidfrom)[0], |
|
d7a270f50f54
backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
70 |
self.session.describe(self.eidto)[0]) |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3689
diff
changeset
|
71 |
rdef.check_perm(self.session, self.action, |
|
3890
d7a270f50f54
backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
72 |
fromeid=self.eidfrom, toeid=self.eidto) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
73 |
|
| 0 | 74 |
def commit_event(self): |
75 |
pass |
|
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
76 |
|
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
77 |
|
|
4835
13b0b96d7982
[repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4577
diff
changeset
|
78 |
@objectify_selector |
|
13b0b96d7982
[repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4577
diff
changeset
|
79 |
@lltrace |
|
13b0b96d7982
[repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4577
diff
changeset
|
80 |
def write_security_enabled(cls, req, **kwargs): |
|
13b0b96d7982
[repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4577
diff
changeset
|
81 |
if req is None or not req.write_security: |
|
13b0b96d7982
[repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4577
diff
changeset
|
82 |
return 0 |
|
13b0b96d7982
[repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4577
diff
changeset
|
83 |
return 1 |
|
13b0b96d7982
[repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4577
diff
changeset
|
84 |
|
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
85 |
class SecurityHook(hook.Hook): |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
86 |
__abstract__ = True |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
87 |
category = 'security' |
|
4835
13b0b96d7982
[repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4577
diff
changeset
|
88 |
__select__ = hook.Hook.__select__ & write_security_enabled() |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
89 |
|
| 0 | 90 |
|
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
91 |
class AfterAddEntitySecurityHook(SecurityHook): |
|
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
92 |
__regid__ = 'securityafteraddentity' |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
93 |
events = ('after_add_entity',) |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
94 |
|
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
95 |
def __call__(self): |
|
5448
9bf648d678cd
[hooks/operations] use set_operations for three ops (huge gains for massive imports)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5424
diff
changeset
|
96 |
hook.set_operation(self._cw, 'check_entity_perm_op', |
|
9bf648d678cd
[hooks/operations] use set_operations for three ops (huge gains for massive imports)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5424
diff
changeset
|
97 |
(self.entity.eid, 'add') + tuple(self.entity.edited_attributes), |
|
9bf648d678cd
[hooks/operations] use set_operations for three ops (huge gains for massive imports)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5424
diff
changeset
|
98 |
_CheckEntityPermissionOp) |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
99 |
|
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
100 |
|
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
101 |
class AfterUpdateEntitySecurityHook(SecurityHook): |
|
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
102 |
__regid__ = 'securityafterupdateentity' |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
103 |
events = ('after_update_entity',) |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
104 |
|
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
105 |
def __call__(self): |
| 0 | 106 |
try: |
107 |
# check user has permission right now, if not retry at commit time |
|
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
108 |
self.entity.check_perm('update') |
|
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
109 |
check_entity_attributes(self._cw, self.entity) |
| 0 | 110 |
except Unauthorized: |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
111 |
self.entity.clear_local_perm_cache('update') |
|
4577
049d92fc8614
[security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4570
diff
changeset
|
112 |
# save back editedattrs in case the entity is reedited later in the |
|
049d92fc8614
[security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4570
diff
changeset
|
113 |
# same transaction, which will lead to edited_attributes being |
|
049d92fc8614
[security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4570
diff
changeset
|
114 |
# overwritten |
|
5448
9bf648d678cd
[hooks/operations] use set_operations for three ops (huge gains for massive imports)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5424
diff
changeset
|
115 |
hook.set_operation(self._cw, 'check_entity_perm_op', |
|
9bf648d678cd
[hooks/operations] use set_operations for three ops (huge gains for massive imports)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5424
diff
changeset
|
116 |
(self.entity.eid, 'update') + tuple(self.entity.edited_attributes), |
|
9bf648d678cd
[hooks/operations] use set_operations for three ops (huge gains for massive imports)
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
5424
diff
changeset
|
117 |
_CheckEntityPermissionOp) |
| 0 | 118 |
|
119 |
||
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
120 |
class BeforeDelEntitySecurityHook(SecurityHook): |
|
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
121 |
__regid__ = 'securitybeforedelentity' |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
122 |
events = ('before_delete_entity',) |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
123 |
|
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
124 |
def __call__(self): |
|
2895
903bd3f89f80
should directly use entity.check_perm now that we've an entity instance
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2847
diff
changeset
|
125 |
self.entity.check_perm('delete') |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
126 |
|
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
479
diff
changeset
|
127 |
|
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
128 |
class BeforeAddRelationSecurityHook(SecurityHook): |
|
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
129 |
__regid__ = 'securitybeforeaddrelation' |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
130 |
events = ('before_add_relation',) |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
131 |
|
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
132 |
def __call__(self): |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
133 |
if self.rtype in BEFORE_ADD_RELATIONS: |
|
2968
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
134 |
nocheck = self._cw.transaction_data.get('skip-security', ()) |
|
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
135 |
if (self.eidfrom, self.rtype, self.eidto) in nocheck: |
|
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
136 |
return |
|
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
137 |
rschema = self._cw.repo.schema[self.rtype] |
|
3890
d7a270f50f54
backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
138 |
rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0], |
|
d7a270f50f54
backport stable branch (one more time painfully)
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
139 |
self._cw.describe(self.eidto)[0]) |
|
4190
742e3eb16f81
fix bad merge
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4048
diff
changeset
|
140 |
rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto) |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
141 |
|
| 0 | 142 |
|
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
143 |
class AfterAddRelationSecurityHook(SecurityHook): |
|
3376
f5c69485381f
[appobjects] use __regid__ instead of __id__, more explicit
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2968
diff
changeset
|
144 |
__regid__ = 'securityafteraddrelation' |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
145 |
events = ('after_add_relation',) |
| 0 | 146 |
|
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
147 |
def __call__(self): |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
148 |
if not self.rtype in BEFORE_ADD_RELATIONS: |
|
2968
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
149 |
nocheck = self._cw.transaction_data.get('skip-security', ()) |
|
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
150 |
if (self.eidfrom, self.rtype, self.eidto) in nocheck: |
|
0e3460341023
somewhat painful backport of 3.5 branch, should mostly be ok
Sylvain Thénault <sylvain.thenault@logilab.fr>
diff
changeset
|
151 |
return |
|
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
152 |
rschema = self._cw.repo.schema[self.rtype] |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
153 |
if self.rtype in ON_COMMIT_ADD_RELATIONS: |
|
2847
c2ee28f4d4b1
use ._cw instead of .cw_req
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2835
diff
changeset
|
154 |
_CheckRelationPermissionOp(self._cw, action='add', |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
155 |
rschema=rschema, |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
156 |
eidfrom=self.eidfrom, |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
157 |
eidto=self.eidto) |
|
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
158 |
else: |
|
4003
b9436fe77c9e
fix bad merge
Sandrine Ribeau <sandrine.ribeau@logilab.fr>
parents:
3890
diff
changeset
|
159 |
rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0], |
|
b9436fe77c9e
fix bad merge
Sandrine Ribeau <sandrine.ribeau@logilab.fr>
parents:
3890
diff
changeset
|
160 |
self._cw.describe(self.eidto)[0]) |
|
b9436fe77c9e
fix bad merge
Sandrine Ribeau <sandrine.ribeau@logilab.fr>
parents:
3890
diff
changeset
|
161 |
rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto) |
|
2835
04034421b072
[hooks] major refactoring:
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2647
diff
changeset
|
162 |
|
|
4048
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
163 |
|
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
164 |
class BeforeDeleteRelationSecurityHook(SecurityHook): |
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
165 |
__regid__ = 'securitybeforedelrelation' |
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
166 |
events = ('before_delete_relation',) |
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
167 |
|
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
168 |
def __call__(self): |
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
169 |
nocheck = self._cw.transaction_data.get('skip-security', ()) |
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
170 |
if (self.eidfrom, self.rtype, self.eidto) in nocheck: |
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
171 |
return |
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
172 |
rschema = self._cw.repo.schema[self.rtype] |
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
173 |
rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0], |
|
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
174 |
self._cw.describe(self.eidto)[0]) |
|
4190
742e3eb16f81
fix bad merge
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4048
diff
changeset
|
175 |
rdef.check_perm(self._cw, 'delete', fromeid=self.eidfrom, toeid=self.eidto) |
|
4048
12c4f7e2bed6
had been involontarly dropped
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4003
diff
changeset
|
176 |