author | Sylvain Thénault <sylvain.thenault@logilab.fr> |
Thu, 29 Sep 2011 13:53:34 +0200 | |
branch | stable |
changeset 7886 | b1c913a6d9f0 |
parent 7782 | 40a49f4350a5 |
child 7797 | a71618a75b53 |
permissions | -rw-r--r-- |
# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
# |
# This file is part of CubicWeb. |
# |
# CubicWeb is free software: you can redistribute it and/or modify it under the |
# terms of the GNU Lesser General Public License as published by the Free |
# Software Foundation, either version 2.1 of the License, or (at your option) |
# any later version. |
# |
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT |
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
# details. |
# |
# You should have received a copy of the GNU Lesser General Public License along |
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
"""some utilities to define schema permissions |
""" |
__docformat__ = "restructuredtext en" |
from rql.utils import quote |
from cubicweb.schema import RO_REL_PERMS, RO_ATTR_PERMS, \ |
PUB_SYSTEM_ENTITY_PERMS, PUB_SYSTEM_REL_PERMS, \ |
ERQLExpression, RRQLExpression |
# Permissions for "meta" entity types: readable by anyone, added/deleted only
# by managers. Kept as an alias of PUB_SYSTEM_ENTITY_PERMS.
META_ETYPE_PERMS = PUB_SYSTEM_ENTITY_PERMS # XXX deprecates

# Permissions for "meta" relation types: readable by anyone, added/deleted
# only by managers. Kept as an alias of PUB_SYSTEM_REL_PERMS.
META_RTYPE_PERMS = PUB_SYSTEM_REL_PERMS # XXX deprecates

# Permissions for relation types that should only be set by hooks using
# unsafe execute; readable by anyone. Kept as an alias of RO_REL_PERMS.
HOOKS_RTYPE_PERMS = RO_REL_PERMS # XXX deprecates
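def _perm(names):
    """Return the RQL fragment requiring one of the given permission names.

    ``names`` is either a single permission name or a list/tuple of names.
    Every name is passed through ``rql.utils.quote`` before being inserted
    into the fragment (presumably RQL string-literal quoting -- confirm
    against rql.utils). A single name yields ``P name <quoted>``, several
    names yield ``P name IN (<quoted>,...)``.

    The returned text starts with a space so that callers can prefix it with
    the variable the permission is attached to (``'X' + _perm(...)``).

    :raises ValueError: if ``names`` is an empty list or tuple
    """
    if isinstance(names, (list, tuple)):
        if not names:
            # An empty sequence would be rendered as ``P name IN ()``, i.e. a
            # permission expression naming no permission at all. Refuse it
            # here, where the schema is defined, rather than emit an
            # expression whose meaning is unclear.
            # NOTE(review): confirm no caller relies on the old ``IN ()``.
            raise ValueError('at least one permission name is required')
        if len(names) == 1:
            names = quote(names[0])
        else:
            names = 'IN (%s)' % (','.join(quote(name) for name in names))
    else:
        names = quote(names)
    # Former variant, kept for reference:
    #return u' require_permission P, P name %s, U in_group G, P require_group G' % names
    return u' require_permission P, P name %s, U has_group_permission P' % names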
def xperm(*names):
    """Return the RQL restriction requiring one of ``names`` on ``X``.

    The result is the variable ``X`` followed by the fragment built by
    ``_perm`` for the given permission names.
    """
    fragment = _perm(names)
    return 'X' + fragment
def xexpr(*names):
    """Return an ``ERQLExpression`` built from ``xperm(*names)``."""
    rql = xperm(*names)
    return ERQLExpression(rql)
def xrexpr(relation, *names):
    """Return an ``ERQLExpression`` checking permissions on a related entity.

    The expression reads ``X <relation> Y`` and attaches the permission
    fragment for ``names`` to ``Y``.

    Only the permission names go through ``quote`` (inside ``_perm``);
    ``relation`` is inserted into the RQL text exactly as given, so it must
    be a relation type name written by the schema author, never text taken
    from an external source.
    """
    perm_clause = _perm(names)
    rql = 'X %s Y, Y %s' % (relation, perm_clause)
    return ERQLExpression(rql)
def xorexpr(relation, etype, *names):
    """Return an ``ERQLExpression`` checking permissions on a subject entity.

    The expression reads ``Y <relation> X, X is <etype>`` and attaches the
    permission fragment for ``names`` to ``Y``.

    Only the permission names go through ``quote`` (inside ``_perm``);
    ``relation`` and ``etype`` are inserted into the RQL text exactly as
    given, so both must be identifiers written by the schema author, never
    text taken from an external source.
    """
    perm_clause = _perm(names)
    rql = 'Y %s X, X is %s, Y %s' % (relation, etype, perm_clause)
    return ERQLExpression(rql)
def sexpr(*names):
    """Return an ``RRQLExpression`` requiring one of ``names`` on ``S``.

    ``'S'`` is also passed as the second argument of ``RRQLExpression``
    (presumably the main variable -- confirm against cubicweb.schema).
    """
    rql = 'S' + _perm(names)
    return RRQLExpression(rql, 'S')
def restricted_sexpr(restriction, *names):
    """Return an ``RRQLExpression`` on ``S`` prefixed by ``restriction``.

    The expression text is ``<restriction>, S<permission fragment>``.

    ``restriction`` is RQL text inserted exactly as given (it is not passed
    through ``quote``), so it must be written by the schema author, never
    assembled from an external source.
    """
    perm_clause = 'S' + _perm(names)
    return RRQLExpression('%s, %s' % (restriction, perm_clause), 'S')
def restricted_oexpr(restriction, *names):
    """Return an ``RRQLExpression`` on ``O`` prefixed by ``restriction``.

    The expression text is ``<restriction>, O<permission fragment>``.

    ``restriction`` is RQL text inserted exactly as given (it is not passed
    through ``quote``), so it must be written by the schema author, never
    assembled from an external source.
    """
    perm_clause = 'O' + _perm(names)
    return RRQLExpression('%s, %s' % (restriction, perm_clause), 'O')
def oexpr(*names):
    """Return an ``RRQLExpression`` requiring one of ``names`` on ``O``.

    ``'O'`` is also passed as the second argument of ``RRQLExpression``
    (presumably the main variable -- confirm against cubicweb.schema).
    """
    rql = 'O' + _perm(names)
    return RRQLExpression(rql, 'O')
# def supdate_perm(): |
# return RRQLExpression('U has_update_permission S', 'S') |
# def oupdate_perm(): |
# return RRQLExpression('U has_update_permission O', 'O') |
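def relxperm(rel, role, *names):
    """Return the RQL restriction requiring ``names`` on an entity linked to X.

    The permission fragment is attached to ``Z``; ``Z`` is tied to ``X``
    through ``rel``, with ``X`` as the subject when ``role`` is
    ``'subject'`` (``X <rel> Z``) and as the object when ``role`` is
    ``'object'`` (``Z <rel> X``).

    Only the permission names go through ``quote`` (inside ``_perm``);
    ``rel`` is inserted into the RQL text exactly as given, so it must be a
    relation type name written by the schema author, never text taken from
    an external source.

    :raises AssertionError: if ``role`` is neither ``'subject'`` nor
      ``'object'``
    """
    if role == 'subject':
        zxrel = ', X %s Z' % rel
    elif role == 'object':
        zxrel = ', Z %s X' % rel
    else:
        # Raised explicitly instead of using an ``assert`` statement: asserts
        # are stripped under ``python -O``, and an unknown role would then be
        # silently treated as 'object', yielding a permission expression for
        # the wrong side of the relation. The exception type is unchanged.
        raise AssertionError(
            "role must be 'subject' or 'object', got %r" % (role,))
    return 'Z' + _perm(names) + zxrel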
def relxexpr(rel, role, *names):
    """Return an ``ERQLExpression`` built from ``relxperm(rel, role, *names)``.

    ``rel`` reaches the RQL text unquoted through ``relxperm``; it must be a
    relation type name written by the schema author.
    """
    rql = relxperm(rel, role, *names)
    return ERQLExpression(rql)