cubicweb: hooks/security.py@bad26a22fe29 (annotated)

5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	1	# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	2	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	3	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	4	# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	5	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	6	# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	7	# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	8	# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	9	# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	10	#
5424 8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5421 diff changeset	11	# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	12	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	13	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	14	# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	15	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	16	# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4999 diff changeset	17	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	18	"""Security hooks: check permissions to add/delete/update entities according to
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	19	the user connected to a session
5813 0b250d72fcfa [transaction w/ separated web/repo processes] the dbapi should explicitly specify a transaction id to avoid confusion when web server / repository run in separated processes Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5670 diff changeset	20	"""
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	21
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	22	__docformat__ = "restructuredtext en"
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	23
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	24	from cubicweb import Unauthorized
4835 13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	25	from cubicweb.selectors import objectify_selector, lltrace
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	26	from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	27
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	28
5670 80dc2135bf5f on entity creation, accept attributes without any update access Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5449 diff changeset	29	def check_entity_attributes(session, entity, editedattrs=None, creation=False):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	30	eid = entity.eid
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	31	eschema = entity.e_schema
5557 1a534c596bff [entity] continue cleanup of Entity/AnyEntity namespace Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5449 diff changeset	32	# ._cw_skip_security_attributes is there to bypass security for attributes
4970 1f3d8946ea84 fix security issue introduced by 4967:04543ed0bbdc: attributes explicitly set by hooks should not be checked by security hooks Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4835 diff changeset	33	# set by hooks by modifying the entity's dictionnary
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	34	if editedattrs is None:
6142 8bc6eac1fac1 [session] cleanup hook / operation / entity edition api Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5849 diff changeset	35	editedattrs = entity.cw_edited
8bc6eac1fac1 [session] cleanup hook / operation / entity edition api Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5849 diff changeset	36	dontcheck = editedattrs.skip_security
2647 b0a2e779845c enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 1977 diff changeset	37	for attr in editedattrs:
4999 221f76e14eea don't update dontcheck until everything went fine: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4970 diff changeset	38	if attr in dontcheck:
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	39	continue
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3689 diff changeset	40	rdef = eschema.rdef(attr)
7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3689 diff changeset	41	if rdef.final: # non final relation are checked by other hooks
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	42	# add/delete should be equivalent (XXX: unify them into 'update' ?)
5670 80dc2135bf5f on entity creation, accept attributes without any update access Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5449 diff changeset	43	if creation and not rdef.permissions.get('update'):
80dc2135bf5f on entity creation, accept attributes without any update access Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5449 diff changeset	44	continue
4570 ede247bbbf62 follow yams api change: attributes permissions are now defined for Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4252 diff changeset	45	rdef.check_perm(session, 'update', eid=eid)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	46
d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	47
6426 541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	48	class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	49	def precommit_event(self):
5448 9bf648d678cd [hooks/operations] use set_operations for three ops (huge gains for massive imports) Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 5424 diff changeset	50	session = self.session
6426 541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	51	for eid, action, edited in self.get_data():
6142 8bc6eac1fac1 [session] cleanup hook / operation / entity edition api Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5849 diff changeset	52	entity = session.entity_from_eid(eid)
5557 1a534c596bff [entity] continue cleanup of Entity/AnyEntity namespace Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5449 diff changeset	53	entity.cw_check_perm(action)
6142 8bc6eac1fac1 [session] cleanup hook / operation / entity edition api Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5849 diff changeset	54	check_entity_attributes(session, entity, edited,
6426 541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	55	creation=(action == 'add'))
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	56
d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	57
6426 541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	58	class CheckRelationPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	59	def precommit_event(self):
5848 b5640328ffad [security] use set_operation for relation permission checking operation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5813 diff changeset	60	session = self.session
6426 541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	61	for action, rschema, eidfrom, eidto in self.get_data():
5848 b5640328ffad [security] use set_operation for relation permission checking operation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5813 diff changeset	62	rdef = rschema.rdef(session.describe(eidfrom)[0],
b5640328ffad [security] use set_operation for relation permission checking operation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5813 diff changeset	63	session.describe(eidto)[0])
b5640328ffad [security] use set_operation for relation permission checking operation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5813 diff changeset	64	rdef.check_perm(session, action, fromeid=eidfrom, toeid=eidto)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	65
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	66
4835 13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	67	@objectify_selector
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	68	@lltrace
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	69	def write_security_enabled(cls, req, **kwargs):
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	70	if req is None or not req.write_security:
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	71	return 0
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	72	return 1
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	73
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	74	class SecurityHook(hook.Hook):
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	75	__abstract__ = True
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	76	category = 'security'
4835 13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	77	__select__ = hook.Hook.__select__ & write_security_enabled()
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	78
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	79
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	80	class AfterAddEntitySecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	81	__regid__ = 'securityafteraddentity'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	82	events = ('after_add_entity',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	83
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	84	def __call__(self):
6426 541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	85	CheckEntityPermissionOp.get_instance(self._cw).add_data(
541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	86	(self.entity.eid, 'add', self.entity.cw_edited) )
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	87
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	88
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	89	class AfterUpdateEntitySecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	90	__regid__ = 'securityafterupdateentity'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	91	events = ('after_update_entity',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	92
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	93	def __call__(self):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	94	try:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	95	# check user has permission right now, if not retry at commit time
5557 1a534c596bff [entity] continue cleanup of Entity/AnyEntity namespace Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5449 diff changeset	96	self.entity.cw_check_perm('update')
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	97	check_entity_attributes(self._cw, self.entity)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	98	except Unauthorized:
5557 1a534c596bff [entity] continue cleanup of Entity/AnyEntity namespace Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5449 diff changeset	99	self.entity._cw_clear_local_perm_cache('update')
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	100	# save back editedattrs in case the entity is reedited later in the
6142 8bc6eac1fac1 [session] cleanup hook / operation / entity edition api Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5849 diff changeset	101	# same transaction, which will lead to cw_edited being
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	102	# overwritten
6426 541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	103	CheckEntityPermissionOp.get_instance(self._cw).add_data(
541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	104	(self.entity.eid, 'update', self.entity.cw_edited) )
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	105
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	106
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	107	class BeforeDelEntitySecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	108	__regid__ = 'securitybeforedelentity'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	109	events = ('before_delete_entity',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	110
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	111	def __call__(self):
5557 1a534c596bff [entity] continue cleanup of Entity/AnyEntity namespace Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5449 diff changeset	112	self.entity.cw_check_perm('delete')
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	113
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	114
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	115	class BeforeAddRelationSecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	116	__regid__ = 'securitybeforeaddrelation'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	117	events = ('before_add_relation',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	118
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	119	def __call__(self):
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	120	if self.rtype in BEFORE_ADD_RELATIONS:
2968 0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	121	nocheck = self._cw.transaction_data.get('skip-security', ())
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	122	if (self.eidfrom, self.rtype, self.eidto) in nocheck:
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	123	return
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	124	rschema = self._cw.repo.schema[self.rtype]
3890 d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	125	rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	126	self._cw.describe(self.eidto)[0])
4190 742e3eb16f81 fix bad merge Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4048 diff changeset	127	rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto)
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	128
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	129
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	130	class AfterAddRelationSecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	131	__regid__ = 'securityafteraddrelation'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	132	events = ('after_add_relation',)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	133
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	134	def __call__(self):
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	135	if not self.rtype in BEFORE_ADD_RELATIONS:
2968 0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	136	nocheck = self._cw.transaction_data.get('skip-security', ())
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	137	if (self.eidfrom, self.rtype, self.eidto) in nocheck:
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	138	return
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	139	rschema = self._cw.repo.schema[self.rtype]
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	140	if self.rtype in ON_COMMIT_ADD_RELATIONS:
6426 541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	141	CheckRelationPermissionOp.get_instance(self._cw).add_data(
541659c39f6a [hook/operation] nicer api to achieve same result as set_operation, as described in #1253630 Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6142 diff changeset	142	('add', rschema, self.eidfrom, self.eidto) )
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	143	else:
4003 b9436fe77c9e fix bad merge Sandrine Ribeau <sandrine.ribeau@logilab.fr> parents: 3890 diff changeset	144	rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
b9436fe77c9e fix bad merge Sandrine Ribeau <sandrine.ribeau@logilab.fr> parents: 3890 diff changeset	145	self._cw.describe(self.eidto)[0])
b9436fe77c9e fix bad merge Sandrine Ribeau <sandrine.ribeau@logilab.fr> parents: 3890 diff changeset	146	rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto)
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	147
4048 12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	148
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	149	class BeforeDeleteRelationSecurityHook(SecurityHook):
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	150	__regid__ = 'securitybeforedelrelation'
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	151	events = ('before_delete_relation',)
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	152
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	153	def __call__(self):
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	154	nocheck = self._cw.transaction_data.get('skip-security', ())
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	155	if (self.eidfrom, self.rtype, self.eidto) in nocheck:
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	156	return
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	157	rschema = self._cw.repo.schema[self.rtype]
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	158	rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	159	self._cw.describe(self.eidto)[0])
4190 742e3eb16f81 fix bad merge Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4048 diff changeset	160	rdef.check_perm(self._cw, 'delete', fromeid=self.eidfrom, toeid=self.eidto)
4048 12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	161

author	Aurelien Campeas <aurelien.campeas@logilab.fr>
	Tue, 07 Dec 2010 12:18:20 +0100
branch	oldstable
changeset 7078	bad26a22fe29
parent 6426	541659c39f6a
child 8190	2a3c1b787688
child 8238	087bb529035c
permissions	-rw-r--r--