schemas/__init__.py
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Mon, 18 Jan 2010 11:50:34 +0100
branchstable
changeset 4246 c95b8c7e5fb2
parent 4243 2621de25d15a
child 4754 6bf17f810975
permissions -rw-r--r--
don't use matching_groups() for is_in_group implementation
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
4243
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
     1
"""some utilities to define schema permissions
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
     2
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
     3
:organization: Logilab
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
     4
:copyright: 2008 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
     5
:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
     6
"""
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
     7
__docformat__ = "restructuredtext en"
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
     8
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
     9
from rql.utils import quote
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    10
from cubicweb.schema import ERQLExpression, RRQLExpression
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    11
2502
324ec2056d56 document
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2501
diff changeset
    12
# permissions for "meta" entity type (readable by anyone, can only be
324ec2056d56 document
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2501
diff changeset
    13
# added/deleted by managers)
2141
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    14
META_ETYPE_PERMS = {
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    15
    'read':   ('managers', 'users', 'guests',),
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    16
    'add':    ('managers',),
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    17
    'delete': ('managers',),
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    18
    'update': ('managers', 'owners',),
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    19
    }
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    20
2502
324ec2056d56 document
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2501
diff changeset
    21
# permissions for "meta" relation type (readable by anyone, can only be
324ec2056d56 document
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2501
diff changeset
    22
# added/deleted by managers)
2141
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    23
META_RTYPE_PERMS = {
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    24
    'read':   ('managers', 'users', 'guests',),
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    25
    'add':    ('managers',),
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    26
    'delete': ('managers',),
0072247db207 schema should now be importable
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
diff changeset
    27
    }
2501
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2141
diff changeset
    28
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2141
diff changeset
    29
# permissions for relation type that should only set by hooks using unsafe
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2141
diff changeset
    30
# execute, readable by anyone
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2141
diff changeset
    31
HOOKS_RTYPE_PERMS = {
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2141
diff changeset
    32
    'read':   ('managers', 'users', 'guests',),
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2141
diff changeset
    33
    'add':    (),
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2141
diff changeset
    34
    'delete': (),
fa86d99c2c3a test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2141
diff changeset
    35
    }
4243
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    36
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    37
def _perm(names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    38
    if isinstance(names, (list, tuple)):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    39
        if len(names) == 1:
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    40
            names = quote(names[0])
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    41
        else:
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    42
            names = 'IN (%s)' % (','.join(quote(name) for name in names))
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    43
    else:
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    44
        names = quote(names)
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    45
    #return u' require_permission P, P name %s, U in_group G, P require_group G' % names
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    46
    return u' require_permission P, P name %s, U has_group_permission P' % names
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    47
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    48
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    49
def xperm(*names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    50
    return 'X' + _perm(names)
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    51
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    52
def xexpr(*names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    53
    return ERQLExpression(xperm(*names))
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    54
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    55
def xrexpr(relation, *names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    56
    return ERQLExpression('X %s Y, Y %s' % (relation, _perm(names)))
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    57
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    58
def xorexpr(relation, etype, *names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    59
    return ERQLExpression('Y %s X, X is %s, Y %s' % (relation, etype, _perm(names)))
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    60
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    61
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    62
def sexpr(*names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    63
    return RRQLExpression('S' + _perm(names), 'S')
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    64
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    65
def restricted_sexpr(restriction, *names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    66
    rql = '%s, %s' % (restriction, 'S' + _perm(names))
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    67
    return RRQLExpression(rql, 'S')
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    68
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    69
def restricted_oexpr(restriction, *names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    70
    rql = '%s, %s' % (restriction, 'O' + _perm(names))
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    71
    return RRQLExpression(rql, 'O')
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    72
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    73
def oexpr(*names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    74
    return RRQLExpression('O' + _perm(names), 'O')
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    75
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    76
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    77
# def supdate_perm():
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    78
#     return RRQLExpression('U has_update_permission S', 'S')
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    79
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    80
# def oupdate_perm():
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    81
#     return RRQLExpression('U has_update_permission O', 'O')
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    82
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    83
def relxperm(rel, role, *names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    84
    assert role in ('subject', 'object')
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    85
    if role == 'subject':
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    86
        zxrel = ', X %s Z' % rel
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    87
    else:
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    88
        zxrel = ', Z %s X' % rel
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    89
    return 'Z' + _perm(names) + zxrel
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    90
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    91
def relxexpr(rel, role, *names):
2621de25d15a backport tracker permission utility functions into the cw.schemas package
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents: 2502
diff changeset
    92
    return ERQLExpression(relxperm(rel, role, *names))