cubicweb: hooks/security.py@d9e8af8a7a42 (annotated)

0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	1	"""Security hooks: check permissions to add/delete/update entities according to
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	2	the user connected to a session
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	3
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	4	:organization: Logilab
4212 ab6573088b4a update copyright: welcome 2010 Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 3689 diff changeset	5	:copyright: 2001-2010 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2.
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	6	:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr
1977 606923dff11b big bunch of copyright / docstring update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1802 diff changeset	7	:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	8	"""
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	9	__docformat__ = "restructuredtext en"
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	10
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	11	from cubicweb import Unauthorized
4835 13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	12	from cubicweb.selectors import objectify_selector, lltrace
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	13	from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	14
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	15
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	16	def check_entity_attributes(session, entity, editedattrs=None):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	17	eid = entity.eid
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	18	eschema = entity.e_schema
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	19	# ._default_set is only there on entity creation to indicate unspecified
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	20	# attributes which has been set to a default value defined in the schema
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	21	defaults = getattr(entity, '_default_set', ())
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	22	if editedattrs is None:
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	23	try:
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	24	editedattrs = entity.edited_attributes
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	25	except AttributeError:
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	26	editedattrs = entity
2647 b0a2e779845c enable server side entity caching, 25% speedup on codenaf insertion. ALL CW TESTS OK Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 1977 diff changeset	27	for attr in editedattrs:
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	28	if attr in defaults:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	29	continue
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3689 diff changeset	30	rdef = eschema.rdef(attr)
7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3689 diff changeset	31	if rdef.final: # non final relation are checked by other hooks
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	32	# add/delete should be equivalent (XXX: unify them into 'update' ?)
4570 ede247bbbf62 follow yams api change: attributes permissions are now defined for Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4252 diff changeset	33	rdef.check_perm(session, 'update', eid=eid)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	34
d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	35
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	36	class _CheckEntityPermissionOp(hook.LateOperation):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	37	def precommit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	38	#print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	39	self.entity.check_perm(self.action)
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	40	check_entity_attributes(self.session, self.entity, self.editedattrs)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	41
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	42	def commit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	43	pass
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	44
d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	45
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	46	class _CheckRelationPermissionOp(hook.LateOperation):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	47	def precommit_event(self):
3890 d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	48	rdef = self.rschema.rdef(self.session.describe(self.eidfrom)[0],
d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	49	self.session.describe(self.eidto)[0])
3877 7ca53fc72a0a reldefsecurity branch : Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3689 diff changeset	50	rdef.check_perm(self.session, self.action,
3890 d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	51	fromeid=self.eidfrom, toeid=self.eidto)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	52
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	53	def commit_event(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	54	pass
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	55
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	56
4835 13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	57	@objectify_selector
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	58	@lltrace
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	59	def write_security_enabled(cls, req, **kwargs):
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	60	if req is None or not req.write_security:
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	61	return 0
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	62	return 1
13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	63
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	64	class SecurityHook(hook.Hook):
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	65	__abstract__ = True
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	66	category = 'security'
4835 13b0b96d7982 [repo] enhanced security handling: deprecates unsafe_execute, in favor of explicit read/write security control using the `enabled_security` context manager. Also code executed on the repository side is now unsafe by default. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4577 diff changeset	67	__select__ = hook.Hook.__select__ & write_security_enabled()
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	68
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	69
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	70	class AfterAddEntitySecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	71	__regid__ = 'securityafteraddentity'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	72	events = ('after_add_entity',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	73
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	74	def __call__(self):
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	75	_CheckEntityPermissionOp(self._cw, entity=self.entity,
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	76	editedattrs=tuple(self.entity.edited_attributes),
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	77	action='add')
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	78
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	79
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	80	class AfterUpdateEntitySecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	81	__regid__ = 'securityafterupdateentity'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	82	events = ('after_update_entity',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	83
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	84	def __call__(self):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	85	try:
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	86	# check user has permission right now, if not retry at commit time
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	87	self.entity.check_perm('update')
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	88	check_entity_attributes(self._cw, self.entity)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	89	except Unauthorized:
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	90	self.entity.clear_local_perm_cache('update')
4577 049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	91	# save back editedattrs in case the entity is reedited later in the
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	92	# same transaction, which will lead to edited_attributes being
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	93	# overwritten
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	94	_CheckEntityPermissionOp(self._cw, entity=self.entity,
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	95	editedattrs=tuple(self.entity.edited_attributes),
049d92fc8614 [security] we should save back edited_attributes in case of multiple modification of an entity during the same transaction Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4570 diff changeset	96	action='update')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	97
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	98
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	99	class BeforeDelEntitySecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	100	__regid__ = 'securitybeforedelentity'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	101	events = ('before_delete_entity',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	102
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	103	def __call__(self):
2895 903bd3f89f80 should directly use entity.check_perm now that we've an entity instance Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2847 diff changeset	104	self.entity.check_perm('delete')
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	105
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 479 diff changeset	106
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	107	class BeforeAddRelationSecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	108	__regid__ = 'securitybeforeaddrelation'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	109	events = ('before_add_relation',)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	110
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	111	def __call__(self):
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	112	if self.rtype in BEFORE_ADD_RELATIONS:
2968 0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	113	nocheck = self._cw.transaction_data.get('skip-security', ())
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	114	if (self.eidfrom, self.rtype, self.eidto) in nocheck:
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	115	return
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	116	rschema = self._cw.repo.schema[self.rtype]
3890 d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	117	rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
d7a270f50f54 backport stable branch (one more time painfully) Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 3877 3720 diff changeset	118	self._cw.describe(self.eidto)[0])
4190 742e3eb16f81 fix bad merge Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4048 diff changeset	119	rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto)
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	120
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	121
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	122	class AfterAddRelationSecurityHook(SecurityHook):
3376 f5c69485381f [appobjects] use __regid__ instead of __id__, more explicit Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2968 diff changeset	123	__regid__ = 'securityafteraddrelation'
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	124	events = ('after_add_relation',)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	125
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	126	def __call__(self):
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	127	if not self.rtype in BEFORE_ADD_RELATIONS:
2968 0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	128	nocheck = self._cw.transaction_data.get('skip-security', ())
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	129	if (self.eidfrom, self.rtype, self.eidto) in nocheck:
0e3460341023 somewhat painful backport of 3.5 branch, should mostly be ok Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 2895 diff changeset	130	return
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	131	rschema = self._cw.repo.schema[self.rtype]
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	132	if self.rtype in ON_COMMIT_ADD_RELATIONS:
2847 c2ee28f4d4b1 use ._cw instead of .cw_req Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2835 diff changeset	133	_CheckRelationPermissionOp(self._cw, action='add',
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	134	rschema=rschema,
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	135	eidfrom=self.eidfrom,
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	136	eidto=self.eidto)
04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	137	else:
4003 b9436fe77c9e fix bad merge Sandrine Ribeau <sandrine.ribeau@logilab.fr> parents: 3890 diff changeset	138	rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
b9436fe77c9e fix bad merge Sandrine Ribeau <sandrine.ribeau@logilab.fr> parents: 3890 diff changeset	139	self._cw.describe(self.eidto)[0])
b9436fe77c9e fix bad merge Sandrine Ribeau <sandrine.ribeau@logilab.fr> parents: 3890 diff changeset	140	rdef.check_perm(self._cw, 'add', fromeid=self.eidfrom, toeid=self.eidto)
2835 04034421b072 [hooks] major refactoring: Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2647 diff changeset	141
4048 12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	142
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	143	class BeforeDeleteRelationSecurityHook(SecurityHook):
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	144	__regid__ = 'securitybeforedelrelation'
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	145	events = ('before_delete_relation',)
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	146
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	147	def __call__(self):
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	148	nocheck = self._cw.transaction_data.get('skip-security', ())
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	149	if (self.eidfrom, self.rtype, self.eidto) in nocheck:
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	150	return
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	151	rschema = self._cw.repo.schema[self.rtype]
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	152	rdef = rschema.rdef(self._cw.describe(self.eidfrom)[0],
12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	153	self._cw.describe(self.eidto)[0])
4190 742e3eb16f81 fix bad merge Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4048 diff changeset	154	rdef.check_perm(self._cw, 'delete', fromeid=self.eidfrom, toeid=self.eidto)
4048 12c4f7e2bed6 had been involontarly dropped Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4003 diff changeset	155

author	Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
	Fri, 19 Mar 2010 19:21:31 +0100
changeset 4964	d9e8af8a7a42
parent 4835	13b0b96d7982
child 4970	1f3d8946ea84
permissions	-rw-r--r--