1 """Security hooks: check permissions to add/delete/update entities according to |
|
2 the user connected to a session |
|
3 |
|
4 :organization: Logilab |
|
5 :copyright: 2001-2009 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2. |
|
6 :contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr |
|
7 :license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses |
|
8 """ |
|
9 __docformat__ = "restructuredtext en" |
|
10 |
|
11 from cubicweb import Unauthorized |
|
12 from cubicweb.server.pool import LateOperation |
|
13 from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS |
|
14 |
|
15 def check_entity_attributes(session, entity): |
|
16 eid = entity.eid |
|
17 eschema = entity.e_schema |
|
18 # ._default_set is only there on entity creation to indicate unspecified |
|
19 # attributes which has been set to a default value defined in the schema |
|
20 defaults = getattr(entity, '_default_set', ()) |
|
21 try: |
|
22 editedattrs = entity.edited_attributes |
|
23 except AttributeError: |
|
24 editedattrs = entity.keys() |
|
25 for attr in editedattrs: |
|
26 if attr in defaults: |
|
27 continue |
|
28 rschema = eschema.subject_relation(attr) |
|
29 if rschema.is_final(): # non final relation are checked by other hooks |
|
30 # add/delete should be equivalent (XXX: unify them into 'update' ?) |
|
31 rschema.check_perm(session, 'add', eid) |
|
32 |
|
33 |
|
34 class CheckEntityPermissionOp(LateOperation): |
|
35 def precommit_event(self): |
|
36 #print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action |
|
37 self.entity.check_perm(self.action) |
|
38 check_entity_attributes(self.session, self.entity) |
|
39 |
|
40 def commit_event(self): |
|
41 pass |
|
42 |
|
43 |
|
44 class CheckRelationPermissionOp(LateOperation): |
|
45 def precommit_event(self): |
|
46 self.rschema.check_perm(self.session, self.action, self.fromeid, self.toeid) |
|
47 |
|
48 def commit_event(self): |
|
49 pass |
|
50 |
|
51 def after_add_entity(session, entity): |
|
52 if not session.is_super_session: |
|
53 CheckEntityPermissionOp(session, entity=entity, action='add') |
|
54 |
|
55 def after_update_entity(session, entity): |
|
56 if not session.is_super_session: |
|
57 try: |
|
58 # check user has permission right now, if not retry at commit time |
|
59 entity.check_perm('update') |
|
60 check_entity_attributes(session, entity) |
|
61 except Unauthorized: |
|
62 entity.clear_local_perm_cache('update') |
|
63 CheckEntityPermissionOp(session, entity=entity, action='update') |
|
64 |
|
65 def before_del_entity(session, eid): |
|
66 if not session.is_super_session: |
|
67 eschema = session.repo.schema[session.describe(eid)[0]] |
|
68 eschema.check_perm(session, 'delete', eid) |
|
69 |
|
70 |
|
71 def before_add_relation(session, fromeid, rtype, toeid): |
|
72 if rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: |
|
73 rschema = session.repo.schema[rtype] |
|
74 rschema.check_perm(session, 'add', fromeid, toeid) |
|
75 |
|
76 def after_add_relation(session, fromeid, rtype, toeid): |
|
77 if not rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: |
|
78 rschema = session.repo.schema[rtype] |
|
79 if rtype in ON_COMMIT_ADD_RELATIONS: |
|
80 CheckRelationPermissionOp(session, action='add', rschema=rschema, |
|
81 fromeid=fromeid, toeid=toeid) |
|
82 else: |
|
83 rschema.check_perm(session, 'add', fromeid, toeid) |
|
84 |
|
85 def before_del_relation(session, fromeid, rtype, toeid): |
|
86 if not session.is_super_session: |
|
87 session.repo.schema[rtype].check_perm(session, 'delete', fromeid, toeid) |
|
88 |
|
89 def register_security_hooks(hm): |
|
90 """register meta-data related hooks on the hooks manager""" |
|
91 hm.register_hook(after_add_entity, 'after_add_entity', '') |
|
92 hm.register_hook(after_update_entity, 'after_update_entity', '') |
|
93 hm.register_hook(before_del_entity, 'before_delete_entity', '') |
|
94 hm.register_hook(before_add_relation, 'before_add_relation', '') |
|
95 hm.register_hook(after_add_relation, 'after_add_relation', '') |
|
96 hm.register_hook(before_del_relation, 'before_delete_relation', '') |
|
97 |
|