41 |
41 |
42 from rql import parse, nodes, RQLSyntaxError, TypeResolverException |
42 from rql import parse, nodes, RQLSyntaxError, TypeResolverException |
43 |
43 |
44 import cubicweb |
44 import cubicweb |
45 from cubicweb import ETYPE_NAME_MAP, ValidationError, Unauthorized |
45 from cubicweb import ETYPE_NAME_MAP, ValidationError, Unauthorized |
|
46 |
|
47 try: |
|
48 from cubicweb import server |
|
49 except ImportError: |
|
50 # We need to lookup DEBUG from there, |
|
51 # however a pure dbapi client may not have it. |
|
52 class server(object): pass |
|
53 server.DEBUG = False |
|
54 |
46 |
55 |
47 PURE_VIRTUAL_RTYPES = set(('identity', 'has_text',)) |
56 PURE_VIRTUAL_RTYPES = set(('identity', 'has_text',)) |
48 VIRTUAL_RTYPES = set(('eid', 'identity', 'has_text',)) |
57 VIRTUAL_RTYPES = set(('eid', 'identity', 'has_text',)) |
49 |
58 |
50 # set of meta-relations available for every entity types |
59 # set of meta-relations available for every entity types |
266 return True |
275 return True |
267 except Unauthorized: |
276 except Unauthorized: |
268 return False |
277 return False |
269 PermissionMixIn.has_perm = has_perm |
278 PermissionMixIn.has_perm = has_perm |
270 |
279 |
|
280 |
271 def check_perm(self, _cw, action, **kwargs): |
281 def check_perm(self, _cw, action, **kwargs): |
272 # NB: _cw may be a server transaction or a request object. |
282 # NB: _cw may be a server transaction or a request object. |
273 # |
283 # |
274 # check user is in an allowed group, if so that's enough internal |
284 # check user is in an allowed group, if so that's enough internal |
275 # transactions should always stop there |
285 # transactions should always stop there |
|
286 DBG = False |
|
287 if server.DEBUG & server.DBG_SEC: |
|
288 if action in server._SECURITY_CAPS: |
|
289 _self_str = str(self) |
|
290 if server._SECURITY_ITEMS: |
|
291 if any(item in _self_str for item in server._SECURITY_ITEMS): |
|
292 DBG = True |
|
293 else: |
|
294 DBG = True |
276 groups = self.get_groups(action) |
295 groups = self.get_groups(action) |
277 if _cw.user.matching_groups(groups): |
296 if _cw.user.matching_groups(groups): |
|
297 if DBG: |
|
298 print 'check_perm: %r %r: user matches %s' % (action, _self_str, groups) |
278 return |
299 return |
279 # if 'owners' in allowed groups, check if the user actually owns this |
300 # if 'owners' in allowed groups, check if the user actually owns this |
280 # object, if so that's enough |
301 # object, if so that's enough |
281 # |
302 # |
282 # NB: give _cw to user.owns since user is not be bound to a transaction on |
303 # NB: give _cw to user.owns since user is not be bound to a transaction on |
283 # the repository side |
304 # the repository side |
284 if 'owners' in groups and ( |
305 if 'owners' in groups and ( |
285 kwargs.get('creating') |
306 kwargs.get('creating') |
286 or ('eid' in kwargs and _cw.user.owns(kwargs['eid']))): |
307 or ('eid' in kwargs and _cw.user.owns(kwargs['eid']))): |
|
308 if DBG: |
|
309 print ('check_perm: %r %r: user is owner or creation time' % |
|
310 (action, _self_str)) |
287 return |
311 return |
288 # else if there is some rql expressions, check them |
312 # else if there is some rql expressions, check them |
|
313 if DBG: |
|
314 print ('check_perm: %r %r %s' % |
|
315 (action, _self_str, [(rqlexpr, kwargs, rqlexpr.check(_cw, **kwargs)) |
|
316 for rqlexpr in self.get_rqlexprs(action)])) |
289 if any(rqlexpr.check(_cw, **kwargs) |
317 if any(rqlexpr.check(_cw, **kwargs) |
290 for rqlexpr in self.get_rqlexprs(action)): |
318 for rqlexpr in self.get_rqlexprs(action)): |
291 return |
319 return |
292 raise Unauthorized(action, str(self)) |
320 raise Unauthorized(action, str(self)) |
293 PermissionMixIn.check_perm = check_perm |
321 PermissionMixIn.check_perm = check_perm |