14 |
14 |
15 |
15 |
16 def check_entity_attributes(session, entity, editedattrs=None): |
16 def check_entity_attributes(session, entity, editedattrs=None): |
17 eid = entity.eid |
17 eid = entity.eid |
18 eschema = entity.e_schema |
18 eschema = entity.e_schema |
19 # ._default_set is only there on entity creation to indicate unspecified |
19 # .skip_security_attributes is there to bypass security for attributes |
20 # attributes which has been set to a default value defined in the schema |
20 # set by hooks by modifying the entity's dictionnary |
21 defaults = getattr(entity, '_default_set', ()) |
21 dontcheck = entity.skip_security_attributes |
22 if editedattrs is None: |
22 if editedattrs is None: |
23 try: |
23 try: |
24 editedattrs = entity.edited_attributes |
24 editedattrs = entity.edited_attributes |
25 except AttributeError: |
25 except AttributeError: |
26 editedattrs = entity |
26 editedattrs = entity # XXX unexpected |
27 for attr in editedattrs: |
27 for attr in editedattrs: |
28 if attr in defaults: |
28 try: |
|
29 dontcheck.remove(attr) |
29 continue |
30 continue |
|
31 except KeyError: |
|
32 pass |
30 rdef = eschema.rdef(attr) |
33 rdef = eschema.rdef(attr) |
31 if rdef.final: # non final relation are checked by other hooks |
34 if rdef.final: # non final relation are checked by other hooks |
32 # add/delete should be equivalent (XXX: unify them into 'update' ?) |
35 # add/delete should be equivalent (XXX: unify them into 'update' ?) |
33 rdef.check_perm(session, 'update', eid=eid) |
36 rdef.check_perm(session, 'update', eid=eid) |
34 |
37 |
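Review bot: In the version that reads `entity.skip_security_attributes`, the loop removes only the names that also appear in `editedattrs`, so a name a hook put in that set for an attribute outside this edit stays there and could exempt a later change to that attribute from `rdef.check_perm(session, 'update', eid=eid)`. If the set is meant to cover a single operation, empty it once the loop finishes (`dontcheck.clear()`) or log whatever is left over, so an unexpected bypass becomes visible; whether the set outlives the operation cannot be seen on this page. The attribute is also read without a fallback, where the other side used `getattr(entity, '_default_set', ())`, so an entity object that lacks it would raise `AttributeError` before any permission is checked. The `try` / `continue` / `except KeyError: pass` shape would read more directly as `if attr in dontcheck: dontcheck.remove(attr); continue`, which also makes the skipped permission check stand out.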