295 * permissions are assigned to groups (and not to users) |
295 * permissions are assigned to groups (and not to users) |
296 |
296 |
297 For *CubicWeb* in particular: |
297 For *CubicWeb* in particular: |
298 |
298 |
299 * we associate rights at the entities/relations schema level |
299 * we associate rights at the entities/relations schema level |
300 * for each entity, we distinguish four kinds of permissions: `read`, |
300 |
301 `add`, `update` and `delete` |
|
302 * for each relation, we distinguish three kinds of permissions: `read`, |
|
303 `add` and `delete` (it is not possible to `modify` a relation) |
|
304 * the default groups are: `administrators`, `users` and `guests` |
301 * the default groups are: `administrators`, `users` and `guests` |
305 * by default, users belong to the `users` group |
302 |
306 * there is a virtual group called `owners` to which we |
303 * users belong to the `users` group |
307 can associate only `delete` and `update` permissions |
304 |
308 |
305 * there is a virtual group called `owners` to which we can associate only |
309 * we can not add users to the `Owners` group, they are |
306 `delete` and `update` permissions |
310 implicitly added to it according to the context of the objects |
307 |
311 they own |
308 * we can not add users to the `owners` group, they are implicitly added to it |
312 * the permissions of this group are only checked on `update`/`delete` |
309 according to the context of the objects they own |
313 actions if all the other groups the user belongs to do not provide |
310 |
314 those permissions |
311 * the permissions of this group are only checked on `update`/`delete` actions |
|
312 if all the other groups the user belongs to do not provide those permissions |
315 |
313 |
316 Setting permissions is done with the attribute `__permissions__` of entities and |
314 Setting permissions is done with the attribute `__permissions__` of entities and |
317 relation types. The value of this attribute is a dictionary where the keys are the access types |
315 relation definition. The value of this attribute is a dictionary where the keys |
318 (action), and the values are the authorized groups or expressions. |
316 are the access types (action), and the values are the authorized groups or |
|
317 expressions. |
319 |
318 |
320 For an entity type, the possible actions are `read`, `add`, `update` and |
319 For an entity type, the possible actions are `read`, `add`, `update` and |
321 `delete`. |
320 `delete`. |
322 |
321 |
323 For a relation type, the possible actions are `read`, `add`, and `delete`. |
322 For a relation, the possible actions are `read`, `add`, and `delete`. |
|
323 |
|
324 For an attribute, the possible actions are `read`, and `update`. |
324 |
325 |
325 For each access type, a tuple indicates the name of the authorized groups and/or |
326 For each access type, a tuple indicates the name of the authorized groups and/or |
326 one or multiple RQL expressions to satisfy to grant access. The access is |
327 one or multiple RQL expressions to satisfy to grant access. The access is |
327 provided if the user is in one of the listed groups or if one of the RQL condition |
328 provided if the user is in one of the listed groups or if one of the RQL condition |
328 is satisfied. |
329 is satisfied. |
329 |
330 |
|
331 |
330 The standard user groups |
332 The standard user groups |
331 ```````````````````````` |
333 ```````````````````````` |
332 |
334 |
333 * `guests` |
335 * `guests` |
334 |
336 |
338 |
340 |
339 * `owners`: virtual group corresponding to the entity's owner. |
341 * `owners`: virtual group corresponding to the entity's owner. |
340 This can only be used for the actions `update` and `delete` of an entity |
342 This can only be used for the actions `update` and `delete` of an entity |
341 type. |
343 type. |
342 |
344 |
343 It is also possible to use specific groups if they are defined in the |
345 It is also possible to use specific groups if they are defined in the precreate |
344 precreate script of the cube (``migration/precreate.py``). Defining groups in |
346 script of the cube (``migration/precreate.py``). Defining groups in postcreate |
345 postcreate script or later makes them unavailable for security |
347 script or later makes them unavailable for security purposes (in this case, an |
346 purposes (in this case, an `sync_schema_props_perms` command has to |
348 `sync_schema_props_perms` command has to be issued in a CubicWeb shell). |
347 be issued in a CubicWeb shell). |
|
348 |
349 |
349 |
350 |
350 Use of RQL expression for write permissions |
351 Use of RQL expression for write permissions |
351 ``````````````````````````````````````````` |
352 ``````````````````````````````````````````` |
352 It is possible to define RQL expression to provide update permission |
353 |
353 (`add`, `delete` and `update`) on relation and entity types. |
354 It is possible to define RQL expression to provide update permission (`add`, |
354 |
355 `delete` and `update`) on entity type / relation definitions. An rql expression |
355 RQL expression for entity type permission: |
356 is a piece of query (corresponds to the WHERE statement of an RQL query), and the |
356 |
357 expression will be considered as satisfied if it returns some results. They can |
357 * you have to use the class `ERQLExpression` |
358 not be used in `read` permission. |
358 |
359 |
359 * the used expression corresponds to the WHERE statement of an RQL query |
360 To use RQL expression in entity type permission: |
|
361 |
|
362 * you have to use the class :class:`~cubicweb.schema.ERQLExpression` |
360 |
363 |
361 * in this expression, the variables `X` and `U` are pre-defined references |
364 * in this expression, the variables `X` and `U` are pre-defined references |
362 respectively on the current entity (on which the action is verified) and |
365 respectively on the current entity (on which the action is verified) and on the |
363 on the user who send the request |
366 user who send the request |
364 |
367 |
365 * it is possible to use, in this expression, a special relation |
368 For RQL expressions on a relation type, the principles are the same except for |
366 "has_<ACTION>_permission" where the subject is the user and the |
369 the following: |
367 object is any variable, meaning that the user needs to have |
370 |
368 permission to execute the action <ACTION> on the entities related |
371 * you have to use the class :class:`~cubicweb.schema.RRQLExpression` instead of |
369 to this variable |
372 :class:`~cubicweb.schema.ERQLExpression` |
370 |
373 |
371 For RQL expressions on a relation type, the principles are the same except |
374 * in the expression, the variables `S`, `O` and `U` are pre-defined references to |
372 for the following: |
375 respectively the subject and the object of the current relation (on which the |
373 |
376 action is being verified) and the user who executed the query |
374 * you have to use the class `RRQLExpression` in the case of a non-final relation |
377 |
375 |
378 To define security for attributes of an entity (non-final relation), you have to |
376 * in the expression, the variables `S`, `O` and `U` are pre-defined references |
379 use the class :class:`~cubicweb.schema.ERQLExpression` in which `X` represents |
377 to respectively the subject and the object of the current relation (on |
380 the entity the attribute belongs to. |
378 which the action is being verified) and the user who executed the query |
381 |
379 |
382 It is possible to use in those expression a special relation |
380 * we can also define rights over attributes of an entity (non-final relation), |
383 `has_<ACTION>_permission` where the subject is the user (eg 'U') and the object |
381 knowing that: |
384 is any variable representing an entity (usually 'X' in |
382 |
385 :class:`~cubicweb.schema.ERQLExpression`, 'S' or 'O' in |
383 - to define RQL expression, we have to use the class `ERQLExpression` |
386 :class:`~cubicweb.schema.RRQLExpression`), meaning that the user needs to have |
384 in which `X` represents the entity the attribute belongs to |
387 permission to execute the action <ACTION> on the entities represented by this |
385 |
388 variable. It's recommanded to use this feature whenever possible since it |
386 - the permissions `add` and `delete` are equivalent. Only `add`/`read` |
389 simplify greatly complex security definition and upgrade. |
387 are actually taken in consideration. |
390 |
|
391 |
|
392 .. sourcecode:: python |
|
393 |
|
394 class my_relation(RelationDefinition): |
|
395 __permissions__ = {'read': ('managers', 'users'), |
|
396 'add': ('managers', RRQLExpression('U has_update_permission S')), |
|
397 'delete': ('managers', RRQLExpression('U has_update_permission S')) |
|
398 } |
|
399 |
|
400 In the above example, user will be allowed to add/delete `my_relation` if he has |
|
401 the `update` permission on the subject of the relation. |
388 |
402 |
389 .. note:: |
403 .. note:: |
390 |
404 |
391 Potentially, the `use of an RQL expression to add an entity or a |
405 Potentially, the `use of an RQL expression to add an entity or a relation` can |
392 relation` can cause problems for the user interface, because if the |
406 cause problems for the user interface, because if the expression uses the |
393 expression uses the entity or the relation to create, then we are |
407 entity or the relation to create, we are not able to verify the permissions |
394 not able to verify the permissions before we actually add the entity |
408 before we actually added the entity (please note that this is not a problem for |
395 (please note that this is not a problem for the RQL server at all, |
409 the RQL server at all, because the permissions checks are done after the |
396 because the permissions checks are done after the creation). In such |
410 creation). In such case, the permission check methods |
397 case, the permission check methods (CubicWebEntitySchema.check_perm |
411 (CubicWebEntitySchema.check_perm and has_perm) can indicate that the user is |
398 and has_perm) can indicate that the user is not allowed to create |
412 not allowed to create this entity while it would obtain the permission. To |
399 this entity but can obtain the permission. To compensate this |
413 compensate this problem, it is usually necessary in such case to use an action |
400 problem, it is usually necessary, for such case, to use an action |
414 that reflects the schema permissions but which check properly the permissions |
401 that reflects the schema permissions but which enables to check |
415 so that it would show up only if possible. |
402 properly the permissions so that it would show up if necessary. |
|
403 |
416 |
404 |
417 |
405 Use of RQL expression for reading rights |
418 Use of RQL expression for reading rights |
406 ```````````````````````````````````````` |
419 ```````````````````````````````````````` |
407 |
420 |
408 The principles are the same but with the following restrictions: |
421 The principles are the same but with the following restrictions: |
409 |
422 |
410 * we can not use `RRQLExpression` on relation types for reading |
423 * you can not use rql expression for the `read` permission of relations and |
411 |
424 attributes, |
412 * special relations "has_<ACTION>_permission" can not be used |
425 |
|
426 * you can not use special `has_<ACTION>_permission` relation in the rql |
|
427 expression. |
413 |
428 |
414 |
429 |
415 Important notes about write permissions checking |
430 Important notes about write permissions checking |
416 ```````````````````````````````````````````````` |
431 ```````````````````````````````````````````````` |
417 |
432 |