281 for group_or_rqlexpr in groups: |
281 for group_or_rqlexpr in groups: |
282 if action == 'read' and \ |
282 if action == 'read' and \ |
283 isinstance(group_or_rqlexpr, RQLExpression): |
283 isinstance(group_or_rqlexpr, RQLExpression): |
284 msg = "can't use rql expression for read permission of %s" |
284 msg = "can't use rql expression for read permission of %s" |
285 raise BadSchemaDefinition(msg % self) |
285 raise BadSchemaDefinition(msg % self) |
286 elif self.final and isinstance(group_or_rqlexpr, RRQLExpression): |
286 if self.final and isinstance(group_or_rqlexpr, RRQLExpression): |
287 if schema.reading_from_database: |
287 msg = "can't use RRQLExpression on %s, use an ERQLExpression" |
288 # we didn't have final relation earlier, so turn |
288 raise BadSchemaDefinition(msg % self) |
289 # RRQLExpression into ERQLExpression now |
289 if not self.final and isinstance(group_or_rqlexpr, ERQLExpression): |
290 rqlexpr = group_or_rqlexpr |
|
291 newrqlexprs = [x for x in self.get_rqlexprs(action) |
|
292 if not x is rqlexpr] |
|
293 newrqlexprs.append(ERQLExpression(rqlexpr.expression, |
|
294 rqlexpr.mainvars, |
|
295 rqlexpr.eid)) |
|
296 self.set_rqlexprs(action, newrqlexprs) |
|
297 else: |
|
298 msg = "can't use RRQLExpression on %s, use an ERQLExpression" |
|
299 raise BadSchemaDefinition(msg % self) |
|
300 elif not self.final and \ |
|
301 isinstance(group_or_rqlexpr, ERQLExpression): |
|
302 msg = "can't use ERQLExpression on %s, use a RRQLExpression" |
290 msg = "can't use ERQLExpression on %s, use a RRQLExpression" |
303 raise BadSchemaDefinition(msg % self) |
291 raise BadSchemaDefinition(msg % self) |
304 RelationDefinitionSchema.check_permission_definitions = check_permission_definitions |
292 RelationDefinitionSchema.check_permission_definitions = check_permission_definitions |
305 |
293 |
306 |
294 |
312 def __init__(self, schema=None, edef=None, eid=None, **kwargs): |
300 def __init__(self, schema=None, edef=None, eid=None, **kwargs): |
313 super(CubicWebEntitySchema, self).__init__(schema, edef, **kwargs) |
301 super(CubicWebEntitySchema, self).__init__(schema, edef, **kwargs) |
314 if eid is None and edef is not None: |
302 if eid is None and edef is not None: |
315 eid = getattr(edef, 'eid', None) |
303 eid = getattr(edef, 'eid', None) |
316 self.eid = eid |
304 self.eid = eid |
317 # take care: no _groups attribute when deep-copying |
305 |
318 if getattr(self, 'permissions', None): |
306 def check_permission_definitions(self): |
319 for groups in self.permissions.itervalues(): |
307 super(CubicWebEntitySchema, self).check_permission_definitions() |
320 for group_or_rqlexpr in groups: |
308 for groups in self.permissions.itervalues(): |
321 if isinstance(group_or_rqlexpr, RRQLExpression): |
309 for group_or_rqlexpr in groups: |
322 msg = "can't use RRQLExpression on an entity type, use an ERQLExpression (%s)" |
310 if isinstance(group_or_rqlexpr, RRQLExpression): |
323 raise BadSchemaDefinition(msg % self.type) |
311 msg = "can't use RRQLExpression on %s, use an ERQLExpression" |
|
312 raise BadSchemaDefinition(msg % self.type) |
324 |
313 |
325 def attribute_definitions(self): |
314 def attribute_definitions(self): |
326 """return an iterator on attribute definitions |
315 """return an iterator on attribute definitions |
327 |
316 |
328 attribute relations are a subset of subject relations where the |
317 attribute relations are a subset of subject relations where the |
424 return True |
413 return True |
425 return False |
414 return False |
426 |
415 |
427 def has_perm(self, session, action, **kwargs): |
416 def has_perm(self, session, action, **kwargs): |
428 """return true if the action is granted globaly or localy""" |
417 """return true if the action is granted globaly or localy""" |
429 if 'fromeid' in kwargs: |
418 if self.final: |
430 subjtype = session.describe(kwargs['fromeid'])[0] |
419 assert not ('fromeid' in kwargs or 'toeid' in kwargs), kwargs |
|
420 assert action in ('read', 'update') |
|
421 if 'eid' in kwargs: |
|
422 subjtype = session.describe(kwargs['eid'])[0] |
|
423 else: |
|
424 subjtype = objtype = None |
431 else: |
425 else: |
432 subjtype = None |
426 assert not 'eid' in kwargs, kwargs |
433 if 'toeid' in kwargs: |
427 assert action in ('read', 'add', 'delete') |
434 objtype = session.describe(kwargs['toeid'])[0] |
428 if 'fromeid' in kwargs: |
435 else: |
429 subjtype = session.describe(kwargs['fromeid'])[0] |
436 objtype = None |
430 else: |
|
431 subjtype = None |
|
432 if 'toeid' in kwargs: |
|
433 objtype = session.describe(kwargs['toeid'])[0] |
|
434 else: |
|
435 objtype = None |
437 if objtype and subjtype: |
436 if objtype and subjtype: |
438 return self.rdef(subjtype, objtype).has_perm(session, action, **kwargs) |
437 return self.rdef(subjtype, objtype).has_perm(session, action, **kwargs) |
439 elif subjtype: |
438 elif subjtype: |
440 for tschema in self.targets(subjtype, 'subject'): |
439 for tschema in self.targets(subjtype, 'subject'): |
441 rdef = self.rdef(subjtype, tschema) |
440 rdef = self.rdef(subjtype, tschema) |
917 if toeid is None: |
916 if toeid is None: |
918 return False |
917 return False |
919 kwargs['o'] = toeid |
918 kwargs['o'] = toeid |
920 return self._check(session, **kwargs) |
919 return self._check(session, **kwargs) |
921 |
920 |
|
921 # in yams, default 'update' perm for attributes granted to managers and owners. |
|
922 # Within cw, we want to default to users who may edit the entity holding the |
|
923 # attribute. |
|
924 ybo.DEFAULT_ATTRPERMS['update'] = ( |
|
925 'managers', ERQLExpression('U has_update_permission X')) |
922 |
926 |
923 # workflow extensions ######################################################### |
927 # workflow extensions ######################################################### |
924 |
928 |
925 from yams.buildobjs import _add_relation as yams_add_relation |
929 from yams.buildobjs import _add_relation as yams_add_relation |
926 |
930 |