cubicweb: comparison schema.py

equal deleted inserted replaced

-:43b4895a150f
+:79b9bf88be28
 __docformat__ = "restructuredtext en"
 _ = unicode
 import re
-from os.path import join
+from os.path import join, basename
 from logging import getLogger
 from warnings import warn
+from logilab.common import tempattr
 from logilab.common.decorators import cached, clear_cache, monkeypatch, cachedproperty
 from logilab.common.logging_ext import set_log_methods
 from logilab.common.deprecation import deprecated, class_moved, moved
 from logilab.common.textutils import splitstrip
 from logilab.common.graph import get_cycles
 from rql import parse, nodes, RQLSyntaxError, TypeResolverException
 import cubicweb
 from cubicweb import ETYPE_NAME_MAP, ValidationError, Unauthorized
+try:
+from cubicweb import server
+except ImportError:
+# We need to lookup DEBUG from there,
+# however a pure dbapi client may not have it.
+class server(object): pass
+server.DEBUG = False
 PURE_VIRTUAL_RTYPES = set(('identity', 'has_text',))
 VIRTUAL_RTYPES = set(('eid', 'identity', 'has_text',))
 # set of meta-relations available for every entity types
 _LOGGER = getLogger('cubicweb.schemaloader')
 # entity and relation schema created from serialized schema have an eid
 ybo.ETYPE_PROPERTIES += ('eid',)
 ybo.RTYPE_PROPERTIES += ('eid',)
-PUB_SYSTEM_ENTITY_PERMS = {
-'read':   ('managers', 'users', 'guests',),
-'add':    ('managers',),
-'delete': ('managers',),
-'update': ('managers',),
-}
-PUB_SYSTEM_REL_PERMS = {
-'read':   ('managers', 'users', 'guests',),
-'add':    ('managers',),
-'delete': ('managers',),
-}
-PUB_SYSTEM_ATTR_PERMS = {
-'read':   ('managers', 'users', 'guests',),
-'update': ('managers',),
-}
-RO_REL_PERMS = {
-'read':   ('managers', 'users', 'guests',),
-'add':    (),
-'delete': (),
-}
-RO_ATTR_PERMS = {
-'read':   ('managers', 'users', 'guests',),
-'update': (),
-}
-# XXX same algorithm as in reorder_cubes and probably other place,
-# may probably extract a generic function
-def order_eschemas(eschemas):
-"""return entity schemas ordered such that entity types which specializes an
-other one appears after that one
-"""
-graph = {}
-for eschema in eschemas:
-if eschema.specializes():
-graph[eschema] = set((eschema.specializes(),))
-else:
-graph[eschema] = set()
-cycles = get_cycles(graph)
-if cycles:
-cycles = '\n'.join(' -> '.join(cycle) for cycle in cycles)
-raise Exception('cycles in entity schema specialization: %s'
-% cycles)
-eschemas = []
-while graph:
-# sorted to get predictable results
-for eschema, deps in sorted(graph.items()):
-if not deps:
-eschemas.append(eschema)
-del graph[eschema]
-for deps in graph.itervalues():
-try:
-deps.remove(eschema)
-except KeyError:
-continue
-return eschemas
-def bw_normalize_etype(etype):
-if etype in ETYPE_NAME_MAP:
-msg = '%s has been renamed to %s, please update your code' % (
-etype, ETYPE_NAME_MAP[etype])
-warn(msg, DeprecationWarning, stacklevel=4)
-etype = ETYPE_NAME_MAP[etype]
-return etype
-def display_name(req, key, form='', context=None):
-"""return a internationalized string for the key (schema entity or relation
-name) in a given form
-"""
-assert form in ('', 'plural', 'subject', 'object')
-if form == 'subject':
-form = ''
-if form:
-key = key + '_' + form
-# ensure unicode
-if context is not None:
-return unicode(req.pgettext(context, key))
-else:
-return unicode(req._(key))
-# Schema objects definition ###################################################
-def ERSchema_display_name(self, req, form='', context=None):
-"""return a internationalized string for the entity/relation type name in
-a given form
-"""
-return display_name(req, self.type, form, context)
-ERSchema.display_name = ERSchema_display_name
-@cached
-def get_groups(self, action):
-"""return the groups authorized to perform <action> on entities of
-this type
-:type action: str
-:param action: the name of a permission
-:rtype: tuple
-:return: names of the groups with the given permission
-"""
-assert action in self.ACTIONS, action
-#assert action in self._groups, '%s %s' % (self, action)
-try:
-return frozenset(g for g in self.permissions[action] if isinstance(g, basestring))
-except KeyError:
-return ()
-PermissionMixIn.get_groups = get_groups
-@cached
-def get_rqlexprs(self, action):
-"""return the rql expressions representing queries to check the user is allowed
-to perform <action> on entities of this type
-:type action: str
-:param action: the name of a permission
-:rtype: tuple
-:return: the rql expressions with the given permission
-"""
-assert action in self.ACTIONS, action
-#assert action in self._rqlexprs, '%s %s' % (self, action)
-try:
-return tuple(g for g in self.permissions[action] if not isinstance(g, basestring))
-except KeyError:
-return ()
-PermissionMixIn.get_rqlexprs = get_rqlexprs
-orig_set_action_permissions = PermissionMixIn.set_action_permissions
-def set_action_permissions(self, action, permissions):
-"""set the groups and rql expressions allowing to perform <action> on
-entities of this type
-:type action: str
-:param action: the name of a permission
-:type permissions: tuple
-:param permissions: the groups and rql expressions allowing the given action
-"""
-orig_set_action_permissions(self, action, tuple(permissions))
-clear_cache(self, 'get_rqlexprs')
-clear_cache(self, 'get_groups')
-PermissionMixIn.set_action_permissions = set_action_permissions
-def has_local_role(self, action):
-"""return true if the action *may* be granted localy (eg either rql
-expressions or the owners group are used in security definition)
-XXX this method is only there since we don't know well how to deal with
-'add' action checking. Also find a better name would be nice.
-"""
-assert action in self.ACTIONS, action
-if self.get_rqlexprs(action):
-return True
-if action in ('update', 'delete'):
-return 'owners' in self.get_groups(action)
-return False
-PermissionMixIn.has_local_role = has_local_role
-def may_have_permission(self, action, req):
-if action != 'read' and not (self.has_local_role('read') or
-self.has_perm(req, 'read')):
-return False
-return self.has_local_role(action) or self.has_perm(req, action)
-PermissionMixIn.may_have_permission = may_have_permission
-def has_perm(self, _cw, action, **kwargs):
-"""return true if the action is granted globaly or localy"""
-try:
-self.check_perm(_cw, action, **kwargs)
-return True
-except Unauthorized:
-return False
-PermissionMixIn.has_perm = has_perm
-def check_perm(self, _cw, action, **kwargs):
-# NB: _cw may be a server transaction or a request object.
-#
-# check user is in an allowed group, if so that's enough internal
-# transactions should always stop there
-groups = self.get_groups(action)
-if _cw.user.matching_groups(groups):
-return
-# if 'owners' in allowed groups, check if the user actually owns this
-# object, if so that's enough
-#
-# NB: give _cw to user.owns since user is not be bound to a transaction on
-# the repository side
-if 'owners' in groups and (
-kwargs.get('creating')
-or ('eid' in kwargs and _cw.user.owns(kwargs['eid']))):
-return
-# else if there is some rql expressions, check them
-if any(rqlexpr.check(_cw, **kwargs)
-for rqlexpr in self.get_rqlexprs(action)):
-return
-raise Unauthorized(action, str(self))
-PermissionMixIn.check_perm = check_perm
-RelationDefinitionSchema._RPROPERTIES['eid'] = None
-# remember rproperties defined at this point. Others will have to be serialized in
-# CWAttribute.extra_props
-KNOWN_RPROPERTIES = RelationDefinitionSchema.ALL_PROPERTIES()
-def rql_expression(self, expression, mainvars=None, eid=None):
-"""rql expression factory"""
-if self.rtype.final:
-return ERQLExpression(expression, mainvars, eid)
-return RRQLExpression(expression, mainvars, eid)
-RelationDefinitionSchema.rql_expression = rql_expression
-orig_check_permission_definitions = RelationDefinitionSchema.check_permission_definitions
-def check_permission_definitions(self):
-orig_check_permission_definitions(self)
-schema = self.subject.schema
-for action, groups in self.permissions.iteritems():
-for group_or_rqlexpr in groups:
-if action == 'read' and \
-isinstance(group_or_rqlexpr, RQLExpression):
-msg = "can't use rql expression for read permission of %s"
-raise BadSchemaDefinition(msg % self)
-if self.final and isinstance(group_or_rqlexpr, RRQLExpression):
-msg = "can't use RRQLExpression on %s, use an ERQLExpression"
-raise BadSchemaDefinition(msg % self)
-if not self.final and isinstance(group_or_rqlexpr, ERQLExpression):
-msg = "can't use ERQLExpression on %s, use a RRQLExpression"
-raise BadSchemaDefinition(msg % self)
-RelationDefinitionSchema.check_permission_definitions = check_permission_definitions
-class CubicWebEntitySchema(EntitySchema):
-"""a entity has a type, a set of subject and or object relations
-the entity schema defines the possible relations for a given type and some
-constraints on those relations
-"""
-def __init__(self, schema=None, edef=None, eid=None, **kwargs):
-super(CubicWebEntitySchema, self).__init__(schema, edef, **kwargs)
-if eid is None and edef is not None:
-eid = getattr(edef, 'eid', None)
-self.eid = eid
-def check_permission_definitions(self):
-super(CubicWebEntitySchema, self).check_permission_definitions()
-for groups in self.permissions.itervalues():
-for group_or_rqlexpr in groups:
-if isinstance(group_or_rqlexpr, RRQLExpression):
-msg = "can't use RRQLExpression on %s, use an ERQLExpression"
-raise BadSchemaDefinition(msg % self.type)
-def is_subobject(self, strict=False, skiprels=None):
-if skiprels is None:
-skiprels = SKIP_COMPOSITE_RELS
-else:
-skiprels += SKIP_COMPOSITE_RELS
-return super(CubicWebEntitySchema, self).is_subobject(strict,
-skiprels=skiprels)
-def attribute_definitions(self):
-"""return an iterator on attribute definitions
-attribute relations are a subset of subject relations where the
-object's type is a final entity
-an attribute definition is a 2-uple :
-* name of the relation
-* schema of the destination entity type
-"""
-iter = super(CubicWebEntitySchema, self).attribute_definitions()
-for rschema, attrschema in iter:
-if rschema.type == 'has_text':
-continue
-yield rschema, attrschema
-def main_attribute(self):
-"""convenience method that returns the *main* (i.e. the first non meta)
-attribute defined in the entity schema
-"""
-for rschema, _ in self.attribute_definitions():
-if not (rschema in META_RTYPES
-or self.is_metadata(rschema)):
-return rschema
-def add_subject_relation(self, rschema):
-"""register the relation schema as possible subject relation"""
-super(CubicWebEntitySchema, self).add_subject_relation(rschema)
-if rschema.final:
-if self.rdef(rschema).get('fulltextindexed'):
-self._update_has_text()
-elif rschema.fulltext_container:
-self._update_has_text()
-def add_object_relation(self, rschema):
-"""register the relation schema as possible object relation"""
-super(CubicWebEntitySchema, self).add_object_relation(rschema)
-if rschema.fulltext_container:
-self._update_has_text()
-def del_subject_relation(self, rtype):
-super(CubicWebEntitySchema, self).del_subject_relation(rtype)
-if 'has_text' in self.subjrels:
-self._update_has_text(deletion=True)
-def del_object_relation(self, rtype):
-super(CubicWebEntitySchema, self).del_object_relation(rtype)
-if 'has_text' in self.subjrels:
-self._update_has_text(deletion=True)
-def _update_has_text(self, deletion=False):
-may_need_has_text, has_has_text = False, False
-need_has_text = None
-for rschema in self.subject_relations():
-if rschema.final:
-if rschema == 'has_text':
-has_has_text = True
-elif self.rdef(rschema).get('fulltextindexed'):
-may_need_has_text = True
-elif rschema.fulltext_container:
-if rschema.fulltext_container == 'subject':
-may_need_has_text = True
-else:
-need_has_text = False
-for rschema in self.object_relations():
-if rschema.fulltext_container:
-if rschema.fulltext_container == 'object':
-may_need_has_text = True
-else:
-need_has_text = False
-if need_has_text is None:
-need_has_text = may_need_has_text
-if need_has_text and not has_has_text and not deletion:
-rdef = ybo.RelationDefinition(self.type, 'has_text', 'String',
-__permissions__=RO_ATTR_PERMS)
-self.schema.add_relation_def(rdef)
-elif not need_has_text and has_has_text:
-# use rschema.del_relation_def and not schema.del_relation_def to
-# avoid deleting the relation type accidentally...
-self.schema['has_text'].del_relation_def(self, self.schema['String'])
-def schema_entity(self): # XXX @property for consistency with meta
-"""return True if this entity type is used to build the schema"""
-return self.type in SCHEMA_TYPES
-def rql_expression(self, expression, mainvars=None, eid=None):
-"""rql expression factory"""
-return ERQLExpression(expression, mainvars, eid)
-class CubicWebRelationSchema(RelationSchema):
-def __init__(self, schema=None, rdef=None, eid=None, **kwargs):
-if rdef is not None:
-# if this relation is inlined
-self.inlined = rdef.inlined
-super(CubicWebRelationSchema, self).__init__(schema, rdef, **kwargs)
-if eid is None and rdef is not None:
-eid = getattr(rdef, 'eid', None)
-self.eid = eid
-@property
-def meta(self):
-return self.type in META_RTYPES
-def schema_relation(self): # XXX @property for consistency with meta
-"""return True if this relation type is used to build the schema"""
-return self.type in SCHEMA_TYPES
-def may_have_permission(self, action, req, eschema=None, role=None):
-if eschema is not None:
-for tschema in self.targets(eschema, role):
-rdef = self.role_rdef(eschema, tschema, role)
-if rdef.may_have_permission(action, req):
-return True
-else:
-for rdef in self.rdefs.itervalues():
-if rdef.may_have_permission(action, req):
-return True
-return False
-def has_perm(self, _cw, action, **kwargs):
-"""return true if the action is granted globaly or localy"""
-if self.final:
-assert not ('fromeid' in kwargs or 'toeid' in kwargs), kwargs
-assert action in ('read', 'update')
-if 'eid' in kwargs:
-subjtype = _cw.describe(kwargs['eid'])[0]
-else:
-subjtype = objtype = None
-else:
-assert not 'eid' in kwargs, kwargs
-assert action in ('read', 'add', 'delete')
-if 'fromeid' in kwargs:
-subjtype = _cw.describe(kwargs['fromeid'])[0]
-elif 'frometype' in kwargs:
-subjtype = kwargs.pop('frometype')
-else:
-subjtype = None
-if 'toeid' in kwargs:
-objtype = _cw.describe(kwargs['toeid'])[0]
-elif 'toetype' in kwargs:
-objtype = kwargs.pop('toetype')
-else:
-objtype = None
-if objtype and subjtype:
-return self.rdef(subjtype, objtype).has_perm(_cw, action, **kwargs)
-elif subjtype:
-for tschema in self.targets(subjtype, 'subject'):
-rdef = self.rdef(subjtype, tschema)
-if not rdef.has_perm(_cw, action, **kwargs):
-return False
-elif objtype:
-for tschema in self.targets(objtype, 'object'):
-rdef = self.rdef(tschema, objtype)
-if not rdef.has_perm(_cw, action, **kwargs):
-return False
-else:
-for rdef in self.rdefs.itervalues():
-if not rdef.has_perm(_cw, action, **kwargs):
-return False
-return True
-@deprecated('use .rdef(subjtype, objtype).role_cardinality(role)')
-def cardinality(self, subjtype, objtype, target):
-return self.rdef(subjtype, objtype).role_cardinality(target)
-class CubicWebSchema(Schema):
-"""set of entities and relations schema defining the possible data sets
-used in an application
-:type name: str
-:ivar name: name of the schema, usually the instance identifier
-:type base: str
-:ivar base: path of the directory where the schema is defined
-"""
-reading_from_database = False
-entity_class = CubicWebEntitySchema
-relation_class = CubicWebRelationSchema
-no_specialization_inference = ('identity',)
-def __init__(self, *args, **kwargs):
-self._eid_index = {}
-super(CubicWebSchema, self).__init__(*args, **kwargs)
-ybo.register_base_types(self)
-rschema = self.add_relation_type(ybo.RelationType('eid'))
-rschema.final = True
-rschema = self.add_relation_type(ybo.RelationType('has_text'))
-rschema.final = True
-rschema = self.add_relation_type(ybo.RelationType('identity'))
-rschema.final = False
-etype_name_re = r'[A-Z][A-Za-z0-9]*[a-z]+[A-Za-z0-9]*$'
-def add_entity_type(self, edef):
-edef.name = edef.name.encode()
-edef.name = bw_normalize_etype(edef.name)
-if not re.match(self.etype_name_re, edef.name):
-raise BadSchemaDefinition(
-'%r is not a valid name for an entity type. It should start '
-'with an upper cased letter and be followed by at least a '
-'lower cased letter' % edef.name)
-eschema = super(CubicWebSchema, self).add_entity_type(edef)
-if not eschema.final:
-# automatically add the eid relation to non final entity types
-rdef = ybo.RelationDefinition(eschema.type, 'eid', 'Int',
-cardinality='11', uid=True,
-__permissions__=RO_ATTR_PERMS)
-self.add_relation_def(rdef)
-rdef = ybo.RelationDefinition(eschema.type, 'identity', eschema.type,
-__permissions__=RO_REL_PERMS)
-self.add_relation_def(rdef)
-self._eid_index[eschema.eid] = eschema
-return eschema
-def add_relation_type(self, rdef):
-if not rdef.name.islower():
-raise BadSchemaDefinition(
-'%r is not a valid name for a relation type. It should be '
-'lower cased' % rdef.name)
-rdef.name = rdef.name.encode()
-rschema = super(CubicWebSchema, self).add_relation_type(rdef)
-self._eid_index[rschema.eid] = rschema
-return rschema
-def add_relation_def(self, rdef):
-"""build a part of a relation schema
-(i.e. add a relation between two specific entity's types)
-:type subject: str
-:param subject: entity's type that is subject of the relation
-:type rtype: str
-:param rtype: the relation's type (i.e. the name of the relation)
-:type obj: str
-:param obj: entity's type that is object of the relation
-:rtype: RelationSchema
-:param: the newly created or just completed relation schema
-"""
-rdef.name = rdef.name.lower()
-rdef.subject = bw_normalize_etype(rdef.subject)
-rdef.object = bw_normalize_etype(rdef.object)
-rdefs = super(CubicWebSchema, self).add_relation_def(rdef)
-if rdefs:
-try:
-self._eid_index[rdef.eid] = rdefs
-except AttributeError:
-pass # not a serialized schema
-return rdefs
-def del_relation_type(self, rtype):
-rschema = self.rschema(rtype)
-self._eid_index.pop(rschema.eid, None)
-super(CubicWebSchema, self).del_relation_type(rtype)
-def del_relation_def(self, subjtype, rtype, objtype):
-for k, v in self._eid_index.items():
-if not isinstance(v, RelationDefinitionSchema):
-continue
-if v.subject == subjtype and v.rtype == rtype and v.object == objtype:
-del self._eid_index[k]
-break
-super(CubicWebSchema, self).del_relation_def(subjtype, rtype, objtype)
-def del_entity_type(self, etype):
-eschema = self.eschema(etype)
-self._eid_index.pop(eschema.eid, None)
-# deal with has_text first, else its automatic deletion (see above)
-# may trigger an error in ancestor's del_entity_type method
-if 'has_text' in eschema.subject_relations():
-self.del_relation_def(etype, 'has_text', 'String')
-super(CubicWebSchema, self).del_entity_type(etype)
-def schema_by_eid(self, eid):
-return self._eid_index[eid]
 # Bases for manipulating RQL in schema #########################################
 def guess_rrqlexpr_mainvars(expression):
 defined = set(split_expression(expression))
 'expression %s', mainvar, self)
 # syntax tree used by read security (inserted in queries when necessary)
 self.snippet_rqlst = parse(self.minimal_rql, print_errors=False).children[0]
 # graph of links between variables, used by rql rewriter
 self.vargraph = vargraph(self.rqlst)
+# useful for some instrumentation, e.g. localperms permcheck command
+self.package = ybo.PACKAGE
 def __str__(self):
 return self.full_rql
 def __repr__(self):
 return '%s(%s)' % (self.__class__.__name__, self.full_rql)
 @property
 def minimal_rql(self):
 return 'Any %s WHERE %s' % (','.join(sorted(self.mainvars)),
 self.expression)
 # rql expressions for use in permission definition #############################
 class ERQLExpression(RQLExpression):
 predefined_variables = 'XU'
 return False
 kwargs['o'] = toeid
 return self._check(_cw, **kwargs)
-# in yams, default 'update' perm for attributes granted to managers and owners.
+# In yams, default 'update' perm for attributes granted to managers and owners.
 # Within cw, we want to default to users who may edit the entity holding the
 # attribute.
-ybo.DEFAULT_ATTRPERMS['update'] = (
+# These default permissions won't be checked by the security hooks:
-'managers', ERQLExpression('U has_update_permission X'))
+# since they delegate checking to the entity, we can skip actual checks.
+ybo.DEFAULT_ATTRPERMS['update'] = ('managers', ERQLExpression('U has_update_permission X'))
+ybo.DEFAULT_ATTRPERMS['add'] = ('managers', ERQLExpression('U has_add_permission X'))
+PUB_SYSTEM_ENTITY_PERMS = {
+'read':   ('managers', 'users', 'guests',),
+'add':    ('managers',),
+'delete': ('managers',),
+'update': ('managers',),
+}
+PUB_SYSTEM_REL_PERMS = {
+'read':   ('managers', 'users', 'guests',),
+'add':    ('managers',),
+'delete': ('managers',),
+}
+PUB_SYSTEM_ATTR_PERMS = {
+'read':   ('managers', 'users', 'guests',),
+'add': ('managers',),
+'update': ('managers',),
+}
+RO_REL_PERMS = {
+'read':   ('managers', 'users', 'guests',),
+'add':    (),
+'delete': (),
+}
+RO_ATTR_PERMS = {
+'read':   ('managers', 'users', 'guests',),
+'add': ybo.DEFAULT_ATTRPERMS['add'],
+'update': (),
+}
+# XXX same algorithm as in reorder_cubes and probably other place,
+# may probably extract a generic function
+def order_eschemas(eschemas):
+"""return entity schemas ordered such that entity types which specializes an
+other one appears after that one
+"""
+graph = {}
+for eschema in eschemas:
+if eschema.specializes():
+graph[eschema] = set((eschema.specializes(),))
+else:
+graph[eschema] = set()
+cycles = get_cycles(graph)
+if cycles:
+cycles = '\n'.join(' -> '.join(cycle) for cycle in cycles)
+raise Exception('cycles in entity schema specialization: %s'
+% cycles)
+eschemas = []
+while graph:
+# sorted to get predictable results
+for eschema, deps in sorted(graph.items()):
+if not deps:
+eschemas.append(eschema)
+del graph[eschema]
+for deps in graph.itervalues():
+try:
+deps.remove(eschema)
+except KeyError:
+continue
+return eschemas
+def bw_normalize_etype(etype):
+if etype in ETYPE_NAME_MAP:
+msg = '%s has been renamed to %s, please update your code' % (
+etype, ETYPE_NAME_MAP[etype])
+warn(msg, DeprecationWarning, stacklevel=4)
+etype = ETYPE_NAME_MAP[etype]
+return etype
+def display_name(req, key, form='', context=None):
+"""return a internationalized string for the key (schema entity or relation
+name) in a given form
+"""
+assert form in ('', 'plural', 'subject', 'object')
+if form == 'subject':
+form = ''
+if form:
+key = key + '_' + form
+# ensure unicode
+if context is not None:
+return unicode(req.pgettext(context, key))
+else:
+return unicode(req._(key))
+# Schema objects definition ###################################################
+def ERSchema_display_name(self, req, form='', context=None):
+"""return a internationalized string for the entity/relation type name in
+a given form
+"""
+return display_name(req, self.type, form, context)
+ERSchema.display_name = ERSchema_display_name
+@cached
+def get_groups(self, action):
+"""return the groups authorized to perform <action> on entities of
+this type
+:type action: str
+:param action: the name of a permission
+:rtype: tuple
+:return: names of the groups with the given permission
+"""
+assert action in self.ACTIONS, action
+#assert action in self._groups, '%s %s' % (self, action)
+try:
+return frozenset(g for g in self.permissions[action] if isinstance(g, basestring))
+except KeyError:
+return ()
+PermissionMixIn.get_groups = get_groups
+@cached
+def get_rqlexprs(self, action):
+"""return the rql expressions representing queries to check the user is allowed
+to perform <action> on entities of this type
+:type action: str
+:param action: the name of a permission
+:rtype: tuple
+:return: the rql expressions with the given permission
+"""
+assert action in self.ACTIONS, action
+#assert action in self._rqlexprs, '%s %s' % (self, action)
+try:
+return tuple(g for g in self.permissions[action] if not isinstance(g, basestring))
+except KeyError:
+return ()
+PermissionMixIn.get_rqlexprs = get_rqlexprs
+orig_set_action_permissions = PermissionMixIn.set_action_permissions
+def set_action_permissions(self, action, permissions):
+"""set the groups and rql expressions allowing to perform <action> on
+entities of this type
+:type action: str
+:param action: the name of a permission
+:type permissions: tuple
+:param permissions: the groups and rql expressions allowing the given action
+"""
+orig_set_action_permissions(self, action, tuple(permissions))
+clear_cache(self, 'get_rqlexprs')
+clear_cache(self, 'get_groups')
+PermissionMixIn.set_action_permissions = set_action_permissions
+def has_local_role(self, action):
+"""return true if the action *may* be granted localy (eg either rql
+expressions or the owners group are used in security definition)
+XXX this method is only there since we don't know well how to deal with
+'add' action checking. Also find a better name would be nice.
+"""
+assert action in self.ACTIONS, action
+if self.get_rqlexprs(action):
+return True
+if action in ('update', 'delete'):
+return 'owners' in self.get_groups(action)
+return False
+PermissionMixIn.has_local_role = has_local_role
+def may_have_permission(self, action, req):
+if action != 'read' and not (self.has_local_role('read') or
+self.has_perm(req, 'read')):
+return False
+return self.has_local_role(action) or self.has_perm(req, action)
+PermissionMixIn.may_have_permission = may_have_permission
+def has_perm(self, _cw, action, **kwargs):
+"""return true if the action is granted globaly or localy"""
+try:
+self.check_perm(_cw, action, **kwargs)
+return True
+except Unauthorized:
+return False
+PermissionMixIn.has_perm = has_perm
+def check_perm(self, _cw, action, **kwargs):
+# NB: _cw may be a server transaction or a request object.
+#
+# check user is in an allowed group, if so that's enough internal
+# transactions should always stop there
+DBG = False
+if server.DEBUG & server.DBG_SEC:
+if action in server._SECURITY_CAPS:
+_self_str = str(self)
+if server._SECURITY_ITEMS:
+if any(item in _self_str for item in server._SECURITY_ITEMS):
+DBG = True
+else:
+DBG = True
+groups = self.get_groups(action)
+if _cw.user.matching_groups(groups):
+if DBG:
+print 'check_perm: %r %r: user matches %s' % (action, _self_str, groups)
+return
+# if 'owners' in allowed groups, check if the user actually owns this
+# object, if so that's enough
+#
+# NB: give _cw to user.owns since user is not be bound to a transaction on
+# the repository side
+if 'owners' in groups and (
+kwargs.get('creating')
+or ('eid' in kwargs and _cw.user.owns(kwargs['eid']))):
+if DBG:
+print ('check_perm: %r %r: user is owner or creation time' %
+(action, _self_str))
+return
+# else if there is some rql expressions, check them
+if DBG:
+print ('check_perm: %r %r %s' %
+(action, _self_str, [(rqlexpr, kwargs, rqlexpr.check(_cw, **kwargs))
+for rqlexpr in self.get_rqlexprs(action)]))
+if any(rqlexpr.check(_cw, **kwargs)
+for rqlexpr in self.get_rqlexprs(action)):
+return
+raise Unauthorized(action, str(self))
+PermissionMixIn.check_perm = check_perm
+RelationDefinitionSchema._RPROPERTIES['eid'] = None
+# remember rproperties defined at this point. Others will have to be serialized in
+# CWAttribute.extra_props
+KNOWN_RPROPERTIES = RelationDefinitionSchema.ALL_PROPERTIES()
+def rql_expression(self, expression, mainvars=None, eid=None):
+"""rql expression factory"""
+if self.rtype.final:
+return ERQLExpression(expression, mainvars, eid)
+return RRQLExpression(expression, mainvars, eid)
+RelationDefinitionSchema.rql_expression = rql_expression
+orig_check_permission_definitions = RelationDefinitionSchema.check_permission_definitions
+def check_permission_definitions(self):
+orig_check_permission_definitions(self)
+schema = self.subject.schema
+for action, groups in self.permissions.iteritems():
+for group_or_rqlexpr in groups:
+if action == 'read' and \
+isinstance(group_or_rqlexpr, RQLExpression):
+msg = "can't use rql expression for read permission of %s"
+raise BadSchemaDefinition(msg % self)
+if self.final and isinstance(group_or_rqlexpr, RRQLExpression):
+msg = "can't use RRQLExpression on %s, use an ERQLExpression"
+raise BadSchemaDefinition(msg % self)
+if not self.final and isinstance(group_or_rqlexpr, ERQLExpression):
+msg = "can't use ERQLExpression on %s, use a RRQLExpression"
+raise BadSchemaDefinition(msg % self)
+RelationDefinitionSchema.check_permission_definitions = check_permission_definitions
+class CubicWebEntitySchema(EntitySchema):
+"""a entity has a type, a set of subject and or object relations
+the entity schema defines the possible relations for a given type and some
+constraints on those relations
+"""
+def __init__(self, schema=None, edef=None, eid=None, **kwargs):
+super(CubicWebEntitySchema, self).__init__(schema, edef, **kwargs)
+if eid is None and edef is not None:
+eid = getattr(edef, 'eid', None)
+self.eid = eid
+def check_permission_definitions(self):
+super(CubicWebEntitySchema, self).check_permission_definitions()
+for groups in self.permissions.itervalues():
+for group_or_rqlexpr in groups:
+if isinstance(group_or_rqlexpr, RRQLExpression):
+msg = "can't use RRQLExpression on %s, use an ERQLExpression"
+raise BadSchemaDefinition(msg % self.type)
+def is_subobject(self, strict=False, skiprels=None):
+if skiprels is None:
+skiprels = SKIP_COMPOSITE_RELS
+else:
+skiprels += SKIP_COMPOSITE_RELS
+return super(CubicWebEntitySchema, self).is_subobject(strict,
+skiprels=skiprels)
+def attribute_definitions(self):
+"""return an iterator on attribute definitions
+attribute relations are a subset of subject relations where the
+object's type is a final entity
+an attribute definition is a 2-uple :
+* name of the relation
+* schema of the destination entity type
+"""
+iter = super(CubicWebEntitySchema, self).attribute_definitions()
+for rschema, attrschema in iter:
+if rschema.type == 'has_text':
+continue
+yield rschema, attrschema
+def main_attribute(self):
+"""convenience method that returns the *main* (i.e. the first non meta)
+attribute defined in the entity schema
+"""
+for rschema, _ in self.attribute_definitions():
+if not (rschema in META_RTYPES
+or self.is_metadata(rschema)):
+return rschema
+def add_subject_relation(self, rschema):
+"""register the relation schema as possible subject relation"""
+super(CubicWebEntitySchema, self).add_subject_relation(rschema)
+if rschema.final:
+if self.rdef(rschema).get('fulltextindexed'):
+self._update_has_text()
+elif rschema.fulltext_container:
+self._update_has_text()
+def add_object_relation(self, rschema):
+"""register the relation schema as possible object relation"""
+super(CubicWebEntitySchema, self).add_object_relation(rschema)
+if rschema.fulltext_container:
+self._update_has_text()
+def del_subject_relation(self, rtype):
+super(CubicWebEntitySchema, self).del_subject_relation(rtype)
+if 'has_text' in self.subjrels:
+self._update_has_text(deletion=True)
+def del_object_relation(self, rtype):
+super(CubicWebEntitySchema, self).del_object_relation(rtype)
+if 'has_text' in self.subjrels:
+self._update_has_text(deletion=True)
+def _update_has_text(self, deletion=False):
+may_need_has_text, has_has_text = False, False
+need_has_text = None
+for rschema in self.subject_relations():
+if rschema.final:
+if rschema == 'has_text':
+has_has_text = True
+elif self.rdef(rschema).get('fulltextindexed'):
+may_need_has_text = True
+elif rschema.fulltext_container:
+if rschema.fulltext_container == 'subject':
+may_need_has_text = True
+else:
+need_has_text = False
+for rschema in self.object_relations():
+if rschema.fulltext_container:
+if rschema.fulltext_container == 'object':
+may_need_has_text = True
+else:
+need_has_text = False
+if need_has_text is None:
+need_has_text = may_need_has_text
+if need_has_text and not has_has_text and not deletion:
+rdef = ybo.RelationDefinition(self.type, 'has_text', 'String',
+__permissions__=RO_ATTR_PERMS)
+self.schema.add_relation_def(rdef)
+elif not need_has_text and has_has_text:
+# use rschema.del_relation_def and not schema.del_relation_def to
+# avoid deleting the relation type accidentally...
+self.schema['has_text'].del_relation_def(self, self.schema['String'])
+def schema_entity(self): # XXX @property for consistency with meta
+"""return True if this entity type is used to build the schema"""
+return self.type in SCHEMA_TYPES
+def rql_expression(self, expression, mainvars=None, eid=None):
+"""rql expression factory"""
+return ERQLExpression(expression, mainvars, eid)
+class CubicWebRelationSchema(RelationSchema):
+def __init__(self, schema=None, rdef=None, eid=None, **kwargs):
+if rdef is not None:
+# if this relation is inlined
+self.inlined = rdef.inlined
+super(CubicWebRelationSchema, self).__init__(schema, rdef, **kwargs)
+if eid is None and rdef is not None:
+eid = getattr(rdef, 'eid', None)
+self.eid = eid
+@property
+def meta(self):
+return self.type in META_RTYPES
+def schema_relation(self): # XXX @property for consistency with meta
+"""return True if this relation type is used to build the schema"""
+return self.type in SCHEMA_TYPES
+def may_have_permission(self, action, req, eschema=None, role=None):
+if eschema is not None:
+for tschema in self.targets(eschema, role):
+rdef = self.role_rdef(eschema, tschema, role)
+if rdef.may_have_permission(action, req):
+return True
+else:
+for rdef in self.rdefs.itervalues():
+if rdef.may_have_permission(action, req):
+return True
+return False
+def has_perm(self, _cw, action, **kwargs):
+"""return true if the action is granted globaly or localy"""
+if self.final:
+assert not ('fromeid' in kwargs or 'toeid' in kwargs), kwargs
+assert action in ('read', 'update')
+if 'eid' in kwargs:
+subjtype = _cw.describe(kwargs['eid'])[0]
+else:
+subjtype = objtype = None
+else:
+assert not 'eid' in kwargs, kwargs
+assert action in ('read', 'add', 'delete')
+if 'fromeid' in kwargs:
+subjtype = _cw.describe(kwargs['fromeid'])[0]
+elif 'frometype' in kwargs:
+subjtype = kwargs.pop('frometype')
+else:
+subjtype = None
+if 'toeid' in kwargs:
+objtype = _cw.describe(kwargs['toeid'])[0]
+elif 'toetype' in kwargs:
+objtype = kwargs.pop('toetype')
+else:
+objtype = None
+if objtype and subjtype:
+return self.rdef(subjtype, objtype).has_perm(_cw, action, **kwargs)
+elif subjtype:
+for tschema in self.targets(subjtype, 'subject'):
+rdef = self.rdef(subjtype, tschema)
+if not rdef.has_perm(_cw, action, **kwargs):
+return False
+elif objtype:
+for tschema in self.targets(objtype, 'object'):
+rdef = self.rdef(tschema, objtype)
+if not rdef.has_perm(_cw, action, **kwargs):
+return False
+else:
+for rdef in self.rdefs.itervalues():
+if not rdef.has_perm(_cw, action, **kwargs):
+return False
+return True
+@deprecated('use .rdef(subjtype, objtype).role_cardinality(role)')
+def cardinality(self, subjtype, objtype, target):
+return self.rdef(subjtype, objtype).role_cardinality(target)
+class CubicWebSchema(Schema):
+"""set of entities and relations schema defining the possible data sets
+used in an application
+:type name: str
+:ivar name: name of the schema, usually the instance identifier
+:type base: str
+:ivar base: path of the directory where the schema is defined
+"""
+reading_from_database = False
+entity_class = CubicWebEntitySchema
+relation_class = CubicWebRelationSchema
+no_specialization_inference = ('identity',)
+def __init__(self, *args, **kwargs):
+self._eid_index = {}
+super(CubicWebSchema, self).__init__(*args, **kwargs)
+ybo.register_base_types(self)
+rschema = self.add_relation_type(ybo.RelationType('eid'))
+rschema.final = True
+rschema = self.add_relation_type(ybo.RelationType('has_text'))
+rschema.final = True
+rschema = self.add_relation_type(ybo.RelationType('identity'))
+rschema.final = False
+etype_name_re = r'[A-Z][A-Za-z0-9]*[a-z]+[A-Za-z0-9]*$'
+def add_entity_type(self, edef):
+edef.name = edef.name.encode()
+edef.name = bw_normalize_etype(edef.name)
+if not re.match(self.etype_name_re, edef.name):
+raise BadSchemaDefinition(
+'%r is not a valid name for an entity type. It should start '
+'with an upper cased letter and be followed by at least a '
+'lower cased letter' % edef.name)
+eschema = super(CubicWebSchema, self).add_entity_type(edef)
+if not eschema.final:
+# automatically add the eid relation to non final entity types
+rdef = ybo.RelationDefinition(eschema.type, 'eid', 'Int',
+cardinality='11', uid=True,
+__permissions__=RO_ATTR_PERMS)
+self.add_relation_def(rdef)
+rdef = ybo.RelationDefinition(eschema.type, 'identity', eschema.type,
+__permissions__=RO_REL_PERMS)
+self.add_relation_def(rdef)
+self._eid_index[eschema.eid] = eschema
+return eschema
+def add_relation_type(self, rdef):
+if not rdef.name.islower():
+raise BadSchemaDefinition(
+'%r is not a valid name for a relation type. It should be '
+'lower cased' % rdef.name)
+rdef.name = rdef.name.encode()
+rschema = super(CubicWebSchema, self).add_relation_type(rdef)
+self._eid_index[rschema.eid] = rschema
+return rschema
+def add_relation_def(self, rdef):
+"""build a part of a relation schema
+(i.e. add a relation between two specific entity's types)
+:type subject: str
+:param subject: entity's type that is subject of the relation
+:type rtype: str
+:param rtype: the relation's type (i.e. the name of the relation)
+:type obj: str
+:param obj: entity's type that is object of the relation
+:rtype: RelationSchema
+:param: the newly created or just completed relation schema
+"""
+rdef.name = rdef.name.lower()
+rdef.subject = bw_normalize_etype(rdef.subject)
+rdef.object = bw_normalize_etype(rdef.object)
+rdefs = super(CubicWebSchema, self).add_relation_def(rdef)
+if rdefs:
+try:
+self._eid_index[rdef.eid] = rdefs
+except AttributeError:
+pass # not a serialized schema
+return rdefs
+def del_relation_type(self, rtype):
+rschema = self.rschema(rtype)
+self._eid_index.pop(rschema.eid, None)
+super(CubicWebSchema, self).del_relation_type(rtype)
+def del_relation_def(self, subjtype, rtype, objtype):
+for k, v in self._eid_index.items():
+if not isinstance(v, RelationDefinitionSchema):
+continue
+if v.subject == subjtype and v.rtype == rtype and v.object == objtype:
+del self._eid_index[k]
+break
+super(CubicWebSchema, self).del_relation_def(subjtype, rtype, objtype)
+def del_entity_type(self, etype):
+eschema = self.eschema(etype)
+self._eid_index.pop(eschema.eid, None)
+# deal with has_text first, else its automatic deletion (see above)
+# may trigger an error in ancestor's del_entity_type method
+if 'has_text' in eschema.subject_relations():
+self.del_relation_def(etype, 'has_text', 'String')
+super(CubicWebSchema, self).del_entity_type(etype)
+def schema_by_eid(self, eid):
+return self._eid_index[eid]
 # additional cw specific constraints ###########################################
 class BaseRQLConstraint(RRQLExpression, BaseConstraint):
 """base class for rql constraints"""
 distinct_query = None
 def serialize(self):
-# start with a comma for bw compat,see below
+# start with a semicolon for bw compat, see below
 return ';' + ','.join(sorted(self.mainvars)) + ';' + self.expression
 @classmethod
 def deserialize(cls, value):
-# XXX < 3.5.10 bw compat
-if not value.startswith(';'):
-return cls(value)
 _, mainvars, expression = value.split(';', 2)
 return cls(expression, mainvars)
 def check(self, entity, rtype, value):
 """return true if the value satisfy the constraint, else false"""
 # start with a semicolon for bw compat, see below
 return ';%s;%s\n%s' % (','.join(sorted(self.mainvars)), self.expression,
 self.msg or '')
 def deserialize(cls, value):
-# XXX < 3.5.10 bw compat
-if not value.startswith(';'):
-return cls(value)
 value, msg = value.split('\n', 1)
 _, mainvars, expression = value.split(';', 2)
 return cls(expression, mainvars, msg)
 deserialize = classmethod(deserialize)
 def _load_definition_files(self, cubes=None):
 # bootstraping, ignore cubes
 filepath = join(cubicweb.CW_SOFTWARE_ROOT, 'schemas', 'bootstrap.py')
 self.info('loading %s', filepath)
-self.handle_file(filepath)
+with tempattr(ybo, 'PACKAGE', 'cubicweb'): # though we don't care here
+self.handle_file(filepath)
 def unhandled_file(self, filepath):
 """called when a file without handler associated has been found"""
 self.warning('ignoring file %r', filepath)
 for filepath in (join(cubicweb.CW_SOFTWARE_ROOT, 'schemas', 'bootstrap.py'),
 join(cubicweb.CW_SOFTWARE_ROOT, 'schemas', 'base.py'),
 join(cubicweb.CW_SOFTWARE_ROOT, 'schemas', 'workflow.py'),
 join(cubicweb.CW_SOFTWARE_ROOT, 'schemas', 'Bookmark.py')):
 self.info('loading %s', filepath)
-self.handle_file(filepath)
+with tempattr(ybo, 'PACKAGE', 'cubicweb'):
+self.handle_file(filepath)
 for cube in cubes:
 for filepath in self.get_schema_files(cube):
-self.info('loading %s', filepath)
+with tempattr(ybo, 'PACKAGE', basename(cube)):
 self.handle_file(filepath)
 # these are overridden by set_log_methods below
 # only defining here to prevent pylint from complaining
 info = warning = error = critical = exception = debug = lambda msg,*a,**kw: None

branch	stable
changeset 9542	79b9bf88be28
parent 9395	96dba2efd16d
child 9469	032825bbacab
child 9600	bde625698f44