14 ERQLExpression, RRQLExpression) |
14 ERQLExpression, RRQLExpression) |
15 from cubicweb.schemas import META_ETYPE_PERMS, META_RTYPE_PERMS |
15 from cubicweb.schemas import META_ETYPE_PERMS, META_RTYPE_PERMS |
16 |
16 |
17 class CWUser(WorkflowableEntityType): |
17 class CWUser(WorkflowableEntityType): |
18 """define a CubicWeb user""" |
18 """define a CubicWeb user""" |
19 permissions = { |
19 __permissions__ = { |
20 'read': ('managers', 'users', ERQLExpression('X identity U')), |
20 'read': ('managers', 'users', ERQLExpression('X identity U')), |
21 'add': ('managers',), |
21 'add': ('managers',), |
22 'delete': ('managers',), |
22 'delete': ('managers',), |
23 'update': ('managers', ERQLExpression('X identity U, NOT U in_group G, G name "guests"'),), |
23 'update': ('managers', ERQLExpression('X identity U, NOT U in_group G, G name "guests"'),), |
24 } |
24 } |
35 description=_('email address to use for notification')) |
35 description=_('email address to use for notification')) |
36 use_email = SubjectRelation('EmailAddress', cardinality='*?', composite='subject') |
36 use_email = SubjectRelation('EmailAddress', cardinality='*?', composite='subject') |
37 |
37 |
38 in_group = SubjectRelation('CWGroup', cardinality='+*', |
38 in_group = SubjectRelation('CWGroup', cardinality='+*', |
39 constraints=[RQLConstraint('NOT O name "owners"')], |
39 constraints=[RQLConstraint('NOT O name "owners"')], |
40 description=_('groups grant permissions to the user')) |
40 description=_('groups grant __permissions__ to the user')) |
41 |
41 |
42 |
42 |
43 class EmailAddress(EntityType): |
43 class EmailAddress(EntityType): |
44 """an electronic mail address associated to a short alias""" |
44 """an electronic mail address associated to a short alias""" |
45 permissions = { |
45 __permissions__ = { |
46 'read': ('managers', 'users', 'guests',), # XXX if P use_email X, U has_read_permission P |
46 'read': ('managers', 'users', 'guests',), # XXX if P use_email X, U has_read_permission P |
47 'add': ('managers', 'users',), |
47 'add': ('managers', 'users',), |
48 'delete': ('managers', 'owners', ERQLExpression('P use_email X, U has_update_permission P')), |
48 'delete': ('managers', 'owners', ERQLExpression('P use_email X, U has_update_permission P')), |
49 'update': ('managers', 'owners', ERQLExpression('P use_email X, U has_update_permission P')), |
49 'update': ('managers', 'owners', ERQLExpression('P use_email X, U has_update_permission P')), |
50 } |
50 } |
57 (such as python-projects@logilab.org and python-projects@lists.logilab.org), set this \ |
57 (such as python-projects@logilab.org and python-projects@lists.logilab.org), set this \ |
58 to indicate which is the preferred form.')) |
58 to indicate which is the preferred form.')) |
59 |
59 |
60 class use_email(RelationType): |
60 class use_email(RelationType): |
61 """ """ |
61 """ """ |
62 permissions = { |
62 __permissions__ = { |
63 'read': ('managers', 'users', 'guests',), |
63 'read': ('managers', 'users', 'guests',), |
64 'add': ('managers', RRQLExpression('U has_update_permission S'),), |
64 'add': ('managers', RRQLExpression('U has_update_permission S'),), |
65 'delete': ('managers', RRQLExpression('U has_update_permission S'),), |
65 'delete': ('managers', RRQLExpression('U has_update_permission S'),), |
66 } |
66 } |
67 fulltext_container = 'subject' |
67 fulltext_container = 'subject' |
68 |
68 |
69 class primary_email(RelationType): |
69 class primary_email(RelationType): |
70 """the prefered email""" |
70 """the prefered email""" |
71 permissions = use_email.permissions |
71 __permissions__ = use_email.__permissions__ |
72 |
72 |
73 class prefered_form(RelationType): |
73 class prefered_form(RelationType): |
74 permissions = { |
74 __permissions__ = { |
75 'read': ('managers', 'users', 'guests',), |
75 'read': ('managers', 'users', 'guests',), |
76 # XXX should have update permissions on both subject and object, |
76 # XXX should have update __permissions__ on both subject and object, |
77 # though by doing this we will probably have no way to add |
77 # though by doing this we will probably have no way to add |
78 # this relation in the web ui. The easiest way to acheive this |
78 # this relation in the web ui. The easiest way to acheive this |
79 # is probably to be able to have "U has_update_permission O" as |
79 # is probably to be able to have "U has_update_permission O" as |
80 # RQLConstraint of the relation definition, though this is not yet |
80 # RQLConstraint of the relation definition, though this is not yet |
81 # possible |
81 # possible |
83 'delete': ('managers', RRQLExpression('U has_update_permission S'),), |
83 'delete': ('managers', RRQLExpression('U has_update_permission S'),), |
84 } |
84 } |
85 |
85 |
86 class in_group(RelationType): |
86 class in_group(RelationType): |
87 """core relation indicating a user's groups""" |
87 """core relation indicating a user's groups""" |
88 permissions = META_RTYPE_PERMS |
88 __permissions__ = META_RTYPE_PERMS |
89 |
89 |
90 class owned_by(RelationType): |
90 class owned_by(RelationType): |
91 """core relation indicating owners of an entity. This relation |
91 """core relation indicating owners of an entity. This relation |
92 implicitly put the owner into the owners group for the entity |
92 implicitly put the owner into the owners group for the entity |
93 """ |
93 """ |
94 permissions = { |
94 __permissions__ = { |
95 'read': ('managers', 'users', 'guests'), |
95 'read': ('managers', 'users', 'guests'), |
96 'add': ('managers', RRQLExpression('S owned_by U'),), |
96 'add': ('managers', RRQLExpression('S owned_by U'),), |
97 'delete': ('managers', RRQLExpression('S owned_by U'),), |
97 'delete': ('managers', RRQLExpression('S owned_by U'),), |
98 } |
98 } |
99 # 0..n cardinality for entities created by internal session (no attached user) |
99 # 0..n cardinality for entities created by internal session (no attached user) |
102 subject = '*' |
102 subject = '*' |
103 object = 'CWUser' |
103 object = 'CWUser' |
104 |
104 |
105 class created_by(RelationType): |
105 class created_by(RelationType): |
106 """core relation indicating the original creator of an entity""" |
106 """core relation indicating the original creator of an entity""" |
107 permissions = { |
107 __permissions__ = { |
108 'read': ('managers', 'users', 'guests'), |
108 'read': ('managers', 'users', 'guests'), |
109 'add': ('managers',), |
109 'add': ('managers',), |
110 'delete': ('managers',), |
110 'delete': ('managers',), |
111 } |
111 } |
112 # 0..1 cardinality for entities created by internal session (no attached user) |
112 # 0..1 cardinality for entities created by internal session (no attached user) |
137 |
137 |
138 class CWProperty(EntityType): |
138 class CWProperty(EntityType): |
139 """used for cubicweb configuration. Once a property has been created you |
139 """used for cubicweb configuration. Once a property has been created you |
140 can't change the key. |
140 can't change the key. |
141 """ |
141 """ |
142 permissions = { |
142 __permissions__ = { |
143 'read': ('managers', 'users', 'guests'), |
143 'read': ('managers', 'users', 'guests'), |
144 'add': ('managers', 'users',), |
144 'add': ('managers', 'users',), |
145 'update': ('managers', 'owners',), |
145 'update': ('managers', 'owners',), |
146 'delete': ('managers', 'owners',), |
146 'delete': ('managers', 'owners',), |
147 } |
147 } |
161 |
161 |
162 class for_user(RelationType): |
162 class for_user(RelationType): |
163 """link a property to the user which want this property customization. Unless |
163 """link a property to the user which want this property customization. Unless |
164 you're a site manager, this relation will be handled automatically. |
164 you're a site manager, this relation will be handled automatically. |
165 """ |
165 """ |
166 permissions = { |
166 __permissions__ = { |
167 'read': ('managers', 'users', 'guests'), |
167 'read': ('managers', 'users', 'guests'), |
168 'add': ('managers',), |
168 'add': ('managers',), |
169 'delete': ('managers',), |
169 'delete': ('managers',), |
170 } |
170 } |
171 inlined = True |
171 inlined = True |
172 |
172 |
173 |
173 |
174 class CWPermission(EntityType): |
174 class CWPermission(EntityType): |
175 """entity type that may be used to construct some advanced security configuration |
175 """entity type that may be used to construct some advanced security configuration |
176 """ |
176 """ |
177 permissions = META_ETYPE_PERMS |
177 __permissions__ = META_ETYPE_PERMS |
178 |
178 |
179 name = String(required=True, indexed=True, internationalizable=True, maxsize=100, |
179 name = String(required=True, indexed=True, internationalizable=True, maxsize=100, |
180 description=_('name or identifier of the permission')) |
180 description=_('name or identifier of the permission')) |
181 label = String(required=True, internationalizable=True, maxsize=100, |
181 label = String(required=True, internationalizable=True, maxsize=100, |
182 description=_('distinct label to distinguate between other permission entity of the same name')) |
182 description=_('distinct label to distinguate between other permission entity of the same name')) |
187 # configurable security |
187 # configurable security |
188 class require_permission(RelationType): |
188 class require_permission(RelationType): |
189 """link a permission to the entity. This permission should be used in the |
189 """link a permission to the entity. This permission should be used in the |
190 security definition of the entity's type to be useful. |
190 security definition of the entity's type to be useful. |
191 """ |
191 """ |
192 permissions = { |
192 __permissions__ = { |
193 'read': ('managers', 'users', 'guests'), |
193 'read': ('managers', 'users', 'guests'), |
194 'add': ('managers',), |
194 'add': ('managers',), |
195 'delete': ('managers',), |
195 'delete': ('managers',), |
196 } |
196 } |
197 |
197 |
198 class require_group(RelationType): |
198 class require_group(RelationType): |
199 """used to grant a permission to a group""" |
199 """used to grant a permission to a group""" |
200 permissions = { |
200 __permissions__ = { |
201 'read': ('managers', 'users', 'guests'), |
201 'read': ('managers', 'users', 'guests'), |
202 'add': ('managers',), |
202 'add': ('managers',), |
203 'delete': ('managers',), |
203 'delete': ('managers',), |
204 } |
204 } |
205 |
205 |
215 http://www.w3.org/TR/owl-ref/#sameAs-def |
215 http://www.w3.org/TR/owl-ref/#sameAs-def |
216 |
216 |
217 NOTE: You'll have to explicitly declare which entity types can have a |
217 NOTE: You'll have to explicitly declare which entity types can have a |
218 same_as relation |
218 same_as relation |
219 """ |
219 """ |
220 permissions = { |
220 __permissions__ = { |
221 'read': ('managers', 'users', 'guests',), |
221 'read': ('managers', 'users', 'guests',), |
222 'add': ('managers', 'users'), |
222 'add': ('managers', 'users'), |
223 'delete': ('managers', 'owners'), |
223 'delete': ('managers', 'owners'), |
224 } |
224 } |
225 cardinality = '*1' |
225 cardinality = '*1' |
235 The target application is responsible for updating timestamp |
235 The target application is responsible for updating timestamp |
236 when necessary to invalidate the cache (typically in hooks). |
236 when necessary to invalidate the cache (typically in hooks). |
237 |
237 |
238 Also, checkout the AppObject.get_cache() method. |
238 Also, checkout the AppObject.get_cache() method. |
239 """ |
239 """ |
240 permissions = { |
240 __permissions__ = { |
241 'read': ('managers', 'users', 'guests'), |
241 'read': ('managers', 'users', 'guests'), |
242 'add': ('managers',), |
242 'add': ('managers',), |
243 'update': ('managers', 'users',), # XXX |
243 'update': ('managers', 'users',), # XXX |
244 'delete': ('managers',), |
244 'delete': ('managers',), |
245 } |
245 } |
252 # "abtract" relation types, not used in cubicweb itself |
252 # "abtract" relation types, not used in cubicweb itself |
253 |
253 |
254 class identical_to(RelationType): |
254 class identical_to(RelationType): |
255 """identical to""" |
255 """identical to""" |
256 symetric = True |
256 symetric = True |
257 permissions = { |
257 __permissions__ = { |
258 'read': ('managers', 'users', 'guests',), |
258 'read': ('managers', 'users', 'guests',), |
259 # XXX should have update permissions on both subject and object, |
259 # XXX should have update __permissions__ on both subject and object, |
260 # though by doing this we will probably have no way to add |
260 # though by doing this we will probably have no way to add |
261 # this relation in the web ui. The easiest way to acheive this |
261 # this relation in the web ui. The easiest way to acheive this |
262 # is probably to be able to have "U has_update_permission O" as |
262 # is probably to be able to have "U has_update_permission O" as |
263 # RQLConstraint of the relation definition, though this is not yet |
263 # RQLConstraint of the relation definition, though this is not yet |
264 # possible |
264 # possible |
267 } |
267 } |
268 |
268 |
269 class see_also(RelationType): |
269 class see_also(RelationType): |
270 """generic relation to link one entity to another""" |
270 """generic relation to link one entity to another""" |
271 symetric = True |
271 symetric = True |
272 permissions = { |
272 __permissions__ = { |
273 'read': ('managers', 'users', 'guests',), |
273 'read': ('managers', 'users', 'guests',), |
274 'add': ('managers', RRQLExpression('U has_update_permission S'),), |
274 'add': ('managers', RRQLExpression('U has_update_permission S'),), |
275 'delete': ('managers', RRQLExpression('U has_update_permission S'),), |
275 'delete': ('managers', RRQLExpression('U has_update_permission S'),), |
276 } |
276 } |