23 except AttributeError: |
23 except AttributeError: |
24 editedattrs = entity.keys() |
24 editedattrs = entity.keys() |
25 for attr in editedattrs: |
25 for attr in editedattrs: |
26 if attr in defaults: |
26 if attr in defaults: |
27 continue |
27 continue |
28 rschema = eschema.subjrels[attr] |
28 rdef = eschema.rdef(attr) |
29 if rschema.final: # non final relation are checked by other hooks |
29 if rdef.final: # non final relation are checked by other hooks |
30 # add/delete should be equivalent (XXX: unify them into 'update' ?) |
30 # add/delete should be equivalent (XXX: unify them into 'update' ?) |
31 rschema.check_perm(session, 'add', eid) |
31 rdef.check_perm(session, 'add', eid=eid) |
32 |
32 |
33 |
33 |
34 class CheckEntityPermissionOp(LateOperation): |
34 class CheckEntityPermissionOp(LateOperation): |
35 def precommit_event(self): |
35 def precommit_event(self): |
36 #print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action |
36 #print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action |
63 CheckEntityPermissionOp(session, entity=entity, action='update') |
66 CheckEntityPermissionOp(session, entity=entity, action='update') |
64 |
67 |
65 def before_del_entity(session, eid): |
68 def before_del_entity(session, eid): |
66 if not session.is_super_session: |
69 if not session.is_super_session: |
67 eschema = session.repo.schema[session.describe(eid)[0]] |
70 eschema = session.repo.schema[session.describe(eid)[0]] |
68 eschema.check_perm(session, 'delete', eid) |
71 eschema.check_perm(session, 'delete', eid=eid) |
69 |
72 |
70 |
73 |
71 def before_add_relation(session, fromeid, rtype, toeid): |
74 def before_add_relation(session, fromeid, rtype, toeid): |
72 if rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: |
75 if rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: |
73 nocheck = session.transaction_data.get('skip-security', ()) |
76 nocheck = session.transaction_data.get('skip-security', ()) |
74 if (fromeid, rtype, toeid) in nocheck: |
77 if (fromeid, rtype, toeid) in nocheck: |
75 return |
78 return |
76 rschema = session.repo.schema[rtype] |
79 rschema = session.repo.schema[rtype] |
77 rschema.check_perm(session, 'add', fromeid, toeid) |
80 rdef = rschema.rdef(session.describe(fromeid)[0], |
|
81 session.describe(toeid)[0]) |
|
82 rdef.check_perm(session, 'add', fromeid=fromeid, toeid=toeid) |
78 |
83 |
79 def after_add_relation(session, fromeid, rtype, toeid): |
84 def after_add_relation(session, fromeid, rtype, toeid): |
80 if not rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: |
85 if not rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: |
81 nocheck = session.transaction_data.get('skip-security', ()) |
86 nocheck = session.transaction_data.get('skip-security', ()) |
82 if (fromeid, rtype, toeid) in nocheck: |
87 if (fromeid, rtype, toeid) in nocheck: |
83 return |
88 return |
84 rschema = session.repo.schema[rtype] |
89 rschema = session.repo.schema.rschema(rtype) |
85 if rtype in ON_COMMIT_ADD_RELATIONS: |
90 if rtype in ON_COMMIT_ADD_RELATIONS: |
86 CheckRelationPermissionOp(session, action='add', rschema=rschema, |
91 CheckRelationPermissionOp(session, action='add', rschema=rschema, |
87 fromeid=fromeid, toeid=toeid) |
92 fromeid=fromeid, toeid=toeid) |
88 else: |
93 else: |
89 rschema.check_perm(session, 'add', fromeid, toeid) |
94 rdef = rschema.rdef(session.describe(fromeid)[0], |
|
95 session.describe(toeid)[0]) |
|
96 rdef.check_perm(session, 'add', fromeid=fromeid, toeid=toeid) |
90 |
97 |
91 def before_del_relation(session, fromeid, rtype, toeid): |
98 def before_del_relation(session, fromeid, rtype, toeid): |
92 if not session.is_super_session: |
99 if not session.is_super_session: |
93 nocheck = session.transaction_data.get('skip-security', ()) |
100 nocheck = session.transaction_data.get('skip-security', ()) |
94 if (fromeid, rtype, toeid) in nocheck: |
101 if (fromeid, rtype, toeid) in nocheck: |
95 return |
102 return |
96 session.repo.schema[rtype].check_perm(session, 'delete', fromeid, toeid) |
103 rschema = session.vreg.schema.rschema(rtype) |
|
104 rdef = rschema.rdef(session.describe(fromeid)[0], |
|
105 session.describe(toeid)[0]) |
|
106 rdef.check_perm(session, 'delete', fromeid=fromeid, toeid=toeid) |
97 |
107 |
98 def register_security_hooks(hm): |
108 def register_security_hooks(hm): |
99 """register meta-data related hooks on the hooks manager""" |
109 """register meta-data related hooks on the hooks manager""" |
100 hm.register_hook(after_add_entity, 'after_add_entity', '') |
110 hm.register_hook(after_add_entity, 'after_add_entity', '') |
101 hm.register_hook(after_update_entity, 'after_update_entity', '') |
111 hm.register_hook(after_update_entity, 'after_update_entity', '') |
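Review bot: The new `before_del_relation` (new line 103) resolves the relation schema through `session.vreg.schema.rschema(rtype)`, while `before_add_relation` uses `session.repo.schema[rtype]` and `after_add_relation` uses `session.repo.schema.rschema(rtype)`; security hooks should go through one accessor, e.g. `rschema = session.repo.schema.rschema(rtype)`, so add and delete permissions are checked against the same schema object. In `after_add_relation` the `ON_COMMIT_ADD_RELATIONS` branch still hands `rschema=rschema` to `CheckRelationPermissionOp`, whereas the immediate branch now checks the relation definition selected by the subject and object entity types. The operation's body is not visible here, so it is worth confirming that it resolves the same `rdef` before calling `check_perm`; otherwise deferred and immediate checks may enforce different permissions. The `rschema.rdef(session.describe(fromeid)[0], session.describe(toeid)[0])` lookup is now repeated in three hooks and would be easier to audit as one small private helper. The file header and the function enclosing the first hunk lie outside the visible page.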