644 In an even more remote future, it is quite possible that the |
644 In an even more remote future, it is quite possible that the |
645 SubjectRelation shortcut will become deprecated, in favor of the |
645 SubjectRelation shortcut will become deprecated, in favor of the |
646 RelationType declaration which offers some advantages in the context |
646 RelationType declaration which offers some advantages in the context |
647 of reusable cubes. |
647 of reusable cubes. |
648 |
648 |
649 Definition of permissions |
649 |
650 ~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
651 The entity type `CWPermission` from the standard library |
|
652 allows to build very complex and dynamic security architectures. The schema of |
|
653 this entity type is as follow: |
|
654 |
|
655 .. sourcecode:: python |
|
656 |
|
657 class CWPermission(EntityType): |
|
658 """entity type that may be used to construct some advanced security configuration |
|
659 """ |
|
660 name = String(required=True, indexed=True, internationalizable=True, maxsize=100) |
|
661 require_group = SubjectRelation('CWGroup', cardinality='+*', |
|
662 description=_('groups to which the permission is granted')) |
|
663 require_state = SubjectRelation('State', |
|
664 description=_("entity's state in which the permission is applicable")) |
|
665 # can be used on any entity |
|
666 require_permission = ObjectRelation('**', cardinality='*1', composite='subject', |
|
667 description=_("link a permission to the entity. This " |
|
668 "permission should be used in the security " |
|
669 "definition of the entity's type to be useful.")) |
|
670 |
|
671 |
|
672 Example of configuration: |
|
673 |
|
674 .. sourcecode:: python |
|
675 |
|
676 class Version(EntityType): |
|
677 """a version is defining the content of a particular project's release""" |
|
678 |
|
679 __permissions__ = {'read': ('managers', 'users', 'guests',), |
|
680 'update': ('managers', 'logilab', 'owners',), |
|
681 'delete': ('managers', ), |
|
682 'add': ('managers', 'logilab', |
|
683 ERQLExpression('X version_of PROJ, U in_group G,' |
|
684 'PROJ require_permission P, P name "add_version",' |
|
685 'P require_group G'),)} |
|
686 |
|
687 |
|
688 class version_of(RelationType): |
|
689 """link a version to its project. A version is necessarily linked to one and only one project. |
|
690 """ |
|
691 __permissions__ = {'read': ('managers', 'users', 'guests',), |
|
692 'delete': ('managers', ), |
|
693 'add': ('managers', 'logilab', |
|
694 RRQLExpression('O require_permission P, P name "add_version",' |
|
695 'U in_group G, P require_group G'),) |
|
696 } |
|
697 inlined = True |
|
698 |
|
699 |
|
700 This configuration indicates that an entity `CWPermission` named |
|
701 "add_version" can be associated to a project and provides rights to create |
|
702 new versions on this project to specific groups. It is important to notice that: |
|
703 |
|
704 * in such case, we have to protect both the entity type "Version" and the relation |
|
705 associating a version to a project ("version_of") |
|
706 |
|
707 * because of the genericity of the entity type `CWPermission`, we have to execute |
|
708 a unification with the groups and/or the states if necessary in the expression |
|
709 ("U in_group G, P require_group G" in the above example) |
|
710 |
|
711 |
650 |
712 |
651 |
713 Handling schema changes |
652 Handling schema changes |
714 ~~~~~~~~~~~~~~~~~~~~~~~ |
653 ~~~~~~~~~~~~~~~~~~~~~~~ |
715 |
654 |