cubicweb: comparison hooks/security.py

equal deleted inserted replaced

-:4b89ca0b11ad
+:96dba2efd16d
-# copyright 2003-2012 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+# copyright 2003-2013 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
 # contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
 #
 # This file is part of CubicWeb.
 #
 # CubicWeb is free software: you can redistribute it and/or modify it under the
 """Security hooks: check permissions to add/delete/update entities according to
 the user connected to a session
 """
 __docformat__ = "restructuredtext en"
+from warnings import warn
 from logilab.common.registry import objectify_predicate
 from yams import buildobjs
 from cubicweb import Unauthorized
 from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook
-_DEFAULT_UPDATE_ATTRPERM = buildobjs.DEFAULT_ATTRPERMS['update']
-def check_entity_attributes(session, entity, editedattrs=None, creation=False):
+def check_entity_attributes(session, entity, action, editedattrs=None):
 eid = entity.eid
 eschema = entity.e_schema
 # ._cw_skip_security_attributes is there to bypass security for attributes
 # set by hooks by modifying the entity's dictionary
 if editedattrs is None:
 for attr in editedattrs:
 if attr in dontcheck:
 continue
 rdef = eschema.rdef(attr)
 if rdef.final: # non final relation are checked by standard hooks
-# attributes only have a specific 'update' permission
+perms = rdef.permissions.get(action)
-updateperm = rdef.permissions.get('update')
 # comparison below works because the default update perm is:
 #
-#  ('managers', ERQLExpression(Any X WHERE U has_update_permission X, X eid %(x)s, U eid %(u)s))
+#  ('managers', ERQLExpression(Any X WHERE U has_update_permission X,
+#                              X eid %(x)s, U eid %(u)s))
 #
 # is deserialized in this order (groups first), and ERQLExpression
-# implements comparison by expression.
+# implements comparison by rql expression.
-if updateperm == _DEFAULT_UPDATE_ATTRPERM:
+if perms == buildobjs.DEFAULT_ATTRPERMS[action]:
-# The default update permission is to delegate to the entity
+# The default rule is to delegate to the entity
-# update permission. This is an historical artefact but it is
+# rule. This is an historical artefact. Hence we take
-# costly (in general). Hence we take this permission object as a
+# this object as a marker saying "no specific"
-# marker saying "no specific" update permissions for this
+# permission rule for this attribute. Thus we just do
-# attribute. Thus we just do nothing.
+# nothing.
 continue
-if creation and updateperm == ():
+if perms == ():
-# That actually means an immutable attribute.  We make an
+# That means an immutable attribute.
-# _exception_ to the `check attr update perms at entity create &
+raise Unauthorized(action, str(rdef))
-# update time` rule for this case.
+rdef.check_perm(session, action, eid=eid)
-continue
-rdef.check_perm(session, 'update', eid=eid)
 class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
 def precommit_event(self):
 session = self.session
 for eid, action, edited in self.get_data():
 entity = session.entity_from_eid(eid)
 entity.cw_check_perm(action)
-check_entity_attributes(session, entity, edited,
+check_entity_attributes(session, entity, action, edited)
-creation=(action == 'add'))
 class CheckRelationPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
 def precommit_event(self):
 session = self.session

changeset 9395	96dba2efd16d
parent 9254	e1369f2dba79
child 9412	8aa6c923d6c0
child 9469	032825bbacab