1 .. -*- coding: utf-8 -*- |
|
2 |
|
3 Entity type definition |
|
4 ---------------------- |
|
5 |
|
6 An entity type is defined by a Python class which inherits `EntityType`. The |
|
7 class name correponds to the type name. Then the content of the class contains |
|
8 the description of attributes and relations for the defined entity type, |
|
9 by example :: |
|
10 |
|
11 class Personne(EntityType): |
|
12 """A person with the properties and the relations necessarry for my |
|
13 application""" |
|
14 |
|
15 last_name = String(required=True, fulltextindexed=True) |
|
16 first_name = String(required=True, fulltextindexed=True) |
|
17 title = String(vocabulary=('M', 'Mme', 'Mlle')) |
|
18 date_of_birth = Date() |
|
19 works_for = SubjectRelation('Company', cardinality='?*') |
|
20 |
|
21 * the name of the Python attribute corresponds to the name of the attribute |
|
22 or the relation in `LAX` application. |
|
23 |
|
24 * all built-in types are available: `String`, `Int`, `Float`, |
|
25 `Boolean`, `Date`, `Datetime`, `Time`, `Byte`. |
|
26 |
|
27 * each entity has at least the following meta-relations: |
|
28 |
|
29 - `eid` (`Int`) |
|
30 |
|
31 - `creation_date` (`Datetime`) |
|
32 |
|
33 - `modification_date` (`Datetime`) |
|
34 |
|
35 - `created_by` (`EUser`) (which user created the entity) |
|
36 |
|
37 - `owned_by` (`EUser`) (who does the entity belongs to, by default the |
|
38 creator but not necessarry and it could have multiple owners) |
|
39 |
|
40 - `is` (`EEType`) |
|
41 |
|
42 |
|
43 * it is also possible to define relations of type object by using `ObjectRelation` |
|
44 instead of `SubjectRelation` |
|
45 |
|
46 * the first argument of `SubjectRelation` and `ObjectRelation` gives respectively |
|
47 the object/subject entity type of the relation. This could be: |
|
48 |
|
49 * a string corresponding to an entity type |
|
50 |
|
51 * a tuple of string correponding to multiple entities types |
|
52 |
|
53 * special string such as follows: |
|
54 |
|
55 - "**" : all types of entities |
|
56 - "*" : all types of entities non meta |
|
57 - "@" : all types of meta entities but not system entities (e.g. used for |
|
58 the basis schema description) |
|
59 |
|
60 * it is possible to use the attribute `meta` to flag an entity type as a `meta` |
|
61 (e.g. used to describe/categorize other entities) |
|
62 |
|
63 * optional properties for attributes and relations: |
|
64 |
|
65 - `description` : string describing an attribute or a relation. By default |
|
66 this string will be used in the editing form of the entity, which means |
|
67 that it is supposed to help the end-user and should be flagged by the |
|
68 function `_` to be properly internationalized. |
|
69 |
|
70 - `constraints` : list of conditions/constraints that the relation needs to |
|
71 satisfy (c.f. `Contraints`_) |
|
72 |
|
73 - `cardinality` : two characters string which specify the cardinality of the |
|
74 relation. The first character defines the cardinality of the relation on |
|
75 the subject, the second on the object of the relation. When a relation |
|
76 has multiple possible subjects or objects, the cardinality applies to all |
|
77 and not on a one to one basis (so it must be consistent...). The possible |
|
78 values are inspired from regular expressions syntax: |
|
79 |
|
80 * `1`: 1..1 |
|
81 * `?`: 0..1 |
|
82 * `+`: 1..n |
|
83 * `*`: 0..n |
|
84 |
|
85 - `meta` : boolean indicating that the relation is a meta-relation (false by |
|
86 default) |
|
87 |
|
88 * optionnal properties for attributes: |
|
89 |
|
90 - `required` : boolean indicating if the attribute is required (false by default) |
|
91 |
|
92 - `unique` : boolean indicating if the value of the attribute has to be unique |
|
93 or not within all entities of the same type (false by default) |
|
94 |
|
95 - `indexed` : boolean indicating if an index needs to be created for this |
|
96 attribute in the database (false by default). This is usefull only if |
|
97 you know that you will have to run numerous searches on the value of this |
|
98 attribute. |
|
99 |
|
100 - `default` : default value of the attribute. In case of date types, the values |
|
101 which could be used correpond to the RQL keywords `TODAY` and `NOW`. |
|
102 |
|
103 - `vocabulary` : specify static possible values of an attribute |
|
104 |
|
105 * optionnal properties of type `String`: |
|
106 |
|
107 - `fulltextindexed` : boolean indicating if the attribute is part of |
|
108 the full text index (false by default) (*applicable on the type `Byte` |
|
109 as well*) |
|
110 |
|
111 - `internationalizable` : boolean indicating if the value of the attribute |
|
112 is internationalizable (false by default) |
|
113 |
|
114 - `maxsize` : integer providing the maximum size of the string (no limit by default) |
|
115 |
|
116 * optionnal properties for relations: |
|
117 |
|
118 - `composite` : string indicating that the subject (composite == 'subject') |
|
119 is composed of the objects of the relations. For the opposite case (when |
|
120 the object is composed of the subjects of the relation), we just need |
|
121 to set 'object' as the value. The composition implies that when the relation |
|
122 is deleted (so when the composite is deleted), the composed are also deleted. |
|
123 [PAS CLAIR] |
|
124 |
|
125 Contraints |
|
126 `````````` |
|
127 By default, the available constraints types are: |
|
128 |
|
129 * `SizeConstraint` : allows to specify a minimum and/or maximum size on |
|
130 string (generic case of `maxsize`) |
|
131 |
|
132 * `BoundConstraint` : allows to specify a minimum and/or maximum value on |
|
133 numeric types |
|
134 |
|
135 * `UniqueConstraint` : identical to "unique=True" |
|
136 |
|
137 * `StaticVocabularyConstraint` : identical to "vocabulary=(...)" |
|
138 |
|
139 * `RQLConstraint` : allows to specify a RQL query that needs to be satisfied |
|
140 by the subject and/or the object of the relation. In this query the variables |
|
141 `S` and `O` are reserved for the entities subject and object of the |
|
142 relation. |
|
143 |
|
144 * `RQLVocabularyConstraint` : similar to the previous type of constraint except |
|
145 that it does not express a "strong" constraint, which means it is only used to |
|
146 restrict the values listed in the drop-down menu of editing form, but it does |
|
147 not prevent another entity to be selected |
|
148 [PAS CLAIR] |
|
149 |
|
150 |
|
151 Relation type definition |
|
152 ------------------------ |
|
153 |
|
154 A relation is defined by a Python class heriting `RelationType`. The name |
|
155 of the class corresponds to the name of the type. The class then contains |
|
156 a description of the properties of this type of relation, as well as a |
|
157 string for the subject and a string for the object. This allows to create |
|
158 new definition of associated relations, (so that the class can have the |
|
159 definition properties from the relation)[PAS CLAIR] by example :: |
|
160 |
|
161 class locked_by(RelationType): |
|
162 """relation on all entities indicating that they are locked""" |
|
163 inlined = True |
|
164 cardinality = '?*' |
|
165 subject = '*' |
|
166 object = 'EUser' |
|
167 |
|
168 In addition to the permissions, the own properties of the relation types |
|
169 (shared also by all definition of relation of this type) are: |
|
170 |
|
171 |
|
172 * `inlined` : boolean handling the physical optimization for archiving |
|
173 the relation in the subject entity table, instead of creating a specific |
|
174 table for the relation. This applies to the relation when the cardinality |
|
175 of subject->relation->object is 0..1 ('?') or 1..1 ('1') |
|
176 |
|
177 * `symetric` : boolean indication that the relation is symetrical, which |
|
178 means `X relation Y` implies `Y relation X` |
|
179 |
|
180 In the case of simultaneous relations definitions, `subject` and `object` |
|
181 can both be equal to the value of the first argument of `SubjectRelation` |
|
182 and `ObjectRelation`. |
|
183 |
|
184 When a relation is not inlined and not symetrical, and it does not require |
|
185 specific permissions, its definition (by using `SubjectRelation` and |
|
186 `ObjectRelation`) is all we need. |
|
187 |
|
188 Permissions definition |
|
189 ---------------------- |
|
190 |
|
191 Define permissions is set through to the attribute `permissions` of entities and |
|
192 relations types. It defines a dictionnary where the keys are the access types |
|
193 (action), and the values are the authorized groups or expressions. |
|
194 |
|
195 For an entity type, the possible actions are `read`, `add`, `update` and |
|
196 `delete`. |
|
197 |
|
198 For a relation type, the possible actions are `read`, `add`, and `delete`. |
|
199 |
|
200 For each access type, a tuple indicates the name of the authorized groups and/or |
|
201 one or multiple RQL expressions to satisfy to grant access. The access is |
|
202 provided once the user is in the listed groups or one of the RQL condition is |
|
203 satisfied. |
|
204 |
|
205 The standard groups are: |
|
206 |
|
207 * `guests` |
|
208 |
|
209 * `users` |
|
210 |
|
211 * `managers` |
|
212 |
|
213 * `owners` : virtual group corresponding to the entity's owner. |
|
214 This can only be used for the actions `update` and `delete` of an entity |
|
215 type. |
|
216 |
|
217 It is also possible to use specific groups if they are define in the precreate |
|
218 of the application (``migration/precreate.py``). |
|
219 |
|
220 Use of RQL expression for writing rights |
|
221 ```````````````````````````````````````` |
|
222 It is possible to define RQL expression to provide update permission |
|
223 (`add`, `delete` and `update`) on relation and entity types. |
|
224 |
|
225 RQL expression for entity type permission: |
|
226 |
|
227 * you have to use the class `ERQLExpression` |
|
228 |
|
229 * the used expression corresponds to the WHERE statement of an RQL query |
|
230 |
|
231 * in this expression, the variables X and U are pre-defined references |
|
232 respectively on the current entity (on which the action is verified) and |
|
233 on the user who send the request |
|
234 |
|
235 * it is possible to use, in this expression, a special relation |
|
236 "has_<ACTION>_permission" where the subject is the user and the |
|
237 object is a any variable, meaning that the user needs to have |
|
238 permission to execute the action <ACTION> on the entities related |
|
239 to this variable |
|
240 |
|
241 For RQL expressions on a relation type, the principles are the same except |
|
242 for the following: |
|
243 |
|
244 * you have to use the class `RQLExpression` in the case of a non-final relation |
|
245 [WHAT IS A NON FINALE RELATION] |
|
246 |
|
247 * in the expression, the variables S, O and U are pre-defined references |
|
248 to respectively the subject and the object of the current relation (on |
|
249 which the action is being verified) and the user who executed the query |
|
250 |
|
251 * we can also defined rights on attributes of an entity (non-final relation), |
|
252 knowing that: |
|
253 |
|
254 - to defines RQL expression, we have to use the class `ERQLExpression` |
|
255 in which X represents the entity the attribute belongs to |
|
256 |
|
257 - the permissions `add` and `delete` are equivalent. Only `add`/`read` |
|
258 are actually taken in consideration. |
|
259 |
|
260 |
|
261 |
|
262 In addition to thatm the entity type `EPermission` from the standard library |
|
263 allow to build very complex and dynamic security architecture. The schema of |
|
264 this entity type is as follow: :: |
|
265 |
|
266 class EPermission(MetaEntityType): |
|
267 """entity type that may be used to construct some advanced security configuration |
|
268 """ |
|
269 name = String(required=True, indexed=True, internationalizable=True, maxsize=100) |
|
270 require_group = SubjectRelation('EGroup', cardinality='+*', |
|
271 description=_('groups to which the permission is granted')) |
|
272 require_state = SubjectRelation('State', |
|
273 description=_("entity'state in which the permission is applyable")) |
|
274 # can be used on any entity |
|
275 require_permission = ObjectRelation('**', cardinality='*1', composite='subject', |
|
276 description=_("link a permission to the entity. This " |
|
277 "permission should be used in the security " |
|
278 "definition of the entity's type to be useful.")) |
|
279 |
|
280 |
|
281 Example of configuration :: |
|
282 |
|
283 ... |
|
284 |
|
285 class Version(EntityType): |
|
286 """a version is defining the content of a particular project's release""" |
|
287 |
|
288 permissions = {'read': ('managers', 'users', 'guests',), |
|
289 'update': ('managers', 'logilab', 'owners',), |
|
290 'delete': ('managers', ), |
|
291 'add': ('managers', 'logilab', |
|
292 ERQLExpression('X version_of PROJ, U in_group G,' |
|
293 'PROJ require_permission P, P name "add_version",' |
|
294 'P require_group G'),)} |
|
295 |
|
296 ... |
|
297 |
|
298 class version_of(RelationType): |
|
299 """link a version to its project. A version is necessarily linked to one and only one project. |
|
300 """ |
|
301 permissions = {'read': ('managers', 'users', 'guests',), |
|
302 'delete': ('managers', ), |
|
303 'add': ('managers', 'logilab', |
|
304 RRQLExpression('O require_permission P, P name "add_version",' |
|
305 'U in_group G, P require_group G'),) |
|
306 } |
|
307 inlined = True |
|
308 |
|
309 This configuration assumes/indicates [???] that an entity `EPermission` named |
|
310 "add_version" can be associated to a project and provides rights to create |
|
311 new versions on this project to specific groups. It is important to notice that: |
|
312 |
|
313 * in such case, we have to protect both the entity type "Version" and the relation |
|
314 associating a version to a project ("version_of") |
|
315 |
|
316 * because of the genricity of the entity type `EPermission`, we have to execute |
|
317 a unification with the groups and/or the states if necessary in the expression |
|
318 ("U in_group G, P require_group G" in the above example) |
|
319 |
|
320 |
|
321 Use of RQL expression for reading rights |
|
322 ```````````````````````````````````````` |
|
323 |
|
324 The principles are the same but with the following restrictions: |
|
325 |
|
326 * we can not [??] `RRQLExpression` on relation types for reading |
|
327 |
|
328 * special relations "has_<ACTION>_permission" can not be used |
|
329 |
|
330 |
|
331 Note on the use of RQL expression for `add` permission |
|
332 `````````````````````````````````````````````````````` |
|
333 Potentially, the use of an RQL expression to add an entity or a relation |
|
334 can cause problems for the user interface, because if the expression uses |
|
335 the entity or the relation to create, then we are not able to verify the |
|
336 permissions before we actually add the entity (please note that this is |
|
337 not a problem for the RQL server at all, because the permissions checks are |
|
338 done after the creation). In such case, the permission checks methods |
|
339 (check_perm, has_perm) can indicate that the user is not allowed to create |
|
340 this entity but can obtain the permission. |
|
341 To compensate this problem, it is usually necessary, for such case, |
|
342 to use an action that reflects the schema permissions but which enables |
|
343 to check properly the permissions so that it would show up if necessary. |
|
344 [PAS CLAIR] |
|