13 # FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
13 # FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
14 # details. |
14 # details. |
15 # |
15 # |
16 # You should have received a copy of the GNU Lesser General Public License along |
16 # You should have received a copy of the GNU Lesser General Public License along |
17 # with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
17 # with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
18 """some utilities to define schema permissions |
18 """some constants and classes to define schema permissions""" |
19 |
19 |
20 """ |
|
21 __docformat__ = "restructuredtext en" |
20 __docformat__ = "restructuredtext en" |
22 |
21 |
23 from rql.utils import quote |
|
24 from cubicweb.schema import RO_REL_PERMS, RO_ATTR_PERMS, \ |
22 from cubicweb.schema import RO_REL_PERMS, RO_ATTR_PERMS, \ |
25 PUB_SYSTEM_ENTITY_PERMS, PUB_SYSTEM_REL_PERMS, \ |
23 PUB_SYSTEM_ENTITY_PERMS, PUB_SYSTEM_REL_PERMS, \ |
26 ERQLExpression, RRQLExpression |
24 ERQLExpression, RRQLExpression |
27 |
25 |
28 # permissions for "meta" entity type (readable by anyone, can only be |
26 # permissions for "meta" entity type (readable by anyone, can only be |
33 META_RTYPE_PERMS = PUB_SYSTEM_REL_PERMS # XXX deprecates |
31 META_RTYPE_PERMS = PUB_SYSTEM_REL_PERMS # XXX deprecates |
34 # permissions for relation type that should only set by hooks using unsafe |
32 # permissions for relation type that should only set by hooks using unsafe |
35 # execute, readable by anyone |
33 # execute, readable by anyone |
36 HOOKS_RTYPE_PERMS = RO_REL_PERMS # XXX deprecates |
34 HOOKS_RTYPE_PERMS = RO_REL_PERMS # XXX deprecates |
37 |
35 |
38 def _perm(names): |
|
39 if isinstance(names, (list, tuple)): |
|
40 if len(names) == 1: |
|
41 names = quote(names[0]) |
|
42 else: |
|
43 names = 'IN (%s)' % (','.join(quote(name) for name in names)) |
|
44 else: |
|
45 names = quote(names) |
|
46 #return u' require_permission P, P name %s, U in_group G, P require_group G' % names |
|
47 return u' require_permission P, P name %s, U has_group_permission P' % names |
|
48 |
36 |
|
37 from logilab.common.modutils import LazyObject |
|
38 from logilab.common.deprecation import deprecated |
|
39 class MyLazyObject(LazyObject): |
49 |
40 |
50 def xperm(*names): |
41 def _getobj(self): |
51 return 'X' + _perm(names) |
42 try: |
|
43 return super(MyLazyObject, self)._getobj() |
|
44 except ImportError: |
|
45 raise ImportError('In cubicweb 3.14, function %s has been moved to ' |
|
46 'cube localperms. Install it first.' % self.obj) |
52 |
47 |
53 def xexpr(*names): |
48 for name in ('xperm', 'xexpr', 'xrexpr', 'xorexpr', 'sexpr', 'restricted_sexpr', |
54 return ERQLExpression(xperm(*names)) |
49 'restricted_oexpr', 'oexpr', 'relxperm', 'relxexpr', '_perm'): |
55 |
50 msg = '[3.14] import %s from cubes.localperms' % name |
56 def xrexpr(relation, *names): |
51 globals()[name] = deprecated(msg)(MyLazyObject('cubes.localperms', name)) |
57 return ERQLExpression('X %s Y, Y %s' % (relation, _perm(names))) |
|
58 |
|
59 def xorexpr(relation, etype, *names): |
|
60 return ERQLExpression('Y %s X, X is %s, Y %s' % (relation, etype, _perm(names))) |
|
61 |
|
62 |
|
63 def sexpr(*names): |
|
64 return RRQLExpression('S' + _perm(names), 'S') |
|
65 |
|
66 def restricted_sexpr(restriction, *names): |
|
67 rql = '%s, %s' % (restriction, 'S' + _perm(names)) |
|
68 return RRQLExpression(rql, 'S') |
|
69 |
|
70 def restricted_oexpr(restriction, *names): |
|
71 rql = '%s, %s' % (restriction, 'O' + _perm(names)) |
|
72 return RRQLExpression(rql, 'O') |
|
73 |
|
74 def oexpr(*names): |
|
75 return RRQLExpression('O' + _perm(names), 'O') |
|
76 |
|
77 |
|
78 # def supdate_perm(): |
|
79 # return RRQLExpression('U has_update_permission S', 'S') |
|
80 |
|
81 # def oupdate_perm(): |
|
82 # return RRQLExpression('U has_update_permission O', 'O') |
|
83 |
|
84 def relxperm(rel, role, *names): |
|
85 assert role in ('subject', 'object') |
|
86 if role == 'subject': |
|
87 zxrel = ', X %s Z' % rel |
|
88 else: |
|
89 zxrel = ', Z %s X' % rel |
|
90 return 'Z' + _perm(names) + zxrel |
|
91 |
|
92 def relxexpr(rel, role, *names): |
|
93 return ERQLExpression(relxperm(rel, role, *names)) |
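Review bot: In `MyLazyObject._getobj` the `except ImportError` branch replaces every import failure with the "Install it first" message, so an ImportError raised from inside `cubes.localperms` itself (a broken dependency of that cube, say) is reported as a missing cube and the real cause is lost. These names build the RQL permission expressions used by schemas, so a misleading error makes a permission-loading failure harder to diagnose. Keep the original error in the message, e.g. `except ImportError as exc:` with `'... Install it first (%s).' % (self.obj, exc)`, if the supported Python versions allow the `as` form. The loop also leaves `name` and `msg` behind as module globals, which `del name, msg` after it would tidy up. A one-line comment such as `# compat shim: permission helpers moved to cubes.localperms in 3.14` would explain why the imports sit mid-module.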
|