144 that it does not express a "strong" constraint, which means it is only used to |
144 that it does not express a "strong" constraint, which means it is only used to |
145 restrict the values listed in the drop-down menu of editing form, but it does |
145 restrict the values listed in the drop-down menu of editing form, but it does |
146 not prevent another entity to be selected |
146 not prevent another entity to be selected |
147 |
147 |
148 |
148 |
149 Relation type definition |
149 Relation definition |
150 ------------------------ |
150 ------------------- |
|
151 |
|
152 XXX add note about defining relation type / definition |
151 |
153 |
152 A relation is defined by a Python class heriting `RelationType`. The name |
154 A relation is defined by a Python class heriting `RelationType`. The name |
153 of the class corresponds to the name of the type. The class then contains |
155 of the class corresponds to the name of the type. The class then contains |
154 a description of the properties of this type of relation, and could as well |
156 a description of the properties of this type of relation, and could as well |
155 contains a string for the subject and a string for the object. This allows to create |
157 contains a string for the subject and a string for the object. This allows to create |
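Review bot: the added line 152, "XXX add note about defining relation type / definition", is a bare TODO that will render as a body paragraph in the published documentation; either write the note or turn the line into a reST comment (`.. XXX ...`). The heading is renamed to "Relation definition", yet the paragraph under it still describes a class inheriting `RelationType` whose name "corresponds to the name of the type", so the new title and the body disagree about whether this section covers the relation type or the relation definition. While this section is being touched, "heriting" should read "inheriting".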
181 |
183 |
182 When a relation is not inlined and not symetrical, and it does not require |
184 When a relation is not inlined and not symetrical, and it does not require |
183 specific permissions, its definition (by using `SubjectRelation` and |
185 specific permissions, its definition (by using `SubjectRelation` and |
184 `ObjectRelation`) is all we need. |
186 `ObjectRelation`) is all we need. |
185 |
187 |
|
188 |
|
189 The security model |
|
190 ------------------ |
|
191 |
|
192 Le modèle de sécurité de CubicWeb est un modèle fondé sur des `Access |
|
193 Control List`. Les notions sont les suivantes : |
|
194 |
|
195 * utilisateurs et groupes d'utilisateurs |
|
196 * un utilisateur appartient à au moins un groupe |
|
197 * droits (lire, modifier, créer, supprimer) |
|
198 * les droits sont attribués aux groupes (et non aux utilisateurs) |
|
199 |
|
200 Pour CubicWeb plus spécifiquement : |
|
201 |
|
202 * on associe les droits au niveau des schemas d'entites / relations |
|
203 |
|
204 * pour chaque type d'entité, on distingue les droits de lecture, |
|
205 ajout, modification et suppression |
|
206 |
|
207 * pour chaque type de relation, on distingue les droits de lecture, |
|
208 ajout et suppression (on ne peut pas modifer une relation) |
|
209 |
|
210 * les groupes de base sont : Administrateurs, Utilisateurs, Invités |
|
211 |
|
212 * les utilisateurs font par défaut parti du groupe Utilisateurs |
|
213 |
|
214 * on a un groupe virtuel "Utilisateurs Propriétaires", auquel on peut |
|
215 associer uniquement les droits de suppression et de modification |
|
216 |
|
217 * on ne peut pas mettre d'utilisateurs dans ce groupe, ils y sont |
|
218 ajoutés implicitement dans le contexte des objets dont ils sont |
|
219 propriétaires |
|
220 |
|
221 * les droits de ce groupe ne sont vérifiés que sur |
|
222 modification / suppression si tous les autres groupes auxquels |
|
223 l'utilisateur appartient se sont vu interdir l'accès |
|
224 |
|
225 |
186 Permissions definition |
226 Permissions definition |
187 ---------------------- |
227 `````````````````````` |
188 |
228 |
189 Define permissions is set through to the attribute `permissions` of entities and |
229 Define permissions is set through to the attribute `permissions` of entities and |
190 relations types. It defines a dictionnary where the keys are the access types |
230 relations types. It defines a dictionnary where the keys are the access types |
191 (action), and the values are the authorized groups or expressions. |
231 (action), and the values are the authorized groups or expressions. |
192 |
232 |
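Review bot: the new "The security model" section (new lines 192-223) is written in French inside an otherwise English document and should be translated before merge; it also carries typos ("modifer", "parti", "interdir"). Its statement that rights are granted to groups and not to users ("les droits sont attribués aux groupes (et non aux utilisateurs)") should be reconciled with "Permissions definition" just below, which says the values are "the authorized groups or expressions". The rule for the virtual owners group (checked only on modification / deletion, and only when every other group the user belongs to has been denied) is the part readers will depend on when filling in `permissions`, so it should be stated as carefully in English as it is here.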
210 |
250 |
211 * `owners` : virtual group corresponding to the entity's owner. |
251 * `owners` : virtual group corresponding to the entity's owner. |
212 This can only be used for the actions `update` and `delete` of an entity |
252 This can only be used for the actions `update` and `delete` of an entity |
213 type. |
253 type. |
214 |
254 |
215 It is also possible to use specific groups if they are define in the precreate |
255 It is also possible to use specific groups if they are defined in the precreate |
216 of the application (``migration/precreate.py``). |
256 of the cube (``migration/precreate.py``). |
|
257 |
217 |
258 |
218 Use of RQL expression for writing rights |
259 Use of RQL expression for writing rights |
219 ```````````````````````````````````````` |
260 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
220 It is possible to define RQL expression to provide update permission |
261 It is possible to define RQL expression to provide update permission |
221 (`add`, `delete` and `update`) on relation and entity types. |
262 (`add`, `delete` and `update`) on relation and entity types. |
222 |
263 |
223 RQL expression for entity type permission : |
264 RQL expression for entity type permission : |
224 |
265 |
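Review bot: at new line 256, "defined in the precreate of the cube" swaps "application" for "cube" but still leaves "the precreate" unexplained; "created in the cube's precreate script (``migration/precreate.py``)" would tell the reader what to edit. The blank line added at 257 leaves two blank lines before the "Use of RQL expression for writing rights" heading, where the other headings in this hunk range use the existing spacing; drop it unless the extra gap is intentional.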
312 * because of the genricity of the entity type `EPermission`, we have to execute |
353 * because of the genricity of the entity type `EPermission`, we have to execute |
313 a unification with the groups and/or the states if necessary in the expression |
354 a unification with the groups and/or the states if necessary in the expression |
314 ("U in_group G, P require_group G" in the above example) |
355 ("U in_group G, P require_group G" in the above example) |
315 |
356 |
316 Use of RQL expression for reading rights |
357 Use of RQL expression for reading rights |
317 ```````````````````````````````````````` |
358 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
318 |
359 |
319 The principles are the same but with the following restrictions : |
360 The principles are the same but with the following restrictions : |
320 |
361 |
321 * we can not use `RRQLExpression` on relation types for reading |
362 * we can not use `RRQLExpression` on relation types for reading |
322 |
363 |
323 * special relations "has_<ACTION>_permission" can not be used |
364 * special relations "has_<ACTION>_permission" can not be used |
324 |
365 |
325 |
366 |
326 Note on the use of RQL expression for `add` permission |
367 Note on the use of RQL expression for `add` permission |
327 `````````````````````````````````````````````````````` |
368 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
328 Potentially, the use of an RQL expression to add an entity or a relation |
369 Potentially, the use of an RQL expression to add an entity or a relation |
329 can cause problems for the user interface, because if the expression uses |
370 can cause problems for the user interface, because if the expression uses |
330 the entity or the relation to create, then we are not able to verify the |
371 the entity or the relation to create, then we are not able to verify the |
331 permissions before we actually add the entity (please note that this is |
372 permissions before we actually add the entity (please note that this is |
332 not a problem for the RQL server at all, because the permissions checks are |
373 not a problem for the RQL server at all, because the permissions checks are |
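Review bot: the underline changes at new lines 358 and 368 match the `~` introduced at 260, but the spacing after the underline is inconsistent: "Use of RQL expression for reading rights" is followed by a blank line (359), while "Note on the use of RQL expression for `add` permission" runs straight into its paragraph at 369, as the heading at 260-261 does. Pick one layout for all three subsections. The context line at 353 also still reads "genricity" for "genericity" and could be fixed in the same pass.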