408 The principles are the same but with the following restrictions: |
408 The principles are the same but with the following restrictions: |
409 |
409 |
410 * we can not use `RRQLExpression` on relation types for reading |
410 * we can not use `RRQLExpression` on relation types for reading |
411 |
411 |
412 * special relations "has_<ACTION>_permission" can not be used |
412 * special relations "has_<ACTION>_permission" can not be used |
|
413 |
|
414 |
|
415 Important notes about write permissions checking |
|
416 ```````````````````````````````````````````````` |
|
417 |
|
418 Write permissions (e.g. 'add', 'update', 'delete') are checked in core hooks. |
|
419 |
|
420 When a permission is checked slightly vary according to if it's an entity or |
|
421 relation, and if the relation is an attribute relation or not). It's important to |
|
422 understand that since according to when a permission is checked, values returned |
|
423 by rql expressions may changes, hence the permission being granted or not. |
|
424 |
|
425 Here are the current rules: |
|
426 |
|
427 1. permission to add/update entity and its attributes are checked: |
|
428 |
|
429 - on commit if the entity has been added |
|
430 |
|
431 - in an 'after_update_entity' hook if the entity has been updated. If it fails |
|
432 at this time, it will be retried on commit (hence you get the permission if |
|
433 you have it just after the modification or *at* commit time) |
|
434 |
|
435 2. permission to delete an entity is checked in 'before_delete_entity' hook |
|
436 |
|
437 3. permission to add a relation is checked either: |
|
438 |
|
439 - in 'before_add_relation' hook if the relation type is in the |
|
440 `BEFORE_ADD_RELATIONS` set |
|
441 |
|
442 - else at commit time if the relation type is in the `ON_COMMIT_ADD_RELATIONS` |
|
443 set |
|
444 |
|
445 - else in 'after_add_relation' hook (the default) |
|
446 |
|
447 4. permission to delete a relation is checked in 'before_delete_relation' hook |
|
448 |
|
449 Last but not least, remember queries issued from hooks and operation are by |
|
450 default 'unsafe', eg there are no read or write security checks. |
|
451 |
|
452 See :mod:`cubicweb.hooks.security` for more details. |
413 |
453 |
414 |
454 |
415 .. _yams_example: |
455 .. _yams_example: |
416 |
456 |
417 Defining your schema using yams |
457 Defining your schema using yams |
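Review bot: Rule 3 (new lines 437-445) names the `BEFORE_ADD_RELATIONS` and `ON_COMMIT_ADD_RELATIONS` sets without saying where they are defined or how a relation type gets into them. The closing "See :mod:`cubicweb.hooks.security`" is the only hint, so name the module next to the sets. Rule 1 says a failed 'after_update_entity' check is retried on commit, but rule 3 does not say whether the default 'after_add_relation' check gets the same retry. Spell that out, because it decides whether an rql expression that depends on data set later in the transaction ends up granting the permission. The last paragraph (449-450) carries the most security weight and is easy to miss behind "Last but not least"; consider setting it apart from the rules list. In the same paragraph, "eg" should be "i.e.", since the clause defines 'unsafe' rather than giving an example, and "hooks and operation" should read "hooks and operations". In 420-423 the sentence has a closing parenthesis with no opening one, and "slightly vary according to if" and "may changes" need fixing, for example "The point at which a permission is checked varies slightly depending on whether it applies to an entity or a relation, and whether the relation is an attribute relation."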