doc/book/en/devrepo/datamodel/definition.rst
branch stable
changeset 6120 c000e41316ec
parent 5953 af48c527aea7
child 6148 59c446a813b5
6119:b217635d3b28 6120:c000e41316ec
   408 The principles are the same but with the following restrictions:
   408 The principles are the same but with the following restrictions:
   409 
   409 
   410 * we can not use `RRQLExpression` on relation types for reading
   410 * we can not use `RRQLExpression` on relation types for reading
   411 
   411 
   412 * special relations "has_<ACTION>_permission" can not be used
   412 * special relations "has_<ACTION>_permission" can not be used
       
   413 
       
   414 
       
   415 Important notes about write permissions checking
       
   416 ````````````````````````````````````````````````
       
   417 
       
   418 Write permissions (e.g. 'add', 'update', 'delete') are checked in core hooks.
       
   419 
       
   420 When a permission is checked slightly vary according to if it's an entity or
       
   421 relation, and if the relation is an attribute relation or not). It's important to
       
   422 understand that since according to when a permission is checked, values returned
       
   423 by rql expressions may changes, hence the permission being granted or not.
       
   424 
       
   425 Here are the current rules:
       
   426 
       
   427 1. permission to add/update entity and its attributes are checked:
       
   428 
       
   429    - on commit if the entity has been added
       
   430 
       
   431    - in an 'after_update_entity' hook if the entity has been updated. If it fails
       
   432      at this time, it will be retried on commit (hence you get the permission if
       
   433      you have it just after the modification or *at* commit time)
       
   434 
       
   435 2. permission to delete an entity is checked in 'before_delete_entity' hook
       
   436 
       
   437 3. permission to add a relation is checked either:
       
   438 
       
   439    - in 'before_add_relation' hook if the relation type is in the
       
   440      `BEFORE_ADD_RELATIONS` set
       
   441 
       
   442    - else at commit time if the relation type is in the `ON_COMMIT_ADD_RELATIONS`
       
   443      set
       
   444 
       
   445    - else in 'after_add_relation' hook (the default)
       
   446 
       
   447 4. permission to delete a relation is checked in 'before_delete_relation' hook
       
   448 
       
   449 Last but not least, remember queries issued from hooks and operation are by
       
   450 default 'unsafe', eg there are no read or write security checks.
       
   451 
       
   452 See :mod:`cubicweb.hooks.security` for more details.
   413 
   453 
   414 
   454 
   415 .. _yams_example:
   455 .. _yams_example:
   416 
   456 
   417 Defining your schema using yams
   457 Defining your schema using yams
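Review bot: The paragraph added at new lines 420-423 does not parse as written: "When a permission is checked slightly vary according to if it's an entity or relation, and if the relation is an attribute relation or not)." has a closing parenthesis with no opener and a subject/verb mismatch, and the following sentence has "may changes". This is the text readers rely on to know at which point an RQL expression is evaluated, so it should be unambiguous; suggest something like "The moment at which a permission is checked varies slightly depending on whether it applies to an entity or a relation (and, for a relation, whether it is an attribute relation). This matters because the values returned by RQL expressions may change between those moments, and with them whether the permission is granted." At new line 450, "eg" introduces a restatement rather than an example, so it should be "i.e.", and "hooks and operation" should read "hooks and operations". Rule 3 names the `BEFORE_ADD_RELATIONS` and `ON_COMMIT_ADD_RELATIONS` sets without saying where they are defined or how a relation type ends up in them; a sentence or cross-reference would save readers from having to search the module mentioned at line 452. Finally, the statement that queries issued from hooks and operations run with no read or write security checks is the most security-relevant sentence in the section and is easy to miss as a trailing paragraph; consider putting it in a reST warning directive and saying how a hook author gets checks applied when they are wanted.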