57 |
57 |
58 * `owners` : virtual group corresponding to the entity's owner. |
58 * `owners` : virtual group corresponding to the entity's owner. |
59 This can only be used for the actions `update` and `delete` of an entity |
59 This can only be used for the actions `update` and `delete` of an entity |
60 type. |
60 type. |
61 |
61 |
62 It is also possible to use specific groups if they are defined in the precreate |
62 It is also possible to use specific groups if they are defined in the precreate |
63 of the cube (``migration/precreate.py``). |
63 of the cube (``migration/precreate.py``). |
64 |
64 |
65 |
65 |
66 Use of RQL expression for writing rights |
66 Use of RQL expression for writing rights |
67 ```````````````````````````````````````` |
67 ```````````````````````````````````````` |
68 |
68 |
69 It is possible to define RQL expression to provide update permission |
69 It is possible to define RQL expression to provide update permission |
70 (`add`, `delete` and `update`) on relation and entity types. |
70 (`add`, `delete` and `update`) on relation and entity types. |
71 |
71 |
72 RQL expression for entity type permission : |
72 RQL expression for entity type permission : |
73 |
73 |
74 * you have to use the class `ERQLExpression` |
74 * you have to use the class `ERQLExpression` |
77 |
77 |
78 * in this expression, the variables X and U are pre-defined references |
78 * in this expression, the variables X and U are pre-defined references |
79 respectively on the current entity (on which the action is verified) and |
79 respectively on the current entity (on which the action is verified) and |
80 on the user who send the request |
80 on the user who send the request |
81 |
81 |
82 * it is possible to use, in this expression, a special relation |
82 * it is possible to use, in this expression, a special relation |
83 "has_<ACTION>_permission" where the subject is the user and the |
83 "has_<ACTION>_permission" where the subject is the user and the |
84 object is a any variable, meaning that the user needs to have |
84 object is a any variable, meaning that the user needs to have |
85 permission to execute the action <ACTION> on the entities related |
85 permission to execute the action <ACTION> on the entities related |
86 to this variable |
86 to this variable |
87 |
87 |
88 For RQL expressions on a relation type, the principles are the same except |
88 For RQL expressions on a relation type, the principles are the same except |
89 for the following : |
89 for the following : |
90 |
90 |
91 * you have to use the class `RQLExpression` in the case of a non-final relation |
91 * you have to use the class `RRQLExpression` in the case of a non-final relation |
92 |
92 |
93 * in the expression, the variables S, O and U are pre-defined references |
93 * in the expression, the variables S, O and U are pre-defined references |
94 to respectively the subject and the object of the current relation (on |
94 to respectively the subject and the object of the current relation (on |
95 which the action is being verified) and the user who executed the query |
95 which the action is being verified) and the user who executed the query |
96 |
96 |
97 * we can also defined rights on attributes of an entity (non-final relation), |
97 * we can also define rights on attributes of an entity (non-final |
98 knowing that : |
98 relation), knowing that : |
99 |
99 |
100 - to defines RQL expression, we have to use the class `ERQLExpression` |
100 - to define RQL expression, we have to use the class |
101 in which X represents the entity the attribute belongs to |
101 `ERQLExpression` in which X represents the entity the attribute |
|
102 belongs to |
102 |
103 |
103 - the permissions `add` and `delete` are equivalent. Only `add`/`read` |
104 - the permissions `add` and `delete` are equivalent. Only `add`/`read` |
104 are actually taken in consideration. |
105 are actually taken in consideration. |
105 |
106 |
106 In addition to that the entity type `EPermission` from the standard library |
107 In addition to that the entity type `EPermission` from the standard library |
107 allow to build very complex and dynamic security architecture. The schema of |
108 allows to build very complex and dynamic security architecture. The schema of |
108 this entity type is as follow : :: |
109 this entity type is as follow : :: |
109 |
110 |
110 class EPermission(MetaEntityType): |
111 class CWPermission(EntityType): |
111 """entity type that may be used to construct some advanced security configuration |
112 """entity type that may be used to construct some advanced security configuration |
112 """ |
113 """ |
113 name = String(required=True, indexed=True, internationalizable=True, maxsize=100) |
114 permissions = META_ETYPE_PERMS |
114 require_group = SubjectRelation('EGroup', cardinality='+*', |
115 |
115 description=_('groups to which the permission is granted')) |
116 name = String(required=True, indexed=True, internationalizable=True, maxsize=100, |
116 require_state = SubjectRelation('State', |
117 description=_('name or identifier of the permission')) |
117 description=_("entity'state in which the permission is applicable")) |
118 label = String(required=True, internationalizable=True, maxsize=100, |
118 # can be used on any entity |
119 description=_('distinct label to distinguate between other permission entity of the same name')) |
119 require_permission = ObjectRelation('**', cardinality='*1', composite='subject', |
120 require_group = SubjectRelation('CWGroup', |
120 description=_("link a permission to the entity. This " |
121 description=_('groups to which the permission is granted')) |
121 "permission should be used in the security " |
122 |
122 "definition of the entity's type to be useful.")) |
123 # explicitly add X require_permission CWPermission for each entity that should have |
|
124 # configurable security |
|
125 class require_permission(RelationType): |
|
126 """link a permission to the entity. This permission should be used in the |
|
127 security definition of the entity's type to be useful. |
|
128 """ |
|
129 permissions = { |
|
130 'read': ('managers', 'users', 'guests'), |
|
131 'add': ('managers',), |
|
132 'delete': ('managers',), |
|
133 } |
|
134 |
|
135 class require_group(RelationType): |
|
136 """used to grant a permission to a group""" |
|
137 permissions = { |
|
138 'read': ('managers', 'users', 'guests'), |
|
139 'add': ('managers',), |
|
140 'delete': ('managers',), |
|
141 } |
123 |
142 |
124 |
143 |
125 Example of configuration :: |
144 Example of configuration :: |
126 |
145 |
127 |
146 |
149 RRQLExpression('O require_permission P, P name "add_version",' |
168 RRQLExpression('O require_permission P, P name "add_version",' |
150 'U in_group G, P require_group G'),) |
169 'U in_group G, P require_group G'),) |
151 } |
170 } |
152 inlined = True |
171 inlined = True |
153 |
172 |
154 This configuration indicates that an entity `EPermission` named |
173 This configuration indicates that an entity `CWPermission` named |
155 "add_version" can be associated to a project and provides rights to create |
174 "add_version" can be associated to a project and provides rights to create |
156 new versions on this project to specific groups. It is important to notice that : |
175 new versions on this project to specific groups. It is important to notice that : |
157 |
176 |
158 * in such case, we have to protect both the entity type "Version" and the relation |
177 * in such case, we have to protect both the entity type "Version" and the relation |
159 associating a version to a project ("version_of") |
178 associating a version to a project ("version_of") |
160 |
179 |
161 * because of the genricity of the entity type `EPermission`, we have to execute |
180 * because of the genericity of the entity type `CWPermission`, we have to execute |
162 a unification with the groups and/or the states if necessary in the expression |
181 a unification with the groups and/or the states if necessary in the expression |
163 ("U in_group G, P require_group G" in the above example) |
182 ("U in_group G, P require_group G" in the above example) |
164 |
183 |
165 Use of RQL expression for reading rights |
184 Use of RQL expression for reading rights |
166 ```````````````````````````````````````` |
185 ```````````````````````````````````````` |
174 |
193 |
175 Note on the use of RQL expression for `add` permission |
194 Note on the use of RQL expression for `add` permission |
176 `````````````````````````````````````````````````````` |
195 `````````````````````````````````````````````````````` |
177 Potentially, the use of an RQL expression to add an entity or a relation |
196 Potentially, the use of an RQL expression to add an entity or a relation |
178 can cause problems for the user interface, because if the expression uses |
197 can cause problems for the user interface, because if the expression uses |
179 the entity or the relation to create, then we are not able to verify the |
198 the entity or the relation to create, then we are not able to verify the |
180 permissions before we actually add the entity (please note that this is |
199 permissions before we actually add the entity (please note that this is |
181 not a problem for the RQL server at all, because the permissions checks are |
200 not a problem for the RQL server at all, because the permissions checks are |
182 done after the creation). In such case, the permission check methods |
201 done after the creation). In such case, the permission check methods |
183 (check_perm, has_perm) can indicate that the user is not allowed to create |
202 (check_perm, has_perm) can indicate that the user is not allowed to create |
184 this entity but can obtain the permission. |
203 this entity but can obtain the permission. |
|
204 |
185 To compensate this problem, it is usually necessary, for such case, |
205 To compensate this problem, it is usually necessary, for such case, |
186 to use an action that reflects the schema permissions but which enables |
206 to use an action that reflects the schema permissions but which enables |
187 to check properly the permissions so that it would show up if necessary. |
207 to check properly the permissions so that it would show up if necessary. |
188 |
208 |