--- a/hooks/security.py Sun Mar 21 18:21:27 2010 +0100
+++ b/hooks/security.py Mon Mar 22 17:58:03 2010 +0100
@@ -16,17 +16,20 @@
def check_entity_attributes(session, entity, editedattrs=None):
eid = entity.eid
eschema = entity.e_schema
- # ._default_set is only there on entity creation to indicate unspecified
- # attributes which has been set to a default value defined in the schema
- defaults = getattr(entity, '_default_set', ())
+ # .skip_security_attributes is there to bypass security for attributes
+ # set by hooks by modifying the entity's dictionnary
+ dontcheck = entity.skip_security_attributes
if editedattrs is None:
try:
editedattrs = entity.edited_attributes
except AttributeError:
- editedattrs = entity
+ editedattrs = entity # XXX unexpected
for attr in editedattrs:
- if attr in defaults:
+ try:
+ dontcheck.remove(attr)
continue
+ except KeyError:
+ pass
rdef = eschema.rdef(attr)
if rdef.final: # non final relation are checked by other hooks
# add/delete should be equivalent (XXX: unify them into 'update' ?)
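Review bot: Entries in `entity.skip_security_attributes` are consumed only for attributes this loop actually visits, so a name left behind (for example when a caller passes a narrower `editedattrs`) would appear to exempt that attribute from the permission check on a later edit of the same entity. Where the set is filled and reset is not visible in this hunk, so this is an inference. The comment above `dontcheck` should state the lifecycle, e.g. `# one-shot: a name is removed when its check is skipped; hooks must not leave stale names behind`, or leftovers should be discarded once the loop ends. The direct read also drops the fallback the old `getattr(entity, '_default_set', ())` had, so unless every entity class defines the attribute this raises AttributeError; `dontcheck = getattr(entity, 'skip_security_attributes', set())` keeps every attribute checked in that case. The body of check_entity_attributes continues past the end of the hunk.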