hooks/security.py
changeset 4970 1f3d8946ea84
parent 4835 13b0b96d7982
child 4999 221f76e14eea
--- a/hooks/security.py	Sun Mar 21 18:21:27 2010 +0100
+++ b/hooks/security.py	Mon Mar 22 17:58:03 2010 +0100
@@ -16,17 +16,20 @@
 def check_entity_attributes(session, entity, editedattrs=None):
     eid = entity.eid
     eschema = entity.e_schema
-    # ._default_set is only there on entity creation to indicate unspecified
-    # attributes which has been set to a default value defined in the schema
-    defaults = getattr(entity, '_default_set', ())
+    # .skip_security_attributes is there to bypass security for attributes
+    # set by hooks by modifying the entity's dictionnary
+    dontcheck = entity.skip_security_attributes
     if editedattrs is None:
         try:
             editedattrs = entity.edited_attributes
         except AttributeError:
-            editedattrs = entity
+            editedattrs = entity # XXX unexpected
     for attr in editedattrs:
-        if attr in defaults:
+        try:
+            dontcheck.remove(attr)
             continue
+        except KeyError:
+            pass
         rdef = eschema.rdef(attr)
         if rdef.final: # non final relation are checked by other hooks
             # add/delete should be equivalent (XXX: unify them into 'update' ?)
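Review bot: The bypass at `dontcheck.remove(attr)` is keyed on the attribute name alone and is consumed only when that name appears in `editedattrs`, so a name a hook left in `entity.skip_security_attributes` that is not part of this pass stays in the set and would exempt a later edit of the same attribute from the permission check. Nothing in the hunk shows where the set is reset; if no caller does so, consider clearing what remains once the loop finishes (`dontcheck.clear()`), or at least state the lifetime in the comment, e.g. `# names are consumed on first check; the set must be empty again once the operation completes`. The direct `entity.skip_security_attributes` access also drops the `getattr(..., ())` fallback the old code had, and `except KeyError` assumes a set (a list would raise ValueError), so both rely on the entity class defining the attribute as a set, which is outside this hunk. The body of check_entity_attributes continues past the end of the hunk.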