--- a/hooks/security.py Tue Jul 29 14:40:29 2014 +0200
+++ b/hooks/security.py Tue Jan 28 15:27:59 2014 +0100
@@ -1,4 +1,4 @@
-# copyright 2003-2013 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+# copyright 2003-2014 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
#
# This file is part of CubicWeb.
@@ -34,11 +34,15 @@
def check_entity_attributes(session, entity, action, editedattrs=None):
eid = entity.eid
eschema = entity.e_schema
+ if action == 'delete':
+ eschema.check_perm(session, action, eid=eid)
+ return
# ._cw_skip_security_attributes is there to bypass security for attributes
# set by hooks by modifying the entity's dictionary
if editedattrs is None:
editedattrs = entity.cw_edited
dontcheck = editedattrs.skip_security
+ etypechecked = False
for attr in editedattrs:
if attr in dontcheck:
continue
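Review bot: `check_entity_attributes` has no docstring, and with the early `return` for `'delete'` plus the new `etypechecked` flag it now also enforces entity-level permissions, which its name does not suggest. A short docstring should state that delete is checked against the entity schema only, and that add/update delegate to the entity rule at most once per call. The delete branch calls `eschema.check_perm(session, action, eid=eid)` where the caller in the last hunk used `entity.cw_check_perm(action)`; if the two are not equivalent, a comment should say why. The loop body continues outside this hunk.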
@@ -54,10 +58,10 @@
# implements comparison by rql expression.
if perms == buildobjs.DEFAULT_ATTRPERMS[action]:
# The default rule is to delegate to the entity
- # rule. This is an historical artefact. Hence we take
- # this object as a marker saying "no specific"
- # permission rule for this attribute. Thus we just do
- # nothing.
+ # rule. This needs to be checked only once.
+ if not etypechecked:
+ entity.cw_check_perm(action)
+ etypechecked = True
continue
if perms == ():
# That means an immutable attribute; as an optimization, avoid
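Review bot: The entity-level check added here runs only when the loop reaches an edited attribute whose permissions equal `buildobjs.DEFAULT_ATTRPERMS[action]`, while the last hunk removes the unconditional `entity.cw_check_perm(action)` from the operation. If `editedattrs` is empty, or every edited attribute is in `skip_security` or carries its own rule, an add or update appears to pass with no entity-level permission check at all. The end of the loop is outside this hunk, so this may already be handled there. If it is not, a fallback after the loop such as `if not etypechecked: entity.cw_check_perm(action)` would close the gap. A regression test that creates an entity whose attributes are all set by hooks would pin the behaviour.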
@@ -71,7 +75,6 @@
session = self.session
for eid, action, edited in self.get_data():
entity = session.entity_from_eid(eid)
- entity.cw_check_perm(action)
check_entity_attributes(session, entity, action, edited)