hooks/security.py
branchstable
changeset 5670 80dc2135bf5f
parent 5449 a7e1b316af03
child 5679 0f2ded880d01
child 5813 0b250d72fcfa
--- a/hooks/security.py	Fri Jun 04 13:08:28 2010 +0200
+++ b/hooks/security.py	Fri Jun 04 13:09:12 2010 +0200
@@ -26,7 +26,7 @@
 from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook
 
 
-def check_entity_attributes(session, entity, editedattrs=None):
+def check_entity_attributes(session, entity, editedattrs=None, creation=False):
     eid = entity.eid
     eschema = entity.e_schema
     # .skip_security_attributes is there to bypass security for attributes
@@ -43,6 +43,8 @@
         rdef = eschema.rdef(attr)
         if rdef.final: # non final relation are checked by other hooks
             # add/delete should be equivalent (XXX: unify them into 'update' ?)
+            if creation and not rdef.permissions.get('update'):
+                continue
             rdef.check_perm(session, 'update', eid=eid)
     # don't update dontcheck until everything went fine: see usage in
     # after_update_entity, where if we got an Unauthorized at hook time, we will
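Review bot: The new `continue` ahead of `rdef.check_perm` bypasses the attribute-level check on creation whenever `rdef.permissions.get('update')` is falsy, which covers both a missing key and an explicitly empty permission set (an attribute that nobody may modify once written); for such attributes the only remaining gate is the entity-level 'add' check done by the caller, which is outside this hunk. Nothing in the code states that this is the intended meaning, so I would add a comment above the new condition: `# on creation, attributes whose 'update' permission is absent or empty are settable; the entity-level 'add' permission checked by the caller is the gate for them`. It is also worth a docstring line on the new `creation` parameter (added in the previous hunk) saying that it relaxes, never tightens, the check. `check_entity_attributes` starts before this hunk and its body continues past it.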
@@ -58,7 +60,8 @@
             entity = session.entity_from_eid(values[0])
             action = values[1]
             entity.check_perm(action)
-            check_entity_attributes(session, entity, values[2:])
+            check_entity_attributes(session, entity, values[2:],
+                                    creation=self.creation)
 
     def commit_event(self):
         pass
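Review bot: `self.creation` is one flag for the whole operation, yet every queued tuple already carries its own action in `values[1]`, so deriving the flag per entry — `creation=(action == 'add')` — would be simpler and would not depend on how the operation was instantiated. If `set_operation` follows the usual cubicweb pattern of creating the operation object only the first time a datakey is seen in a transaction, the `creation=` kwarg passed by the add and update hooks is honoured only for whichever hook runs first, and a transaction that both creates and updates entities would apply the creation exemption (or withhold it) to all queued entries regardless of their action. With the per-entry form the two `creation=` kwargs in the later hunks become unnecessary. The enclosing method starts before this hunk.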
@@ -95,7 +98,7 @@
     def __call__(self):
         hook.set_operation(self._cw, 'check_entity_perm_op',
                            (self.entity.eid, 'add') + tuple(self.entity.edited_attributes),
-                           _CheckEntityPermissionOp)
+                           _CheckEntityPermissionOp, creation=True)
 
 
 class AfterUpdateEntitySecurityHook(SecurityHook):
@@ -114,7 +117,7 @@
             # overwritten
             hook.set_operation(self._cw, 'check_entity_perm_op',
                                (self.entity.eid, 'update') + tuple(self.entity.edited_attributes),
-                               _CheckEntityPermissionOp)
+                               _CheckEntityPermissionOp, creation=False)
 
 
 class BeforeDelEntitySecurityHook(SecurityHook):