schemas/__init__.py
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Wed, 27 Jan 2010 09:56:16 +0100
changeset 4388 15c6607c4bda
parent 4243 2621de25d15a
child 4754 6bf17f810975
permissions -rw-r--r--
[forms] propagate arguments given to .vocabulary to .choices if it's a callable. So we can properly use vocabulary(limit=xxx) in places where we used to call .choices(limit), since field.choices is not meant to be accessed directly. Also, document expected behaviour for custom choices method for relation fields.

"""some utilities to define schema permissions

:organization: Logilab
:copyright: 2008 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr
"""
__docformat__ = "restructuredtext en"

from rql.utils import quote
from cubicweb.schema import ERQLExpression, RRQLExpression

# Permissions for "meta" entity types: readable by anyone; only managers may
# add or delete them, while both managers and owners may update them.
META_ETYPE_PERMS = dict(
    read=('managers', 'users', 'guests'),
    add=('managers',),
    delete=('managers',),
    update=('managers', 'owners'),
)

# Permissions for "meta" relation types: readable by anyone; only managers
# may add or delete them.
META_RTYPE_PERMS = dict(
    read=('managers', 'users', 'guests'),
    add=('managers',),
    delete=('managers',),
)

# Permissions for relation types that should only be set by hooks using
# unsafe execute: readable by anyone, and no group at all is listed for
# 'add' or 'delete' (both are empty tuples).
HOOKS_RTYPE_PERMS = dict(
    read=('managers', 'users', 'guests'),
    add=(),
    delete=(),
)

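def _perm(names):
    """Return the RQL fragment requiring one of the named permissions.

    The fragment starts with a space and does not name the variable that
    must hold the permission: callers prepend it (e.g. ``'X' + _perm(...)``).
    Every permission name goes through ``quote`` before it is placed in the
    fragment, so names are never interpolated raw.

    :param names: a single permission name, or a list/tuple of names
    :return: unicode RQL fragment using the variables ``P`` and ``U``
    :raise ValueError: if `names` is an empty list or tuple
    """
    if isinstance(names, (list, tuple)):
        if not names:
            # An empty sequence would otherwise render as ``P name IN ()``,
            # a permission clause that names no permission at all; reject it
            # here so a misdeclared schema fails loudly at definition time.
            raise ValueError('at least one permission name is required')
        if len(names) == 1:
            # single name: plain equality instead of a one-element IN list
            condition = quote(names[0])
        else:
            condition = 'IN (%s)' % ','.join(quote(name) for name in names)
    else:
        condition = quote(names)
    # alternative formulation left disabled in the original source:
    #return u' require_permission P, P name %s, U in_group G, P require_group G' % names
    return u' require_permission P, P name %s, U has_group_permission P' % condition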


def xperm(*names):
    """Return the RQL string requiring one of `names` on variable ``X``.

    :param names: permission names, quoted by ``_perm``
    :return: ``'X'`` followed by the fragment built by ``_perm``
    """
    requirement = _perm(names)
    return 'X' + requirement

def xexpr(*names):
    """Return an ``ERQLExpression`` built from ``xperm(*names)``.

    :param names: permission names required on ``X``
    """
    rql = xperm(*names)
    return ERQLExpression(rql)

def xrexpr(relation, *names):
    """Return an ``ERQLExpression`` requiring a permission on ``Y``, with
    ``X relation Y``.

    Only `names` are quoted (by ``_perm``); `relation` is inserted into the
    RQL text verbatim, so it must be a relation type name written by the
    schema author, never a value taken from request data.

    :param relation: relation type linking ``X`` (subject) to ``Y`` (object)
    :param names: permission names required on ``Y``
    """
    requirement = _perm(names)
    rql = 'X %s Y, Y %s' % (relation, requirement)
    return ERQLExpression(rql)

def xorexpr(relation, etype, *names):
    """Return an ``ERQLExpression`` requiring a permission on ``Y``, with
    ``Y relation X`` and ``X is etype``.

    Only `names` are quoted (by ``_perm``); `relation` and `etype` are
    inserted into the RQL text verbatim, so both must be identifiers written
    by the schema author, never values taken from request data.

    :param relation: relation type linking ``Y`` (subject) to ``X`` (object)
    :param etype: entity type that ``X`` is restricted to
    :param names: permission names required on ``Y``
    """
    requirement = _perm(names)
    rql = 'Y %s X, X is %s, Y %s' % (relation, etype, requirement)
    return ERQLExpression(rql)


def sexpr(*names):
    """Return an ``RRQLExpression`` requiring one of `names` on ``S``.

    ``'S'`` is also passed as the second argument of ``RRQLExpression``.

    :param names: permission names required on ``S``
    """
    rql = 'S' + _perm(names)
    return RRQLExpression(rql, 'S')

def restricted_sexpr(restriction, *names):
    """Return an ``RRQLExpression`` combining `restriction` with a
    permission requirement on ``S``.

    `restriction` is placed in front of the requirement, separated by
    ``', '``, and is inserted verbatim: unlike `names` it is not quoted, so
    it must be RQL written by the schema author.

    :param restriction: extra RQL restriction, used as is
    :param names: permission names required on ``S``
    """
    requirement = 'S' + _perm(names)
    return RRQLExpression('%s, %s' % (restriction, requirement), 'S')

def restricted_oexpr(restriction, *names):
    """Return an ``RRQLExpression`` combining `restriction` with a
    permission requirement on ``O``.

    `restriction` is placed in front of the requirement, separated by
    ``', '``, and is inserted verbatim: unlike `names` it is not quoted, so
    it must be RQL written by the schema author.

    :param restriction: extra RQL restriction, used as is
    :param names: permission names required on ``O``
    """
    requirement = 'O' + _perm(names)
    return RRQLExpression('%s, %s' % (restriction, requirement), 'O')

def oexpr(*names):
    """Return an ``RRQLExpression`` requiring one of `names` on ``O``.

    ``'O'`` is also passed as the second argument of ``RRQLExpression``.

    :param names: permission names required on ``O``
    """
    rql = 'O' + _perm(names)
    return RRQLExpression(rql, 'O')


# def supdate_perm():
#     return RRQLExpression('U has_update_permission S', 'S')

# def oupdate_perm():
#     return RRQLExpression('U has_update_permission O', 'O')

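def relxperm(rel, role, *names):
    """Return the RQL string requiring a permission on ``Z``, an entity
    linked to ``X`` through `rel`.

    The link is ``X rel Z`` when `role` is ``'subject'`` and ``Z rel X``
    when it is ``'object'``. Only `names` are quoted (by ``_perm``); `rel`
    is inserted verbatim, so it must be a relation type name written by the
    schema author.

    :param rel: relation type linking ``X`` and ``Z``
    :param role: ``'subject'`` or ``'object'``, the role of ``X`` in `rel`
    :param names: permission names required on ``Z``
    :raise AssertionError: if `role` is neither ``'subject'`` nor
      ``'object'``
    """
    if role not in ('subject', 'object'):
        # Raised explicitly instead of using an ``assert`` statement: asserts
        # are stripped under ``python -O``, and an unknown role would then
        # silently build the object-side expression. The exception type is
        # kept as AssertionError so callers see what they saw before.
        raise AssertionError(
            "role must be 'subject' or 'object', got %r" % (role,))
    if role == 'subject':
        link = ', X %s Z' % rel
    else:
        link = ', Z %s X' % rel
    return 'Z' + _perm(names) + link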

def relxexpr(rel, role, *names):
    """Return an ``ERQLExpression`` built from ``relxperm(rel, role, *names)``.

    :param rel: relation type linking ``X`` and ``Z``, inserted verbatim
    :param role: ``'subject'`` or ``'object'``, the role of ``X`` in `rel`
    :param names: permission names required on ``Z``
    """
    rql = relxperm(rel, role, *names)
    return ERQLExpression(rql)