[hooks/security] Streamline attributes default permission check.
The current default permission on attributes delegates the check to
the entity permission update policy.
Since that entity-level check has already been performed, the attribute-level check can be skipped.
The equality comparison will work, even with a deserialized schema,
because the default update perm is::
('managers', ERQLExpression(Any X WHERE U has_update_permission X, X eid %(x)s, U eid %(u)s))
which will always be deserialized in this order (groups first).
However this is a slight semantic change: entity type level 'update'
permissions can now be effectively used to encode update-time rules if
the default attribute permissions are used (before this change, the
'update' rules at entity type level were fired at creation time).
Closes #2930861.
import sys
# Optional repair pass: nothing is modified unless the operator confirms.
if confirm('fix some corrupted entities noticed on several instances?'):
    repair_queries = (
        # delete CWConstraint entities that nothing references through
        # constrained_by
        'DELETE CWConstraint X WHERE NOT E constrained_by X',
        # add is_instance_of wherever only the "is" relation is present
        'SET X is_instance_of Y WHERE X is Y, NOT X is_instance_of Y',
    )
    for repair_query in repair_queries:
        rql(repair_query)
    # both repairs are committed together
    commit()
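# Optional pass that rewrites cwuri values still containing an "/eid/" path
# segment; nothing is modified unless the operator confirms.
if confirm('fix existing cwuri?'):
    from logilab.common.shellutils import progress
    from cubicweb.server.session import hooks_control
    # select (eid, cwuri) pairs whose cwuri matches the "%/eid/%" pattern
    rset = rql('Any X, XC WHERE X cwuri XC, X cwuri ~= "%/eid/%"')
    title = "%i entities to fix" % len(rset)
    nbops = rset.rowcount
    enabled = interactive_mode
    with progress(title=title, nbops=nbops, size=30, enabled=enabled) as pb:
        for i, row in enumerate(rset):
            # NOTE(review): HOOKS_DENY_ALL with 'integrity' appears to leave
            # only the 'integrity' hook category active, so security and
            # metadata hooks would not run for this write -- confirm, and
            # run this script only from a trusted administrative session.
            with hooks_control(session, session.HOOKS_DENY_ALL, 'integrity'):
                # Strip only the "/eid/" segment the query selected on. A
                # bare "/eid" replacement would also rewrite URIs that
                # contain "/eid" elsewhere (e.g. a path starting with
                # "/eidos").
                data = {'eid': row[0], 'cwuri': row[1].replace(u'/eid/', u'/')}
                # values are passed as query arguments, not formatted into
                # the RQL string
                rql('SET X cwuri %(cwuri)s WHERE X eid %(eid)s', data)
            # NOTE(review): nesting of this periodic commit relative to the
            # hooks_control block is reconstructed -- confirm.
            if not i % 100:  # commit every 100 entities to limit memory consumption
                pb.text = "%i committed" % i
                commit(ask_confirm=False)
            pb.update()
    # final commit for the rows processed since the last periodic commit
    commit(ask_confirm=False)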
try:
    # The import is used as an availability probe only: when it raises
    # ImportError the option changes below are skipped.
    from cubicweb import devtools
    # NOTE(review): presumably records that the anonymous account options
    # moved from the 'main' to the 'web' configuration group -- confirm
    # against option_group_changed's definition.
    for option_name in ('anonymous-user', 'anonymous-password'):
        option_group_changed(option_name, 'main', 'web')
except ImportError:
    # cubicweb-dev unavailable, nothing needed
    pass