diff -r 8968c50818db -r 43c14e0e8972 server/securityhooks.py --- a/server/securityhooks.py Fri Feb 12 12:57:14 2010 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,106 +0,0 @@ -"""Security hooks: check permissions to add/delete/update entities according to -the user connected to a session - -:organization: Logilab -:copyright: 2001-2010 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2. -:contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr -:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses -""" -__docformat__ = "restructuredtext en" - -from cubicweb import Unauthorized -from cubicweb.server.pool import LateOperation -from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS - -def check_entity_attributes(session, entity): - eid = entity.eid - eschema = entity.e_schema - # ._default_set is only there on entity creation to indicate unspecified - # attributes which has been set to a default value defined in the schema - defaults = getattr(entity, '_default_set', ()) - try: - editedattrs = entity.edited_attributes - except AttributeError: - editedattrs = entity.keys() - for attr in editedattrs: - if attr in defaults: - continue - rschema = eschema.subjrels[attr] - if rschema.final: # non final relation are checked by other hooks - # add/delete should be equivalent (XXX: unify them into 'update' ?) - rschema.check_perm(session, 'add', eid) - - -class CheckEntityPermissionOp(LateOperation): - def precommit_event(self): - #print 'CheckEntityPermissionOp', self.session.user, self.entity, self.action - self.entity.check_perm(self.action) - check_entity_attributes(self.session, self.entity) - - def commit_event(self): - pass - - -class CheckRelationPermissionOp(LateOperation): - def precommit_event(self): - self.rschema.check_perm(self.session, self.action, self.fromeid, self.toeid) - - def commit_event(self): - pass - -def after_add_entity(session, entity): - if not session.is_super_session: - CheckEntityPermissionOp(session, entity=entity, action='add') - -def after_update_entity(session, entity): - if not session.is_super_session: - try: - # check user has permission right now, if not retry at commit time - entity.check_perm('update') - check_entity_attributes(session, entity) - except Unauthorized: - entity.clear_local_perm_cache('update') - CheckEntityPermissionOp(session, entity=entity, action='update') - -def before_del_entity(session, eid): - if not session.is_super_session: - eschema = session.repo.schema[session.describe(eid)[0]] - eschema.check_perm(session, 'delete', eid) - - -def before_add_relation(session, fromeid, rtype, toeid): - if rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: - nocheck = session.transaction_data.get('skip-security', ()) - if (fromeid, rtype, toeid) in nocheck: - return - rschema = session.repo.schema[rtype] - rschema.check_perm(session, 'add', fromeid, toeid) - -def after_add_relation(session, fromeid, rtype, toeid): - if not rtype in BEFORE_ADD_RELATIONS and not session.is_super_session: - nocheck = session.transaction_data.get('skip-security', ()) - if (fromeid, rtype, toeid) in nocheck: - return - rschema = session.repo.schema[rtype] - if rtype in ON_COMMIT_ADD_RELATIONS: - CheckRelationPermissionOp(session, action='add', rschema=rschema, - fromeid=fromeid, toeid=toeid) - else: - rschema.check_perm(session, 'add', fromeid, toeid) - -def before_del_relation(session, fromeid, rtype, toeid): - if not session.is_super_session: - nocheck = session.transaction_data.get('skip-security', ()) - if (fromeid, rtype, toeid) in nocheck: - return - session.repo.schema[rtype].check_perm(session, 'delete', fromeid, toeid) - -def register_security_hooks(hm): - """register meta-data related hooks on the hooks manager""" - hm.register_hook(after_add_entity, 'after_add_entity', '') - hm.register_hook(after_update_entity, 'after_update_entity', '') - hm.register_hook(before_del_entity, 'before_delete_entity', '') - hm.register_hook(before_add_relation, 'before_add_relation', '') - hm.register_hook(after_add_relation, 'after_add_relation', '') - hm.register_hook(before_del_relation, 'before_delete_relation', '') -