diff -r bf3453789887 -r 70d47389630c schema.py
--- a/schema.py Thu Feb 11 12:19:08 2010 +0100
+++ b/schema.py Mon Feb 15 18:44:47 2010 +0100
@@ -283,22 +283,10 @@
 isinstance(group_or_rqlexpr, RQLExpression):
 msg = "can't use rql expression for read permission of %s"
 raise BadSchemaDefinition(msg % self)
- elif self.final and isinstance(group_or_rqlexpr, RRQLExpression):
- if schema.reading_from_database:
- # we didn't have final relation earlier, so turn
- # RRQLExpression into ERQLExpression now
- rqlexpr = group_or_rqlexpr
- newrqlexprs = [x for x in self.get_rqlexprs(action)
- if not x is rqlexpr]
- newrqlexprs.append(ERQLExpression(rqlexpr.expression,
- rqlexpr.mainvars,
- rqlexpr.eid))
- self.set_rqlexprs(action, newrqlexprs)
- else:
- msg = "can't use RRQLExpression on %s, use an ERQLExpression"
- raise BadSchemaDefinition(msg % self)
- elif not self.final and \
- isinstance(group_or_rqlexpr, ERQLExpression):
+ if self.final and isinstance(group_or_rqlexpr, RRQLExpression):
+ msg = "can't use RRQLExpression on %s, use an ERQLExpression"
+ raise BadSchemaDefinition(msg % self)
+ if not self.final and isinstance(group_or_rqlexpr, ERQLExpression):
 msg = "can't use ERQLExpression on %s, use a RRQLExpression"
 raise BadSchemaDefinition(msg % self)
 RelationDefinitionSchema.check_permission_definitions = check_permission_definitions
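Review bot: Dropping the `schema.reading_from_database` branch means a final relation that still carries an RRQLExpression in an already-stored schema now raises BadSchemaDefinition instead of being converted, and nothing in this hunk shows a migration that rewrites such definitions first. If that conversion now happens elsewhere, a comment above the first new `if` should say so, for example `# RRQLExpression on final relations is converted by <migration step> before this check runs`. The two new messages also omit the action being checked, unlike the read-permission message just above them; passing the action into the message would make a rejected permission definition much easier to locate. The enclosing function starts before the hunk.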
@@ -314,13 +302,14 @@
 if eid is None and edef is not None:
 eid = getattr(edef, 'eid', None)
 self.eid = eid
- # take care: no _groups attribute when deep-copying
- if getattr(self, 'permissions', None):
- for groups in self.permissions.itervalues():
- for group_or_rqlexpr in groups:
- if isinstance(group_or_rqlexpr, RRQLExpression):
- msg = "can't use RRQLExpression on an entity type, use an ERQLExpression (%s)"
- raise BadSchemaDefinition(msg % self.type)
+
+ def check_permission_definitions(self):
+ super(CubicWebEntitySchema, self).check_permission_definitions()
+ for groups in self.permissions.itervalues():
+ for group_or_rqlexpr in groups:
+ if isinstance(group_or_rqlexpr, RRQLExpression):
+ msg = "can't use RRQLExpression on %s, use an ERQLExpression"
+ raise BadSchemaDefinition(msg % self.type)
 def attribute_definitions(self):
 """return an iterator on attribute definitions
@@ -426,14 +415,24 @@
 def has_perm(self, session, action, **kwargs):
 """return true if the action is granted globaly or localy"""
- if 'fromeid' in kwargs:
- subjtype = session.describe(kwargs['fromeid'])[0]
+ if self.final:
+ assert not ('fromeid' in kwargs or 'toeid' in kwargs), kwargs
+ assert action in ('read', 'update')
+ if 'eid' in kwargs:
+ subjtype = session.describe(kwargs['eid'])[0]
+ else:
+ subjtype = objtype = None
 else:
- subjtype = None
- if 'toeid' in kwargs:
- objtype = session.describe(kwargs['toeid'])[0]
- else:
- objtype = None
+ assert not 'eid' in kwargs, kwargs
+ assert action in ('read', 'add', 'delete')
+ if 'fromeid' in kwargs:
+ subjtype = session.describe(kwargs['fromeid'])[0]
+ else:
+ subjtype = None
+ if 'toeid' in kwargs:
+ objtype = session.describe(kwargs['toeid'])[0]
+ else:
+ objtype = None
 if objtype and subjtype:
 return self.rdef(subjtype, objtype).has_perm(session, action, **kwargs)
 elif subjtype:
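Review bot: The RRQLExpression check on entity types used to run in the constructor and now runs only when `check_permission_definitions()` is called, so an entity schema that is built and used without that call is no longer validated; whether every schema load path makes the call is not visible from this hunk. The new method has no docstring, and one such as `"""check permission definitions; entity types only accept ERQLExpression"""` would record that contract. The loop iterates `self.permissions.itervalues()` and so loses the action name; iterating `iteritems()` and adding the action to the message would tell the schema author which permission is wrong.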
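Review bot: In the `self.final` branch of `has_perm`, `objtype` is assigned only when `'eid'` is absent, so a call with `eid=...` reaches `if objtype and subjtype:` with `objtype` unbound and raises UnboundLocalError instead of returning a permission decision. Adding `objtype = None` next to `subjtype = session.describe(kwargs['eid'])[0]` fixes it. The argument and action checks are written as `assert`, which Python removes under `-O`; since they guard a permission check, an explicit `raise ValueError(...)` (or the project's own error type) would keep them in force in optimized runs. The body of `has_perm` continues past the end of the hunk.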
@@ -919,6 +918,11 @@
 kwargs['o'] = toeid
 return self._check(session, **kwargs)
+# in yams, default 'update' perm for attributes granted to managers and owners.
+# Within cw, we want to default to users who may edit the entity holding the
+# attribute.
+ybo.DEFAULT_ATTRPERMS['update'] = (
+ 'managers', ERQLExpression('U has_update_permission X'))
 # workflow extensions #########################################################
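Review bot: Assigning `ybo.DEFAULT_ATTRPERMS['update']` at module level changes a dictionary owned by yams as a side effect of importing this file, so the default an attribute gets depends on whether its definition was built before or after this import. The comment explains the intent but not that ordering requirement; a line such as `# NOTE: must run before any attribute definition is instantiated, the default is read at definition time` would help, if that is indeed how yams consumes the default. The tuple also holds a single `ERQLExpression` instance, which presumably ends up shared by every attribute that takes the default, so it is worth confirming that no code mutates an expression in place (for example by setting its `eid`).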