diff -r 1340f14c38c9 -r 80dc2135bf5f hooks/security.py
--- a/hooks/security.py	Fri Jun 04 13:08:28 2010 +0200
+++ b/hooks/security.py	Fri Jun 04 13:09:12 2010 +0200
@@ -26,7 +26,7 @@
 from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook
 
 
-def check_entity_attributes(session, entity, editedattrs=None):
+def check_entity_attributes(session, entity, editedattrs=None, creation=False):
     eid = entity.eid
     eschema = entity.e_schema
     # .skip_security_attributes is there to bypass security for attributes
@@ -43,6 +43,8 @@
         rdef = eschema.rdef(attr)
         if rdef.final: # non final relation are checked by other hooks
             # add/delete should be equivalent (XXX: unify them into 'update' ?)
+            if creation and not rdef.permissions.get('update'):
+                continue
             rdef.check_perm(session, 'update', eid=eid)
             # don't update dontcheck until everything went fine: see usage in
             # after_update_entity, where if we got an Unauthorized at hook time, we will
@@ -58,7 +60,8 @@
         entity = session.entity_from_eid(values[0])
         action = values[1]
         entity.check_perm(action)
-        check_entity_attributes(session, entity, values[2:])
+        check_entity_attributes(session, entity, values[2:],
+                                creation=self.creation)
 
     def commit_event(self):
         pass
@@ -95,7 +98,7 @@
     def __call__(self):
         hook.set_operation(self._cw, 'check_entity_perm_op',
                            (self.entity.eid, 'add') + tuple(self.entity.edited_attributes),
-                           _CheckEntityPermissionOp)
+                           _CheckEntityPermissionOp, creation=True)
 
 
 class AfterUpdateEntitySecurityHook(SecurityHook):
@@ -114,7 +117,7 @@
         # overwritten
         hook.set_operation(self._cw, 'check_entity_perm_op',
                            (self.entity.eid, 'update') + tuple(self.entity.edited_attributes),
-                           _CheckEntityPermissionOp)
+                           _CheckEntityPermissionOp, creation=False)
 
 
 class BeforeDelEntitySecurityHook(SecurityHook):
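Review bot: The new `if creation and not rdef.permissions.get('update'): continue` skips the attribute permission check both when the 'update' key is absent from the rdef's permissions and when it is an explicit empty tuple, so a schema that simply forgot to declare 'update' gets the same silent bypass at creation as a deliberately read-only attribute. The bypass is only sound because the caller runs `entity.check_perm(action)` on the entity first (visible in the next hunk), which is not said anywhere near this line. I would make the intent and the precondition explicit with a comment such as `# at creation time an attribute nobody may update (empty 'update' permission) is authorised by the entity-level 'add' check alone, which the caller must have done already`, and document the new `creation` parameter in check_entity_attributes's docstring. The enclosing loop and function start outside this hunk.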
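Review bot: `creation=self.creation` is a per-operation flag, but each value handled here carries its own action (`action = values[1]`, 'add' or 'update'), and both hooks register under the same data key `'check_entity_perm_op'`; if, as that suggests, one operation instance collects add and update entries from the same transaction, then the first hook to register decides `self.creation` for every entry, and an update processed with creation=True would skip the 'update' permission check on attributes that are meant to be read-only after creation (or, the other way round, a creation would be refused). Deriving the flag from the value itself removes the ambiguity: `check_entity_attributes(session, entity, values[2:], creation=(action == 'add'))`, after which the `creation=True`/`creation=False` keyword arguments passed to `hook.set_operation` in the two later hunks are no longer needed. Whether set_operation forwards extra keyword arguments only on first creation of the operation is not visible here and should be confirmed. The enclosing method of _CheckEntityPermissionOp starts outside this hunk.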