diff -r b217635d3b28 -r c000e41316ec doc/book/en/devrepo/datamodel/definition.rst --- a/doc/book/en/devrepo/datamodel/definition.rst Wed Aug 18 13:58:12 2010 +0200 +++ b/doc/book/en/devrepo/datamodel/definition.rst Wed Aug 18 16:53:05 2010 +0200 @@ -412,6 +412,46 @@ * special relations "has__permission" can not be used +Important notes about write permissions checking +```````````````````````````````````````````````` + +Write permissions (e.g. 'add', 'update', 'delete') are checked in core hooks. + +When a permission is checked slightly vary according to if it's an entity or +relation, and if the relation is an attribute relation or not). It's important to +understand that since according to when a permission is checked, values returned +by rql expressions may changes, hence the permission being granted or not. + +Here are the current rules: + +1. permission to add/update entity and its attributes are checked: + + - on commit if the entity has been added + + - in an 'after_update_entity' hook if the entity has been updated. If it fails + at this time, it will be retried on commit (hence you get the permission if + you have it just after the modification or *at* commit time) + +2. permission to delete an entity is checked in 'before_delete_entity' hook + +3. permission to add a relation is checked either: + + - in 'before_add_relation' hook if the relation type is in the + `BEFORE_ADD_RELATIONS` set + + - else at commit time if the relation type is in the `ON_COMMIT_ADD_RELATIONS` + set + + - else in 'after_add_relation' hook (the default) + +4. permission to delete a relation is checked in 'before_delete_relation' hook + +Last but not least, remember queries issued from hooks and operation are by +default 'unsafe', eg there are no read or write security checks. + +See :mod:`cubicweb.hooks.security` for more details. + + .. _yams_example: Defining your schema using yams
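Review bot: the paragraph opening "When a permission is checked slightly vary according to if it's an entity or relation, and if the relation is an attribute relation or not)." is ungrammatical and has an unbalanced closing parenthesis; suggest "When a permission is checked varies slightly depending on whether the target is an entity or a relation, and whether the relation is an attribute relation or not." and likewise "values returned by rql expressions may changes" should read "may change". In rule 1, the sentence "hence you get the permission if you have it just after the modification or *at* commit time" states the security-relevant consequence only in passing: because the 'after_update_entity' check is retried on commit, an update is accepted if *either* check passes, so an RQL expression that fails right after the update can still succeed once later modifications in the same transaction have been applied. That is worth calling out explicitly so hook and schema authors do not assume a single atomic check. Finally, "queries issued from hooks and operation are by default 'unsafe', eg there are no read or write security checks" should be "hooks and operations" with "e.g." spelled out, and since this is the one place the section tells hook authors that their queries bypass security entirely, it would help to add that any user-supplied values reaching such queries must therefore be validated by the hook itself, and to mention how a hook opts back into checked execution, since the page only points at :mod:`cubicweb.hooks.security` without saying.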