# HG changeset patch
# User Sylvain Thénault <sylvain.thenault@logilab.fr>
# Date 1326302961 -3600
# Node ID 2ee254e74382a7b1e82acdc761d5750df79e370b
# Parent  f47252e243543e65c00d4548cdb58a544db06bda
[schema] restrictive email address read permission. Closes #2148141

You may have to update your application schema if you were based on previous settings!

diff -r f47252e24354 -r 2ee254e74382 doc/3.15.rst
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/3.15.rst	Wed Jan 11 18:29:21 2012 +0100
@@ -0,0 +1,33 @@
+Whats new in CubicWeb 3.15
+==========================
+
+
+API changes
+-----------
+
+
+
+Unintrusive API changes
+-----------------------
+
+
+
+RQL
+---
+
+
+
+User interface changes
+----------------------
+
+
+
+Configuration
+-------------
+
+Base schema changes
+-------------------
+Email address 'read' permission is now more restrictive: only managers and
+users to which an address belong may see them. Application that wish other
+settings should set them explicitly.
+
diff -r f47252e24354 -r 2ee254e74382 misc/migration/3.15.0_Any.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/misc/migration/3.15.0_Any.py	Wed Jan 11 18:29:21 2012 +0100
@@ -0,0 +1,1 @@
+sync_schema_props_perms('EmailAddress')
diff -r f47252e24354 -r 2ee254e74382 schemas/base.py
--- a/schemas/base.py	Tue Jan 10 16:33:27 2012 +0100
+++ b/schemas/base.py	Wed Jan 11 18:29:21 2012 +0100
@@ -51,7 +51,9 @@
 class EmailAddress(EntityType):
     """an electronic mail address associated to a short alias"""
     __permissions__ = {
-        'read':   ('managers', 'users', 'guests',), # XXX if P use_email X, U has_read_permission P
+        # application that wishes public email, or use it for something else
+        # than users (eg Company, Person), should explicitly change permissions
+        'read':   ('managers', ERQLExpression('U use_email X')),
         'add':    ('managers', 'users',),
         'delete': ('managers', 'owners', ERQLExpression('P use_email X, U has_update_permission P')),
         'update': ('managers', 'owners', ERQLExpression('P use_email X, U has_update_permission P')),