# HG changeset patch
# User Sylvain Thénault
# Date 1295026306 -3600
# Node ID 7a19a4f65573b8c6c85b53c5858c0dcd5e5643d3
# Parent 43d70b3fdcb5d701b34a5a919a9d3b5c8564c2bb
[doc] fix security bug in photo web site tutorial

diff -r 43d70b3fdcb5 -r 7a19a4f65573 doc/book/en/tutorials/advanced/index.rst
--- a/doc/book/en/tutorials/advanced/index.rst	Fri Jan 14 18:30:42 2011 +0100
+++ b/doc/book/en/tutorials/advanced/index.rst	Fri Jan 14 18:31:46 2011 +0100
@@ -226,6 +226,12 @@
         cardinality = '11' # required
 
     class may_be_read_by(RelationDefinition):
+        __permissions__ = {
+            'read': ('managers', 'users'),
+            'add': ('managers',),
+            'delete': ('managers',),
+        }
+
         subject = ('Folder', 'File', 'Image', 'Comment',)
         object = 'CWUser'
 
@@ -241,6 +247,9 @@
 
 * the `parent` possible value will be used for visibility propagation
 
+* think to secure the `may_be_read_by` permissions, else any user can add/delte it
+  by default, which somewhat breaks our security model...
+
 Now, we should be able to define security rules in the schema, based on these new
 attribute and relation. Here is the code to add to *schema.py*:
 