# HG changeset patch # User Aurelien Campeas # Date 1380899149 -7200 # Node ID e1369f2dba79b3e74762f34219e5c51e1b51a502 # Parent 77e31ede9b048137999a3d5e1be5736801439fb3 [hooks/security] Defer entity permission checks to an Operation. Some of these checks may currently happen twice within the same transaction and be costly. This should be semantically safe. If people rely on some internal transaction ordering to be allowed early (thus pass) while the condition wouldn't be met at precommit time, their application is broken. It however seems unlikely to happen in the real life (tm). Closes #2932033 diff -r 77e31ede9b04 -r e1369f2dba79 doc/3.18.rst --- a/doc/3.18.rst Fri Oct 04 15:59:54 2013 +0200 +++ b/doc/3.18.rst Fri Oct 04 17:05:49 2013 +0200 @@ -11,6 +11,9 @@ API changes ----------- +* not really an API change, but the entity permission checks are now + systematically deferred to an operation, instead of a) trying in a + hook and b) if it failed, retrying later in an operation Deprecation diff -r 77e31ede9b04 -r e1369f2dba79 hooks/security.py --- a/hooks/security.py Fri Oct 04 15:59:54 2013 +0200 +++ b/hooks/security.py Fri Oct 04 17:05:49 2013 +0200 @@ -111,17 +111,11 @@ events = ('after_update_entity',) def __call__(self): - try: - # check user has permission right now, if not retry at commit time - self.entity.cw_check_perm('update') - check_entity_attributes(self._cw, self.entity) - except Unauthorized: - self.entity._cw_clear_local_perm_cache('update') - # save back editedattrs in case the entity is reedited later in the - # same transaction, which will lead to cw_edited being - # overwritten - CheckEntityPermissionOp.get_instance(self._cw).add_data( - (self.entity.eid, 'update', self.entity.cw_edited) ) + # save back editedattrs in case the entity is reedited later in the + # same transaction, which will lead to cw_edited being + # overwritten + CheckEntityPermissionOp.get_instance(self._cw).add_data( + (self.entity.eid, 'update', self.entity.cw_edited) ) class BeforeDelEntitySecurityHook(SecurityHook):