# HG changeset patch # User Sylvain Thénault # Date 1265351116 -3600 # Node ID f628abfb3a6cba95a939df83d7e87520d8957615 # Parent 6151849f41e0cd6c60349f57d5ee3bdd06cdca22# Parent 297a63704761753b1a4e80787ef886d5904dbacb backport stable diff -r 6151849f41e0 -r f628abfb3a6c appobject.py diff -r 6151849f41e0 -r f628abfb3a6c devtools/fake.py --- a/devtools/fake.py Thu Feb 04 13:17:26 2010 +0100 +++ b/devtools/fake.py Fri Feb 05 07:25:16 2010 +0100 @@ -78,7 +78,7 @@ """ pass - def set_header(self, header, value): + def set_header(self, header, value, raw=True): """set an output HTTP header""" self._headers[header] = value diff -r 6151849f41e0 -r f628abfb3a6c doc/book/en/development/datamodel/definition.rst --- a/doc/book/en/development/datamodel/definition.rst Thu Feb 04 13:17:26 2010 +0100 +++ b/doc/book/en/development/datamodel/definition.rst Fri Feb 05 07:25:16 2010 +0100 @@ -1,4 +1,4 @@ -.. -*- coding: utf-8 -*- + .. -*- coding: utf-8 -*- Yams *schema* ------------- 
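Review bot: The new `raw=True` parameter of `set_header` in devtools/fake.py is accepted but never read, and the docstring still says only "set an output HTTP header". Presumably it exists so the fake matches the real request's signature. If so, say that where the next reader will look, for example `"""set an output HTTP header (`raw` is accepted for API compatibility and ignored by the fake)"""`. Tests that depend on how a raw header value is handled will not be exercised by this fake, which is worth knowing when header handling is under test.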
@@ -226,17 +226,17 @@ * we associate rights at the enttities/relations schema level * for each entity, we distinguish four kind of permissions: read, add, update and delete -* for each relation, we distinguish three king of permissions: read, +* for each relation, we distinguish three kinds of permissions: read, add and delete (we can not modify a relation) * the basic groups are: Administrators, Users and Guests -* by default, users belongs to the group Users -* there is a virtual group called `Owners users` to which we +* by default, users belong to the group Users +* there is a virtual group called `Owners` to which we can associate only deletion and update permissions -* we can not add users to the `Owners users` group, they are - implicetely added to it according to the context of the objects +* we can not add users to the `Owners` group, they are + implicitly added to it according to the context of the objects they own -* the permissions of this group are only be checked on update/deletion - actions if all the other groups the user belongs does not provide +* the permissions of this group are only checked on update/deletion + actions if all the other groups the user belongs to does not provide those permissions Setting permissions is done with the attribute `__permissions__` of entities and @@ -250,8 +250,8 @@ For each access type, a tuple indicates the name of the authorized groups and/or one or multiple RQL expressions to satisfy to grant access. The access is -provided once the user is in the listed groups or one of the RQL condition is -satisfied. +provided if the user is in one of the listed groups or one of if the RQL condition +is satisfied. The standard user groups ```````````````````````` 
@@ -271,7 +271,7 @@ Use of RQL expression for write permissions -``````````````````````````````````````````` + ``````````````````````````````````````````` It is possible to define RQL expression to provide update permission (`add`, `delete` and `update`) on relation and entity types. @@ -287,7 +287,7 @@ * it is possible to use, in this expression, a special relation "has__permission" where the subject is the user and the - object is a any variable, meaning that the user needs to have + object is any variable, meaning that the user needs to have permission to execute the action on the entities related to this variable @@ -311,13 +311,14 @@ :Note on the use of RQL expression for `add` permission: - Potentially, the use of an RQL expression to add an entity or a relation - can cause problems for the user interface, because if the expression uses - the entity or the relation to create, then we are not able to verify the - permissions before we actually add the entity (please note that this is - not a problem for the RQL server at all, because the permissions checks are - done after the creation). In such case, the permission check methods - (check_perm, has_perm) can indicate that the user is not allowed to create + Potentially, the use of an RQL expression to add an entity or a + relation can cause problems for the user interface, because if the + expression uses the entity or the relation to create, then we are + not able to verify the permissions before we actually add the entity + (please note that this is not a problem for the RQL server at all, + because the permissions checks are done after the creation). In such + case, the permission check methods (CubicWebEntitySchema.check_perm + and has_perm) can indicate that the user is not allowed to create this entity but can obtain the permission. To compensate this problem, it is usually necessary, for such case, to use an action that reflects the schema permissions but which enables 
@@ -445,57 +446,54 @@ Definition of permissions ~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In addition to that the entity type `CWPermission` from the standard library -allow to build very complex and dynamic security architecture. The schema of -this entity type is as follow: +The entity type `CWPermission` from the standard library +allows to build very complex and dynamic security architectures. The schema of +this entity type is as follow : .. sourcecode:: python class CWPermission(EntityType): - """entity type that may be used to construct some advanced security configuration - """ - name = String(required=True, indexed=True, internationalizable=True, maxsize=100) + """entity type that may be used to construct some advanced security configuration + """ + name = String(required=True, indexed=True, internationalizable=True, maxsize=100) require_group = SubjectRelation('CWGroup', cardinality='+*', - description=_('groups to which the permission is granted')) + description=_('groups to which the permission is granted')) require_state = SubjectRelation('State', description=_("entity's state in which the permission is applicable")) - # can be used on any entity + # can be used on any entity require_permission = ObjectRelation('**', cardinality='*1', composite='subject', - description=_("link a permission to the entity. This " - "permission should be used in the security " - "definition of the entity's type to be useful.")) + description=_("link a permission to the entity. This " + "permission should be used in the security " + "definition of the entity's type to be useful.")) Example of configuration: .. sourcecode:: python - - ... 
- class Version(EntityType): - """a version is defining the content of a particular project's release""" + """a version is defining the content of a particular project's release""" - __permissions__ = {'read': ('managers', 'users', 'guests',), - 'update': ('managers', 'logilab', 'owners',), - 'delete': ('managers', ), - 'add': ('managers', 'logilab', - ERQLExpression('X version_of PROJ, U in_group G,' - 'PROJ require_permission P, P name "add_version",' - 'P require_group G'),)} + __permissions__ = {'read': ('managers', 'users', 'guests',), + 'update': ('managers', 'logilab', 'owners',), + 'delete': ('managers', ), + 'add': ('managers', 'logilab', + ERQLExpression('X version_of PROJ, U in_group G,' + 'PROJ require_permission P, P name "add_version",' + 'P require_group G'),)} class version_of(RelationType): - """link a version to its project. A version is necessarily linked to one and only one project. - """ - __permissions__ = {'read': ('managers', 'users', 'guests',), - 'delete': ('managers', ), - 'add': ('managers', 'logilab', - RRQLExpression('O require_permission P, P name "add_version",' - 'U in_group G, P require_group G'),) - } - inlined = True + """link a version to its project. A version is necessarily linked to one and only one project. + """ + __permissions__ = {'read': ('managers', 'users', 'guests',), + 'delete': ('managers', ), + 'add': ('managers', 'logilab', + RRQLExpression('O require_permission P, P name "add_version",' + 'U in_group G, P require_group G'),) + } + inlined = True + This configuration indicates that an entity `CWPermission` named "add_version" can be associated to a project and provides rights to create diff -r 6151849f41e0 -r f628abfb3a6c req.py --- a/req.py Thu Feb 04 13:17:26 2010 +0100 +++ b/req.py Fri Feb 05 07:25:16 2010 +0100 
@@ -341,7 +341,7 @@ """return a string for floating point number according to instance's configuration """ - if num: + if num is not None: return self.property_value('ui.float-format') % num return u'' diff -r 6151849f41e0 -r f628abfb3a6c view.py --- a/view.py Thu Feb 04 13:17:26 2010 +0100 +++ b/view.py Fri Feb 05 07:25:16 2010 +0100 @@ -112,7 +112,7 @@ def paginable(self): if not isinstance(self.__class__.need_navigation, property): warn('[3.6] %s.need_navigation is deprecated, use .paginable' - % self.__class__, DeprecationWarninig) + % self.__class__, DeprecationWarning) return self.need_navigation return True diff -r 6151849f41e0 -r f628abfb3a6c web/request.py --- a/web/request.py Thu Feb 04 13:17:26 2010 +0100 +++ b/web/request.py Fri Feb 05 07:25:16 2010 +0100 @@ -752,7 +752,7 @@ def document_surrounding_div(self): if self.xhtml_browser(): - return (u'\n' + STRICT_DOCTYPE + + return (u'\n' + STRICT_DOCTYPE + # XXX encoding ? u'
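Review bot: With `if num is not None:` in the req.py hunk, every non-None value now reaches the `%` formatting, including falsy non-numeric values such as an empty string that the old `if num:` test turned into `u''`. The value of `ui.float-format` is not visible here, but with a float format such as `%.2f` an empty string would raise TypeError instead of returning `u''`. The fix for `0` and `0.0` is right. If callers can pass `''` (for instance an unset form field), either keep that case explicit with `if num is not None and num != '':` or state in the docstring that `num` must be a number or None. The enclosing method starts outside the hunk, so its callers cannot be checked from here.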
') return u'
' diff -r 6151849f41e0 -r f628abfb3a6c web/views/plots.py --- a/web/views/plots.py Thu Feb 04 13:17:26 2010 +0100 +++ b/web/views/plots.py Fri Feb 05 07:25:16 2010 +0100 @@ -119,7 +119,7 @@ 'figid': figid, 'plotdata': ','.join(plotdata), 'mode': self.timemode and "'time'" or 'null'}, - jsoncall=req.form.get('jsoncall', False)) + jsoncall=req.json_request) class PlotView(baseviews.AnyRsetView): diff -r 6151849f41e0 -r f628abfb3a6c web/views/treeview.py --- a/web/views/treeview.py Thu Feb 04 13:17:26 2010 +0100 +++ b/web/views/treeview.py Fri Feb 05 07:25:16 2010 +0100 @@ -113,10 +113,8 @@ assert treeid is not None entity = self.cw_rset.get_entity(row, col) itemview = self._cw.view(vid, self.cw_rset, row=row, col=col) - if row == len(self.cw_rset) - 1: - self.w(u'
  • %s
  • ' % itemview) - else: - self.w(u'
  • %s
  • ' % itemview) + last_class = morekwargs['is_last'] and ' class="last"' or '' + self.w(u'%s' % (last_class, itemview)) class TreeViewItemView(EntityView):
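Review bot: `morekwargs['is_last']` in the treeview.py hunk raises KeyError whenever the caller does not pass `is_last`, whereas the removed `row == len(self.cw_rset) - 1` test needed nothing from the caller. `morekwargs` is defined outside the hunk, so it cannot be confirmed from here that every code path rendering this view supplies the key. `last_class = morekwargs.get('is_last') and ' class="last"' or ''` keeps the view usable when it is invoked directly. A one-line comment naming which view sets `is_last` would also help, since the last-item decision is now made by the caller rather than computed here.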