don't update dontcheck until everything went fine:
see usage in after_update_entity, where if we got an Unauthorized at
hook time, we will retry at commit time.
--- a/hooks/security.py Wed Mar 24 15:21:21 2010 +0100
+++ b/hooks/security.py Wed Mar 24 15:22:01 2010 +0100
@@ -25,15 +25,16 @@
except AttributeError:
editedattrs = entity # XXX unexpected
for attr in editedattrs:
- try:
- dontcheck.remove(attr)
+ if attr in dontcheck:
continue
- except KeyError:
- pass
rdef = eschema.rdef(attr)
if rdef.final: # non final relation are checked by other hooks
# add/delete should be equivalent (XXX: unify them into 'update' ?)
rdef.check_perm(session, 'update', eid=eid)
+ # don't update dontcheck until everything went fine: see usage in
+ # after_update_entity, where if we got an Unauthorized at hook time, we will
+ # retry and commit time
+ dontcheck |= frozenset(editedattrs)
class _CheckEntityPermissionOp(hook.LateOperation):
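Review bot: The trailing `dontcheck |= frozenset(editedattrs)` makes the skip set only ever grow. The old code consumed an entry with `dontcheck.remove(attr)`, whereas now every attribute that passed `check_perm` once, and every entry placed there earlier, is skipped by `if attr in dontcheck: continue` on all later calls that see the same set. That suits the commit-time retry, but if the same entity object is edited again before the set is reset (the function starts above this hunk, so where `dontcheck` comes from and when it is cleared is not visible), the second write to that attribute would skip the 'update' permission check; the comment should say so, e.g. `# NOTE: dontcheck persists across calls; it must be reset before a new edit of this entity is checked`. The update also presumably relies on `dontcheck` being a mutable set shared with the caller, since on a frozenset `|=` would only rebind the local name and record nothing. In the added comment, "retry and commit time" should read "retry at commit time".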