[doc] fix security bug in photo web site tutorial stable
author: Sylvain Thénault <sylvain.thenault@logilab.fr>
Fri, 14 Jan 2011 18:31:46 +0100
branch: stable
changeset 6830 7a19a4f65573
parent 6829 43d70b3fdcb5
child 6831 0801dae5bba2
[doc] fix security bug in photo web site tutorial
doc/book/en/tutorials/advanced/index.rst
--- a/doc/book/en/tutorials/advanced/index.rst	Fri Jan 14 18:30:42 2011 +0100
+++ b/doc/book/en/tutorials/advanced/index.rst	Fri Jan 14 18:31:46 2011 +0100
@@ -226,6 +226,12 @@
 	cardinality = '11' # required
 
     class may_be_read_by(RelationDefinition):
+        __permissions__ = {
+	    'read':   ('managers', 'users'),
+	    'add':    ('managers',),
+	    'delete': ('managers',),
+	    }
+
 	subject = ('Folder', 'File', 'Image', 'Comment',)
 	object = 'CWUser'
 
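Review bot: the added `__permissions__` block mixes indentation styles: the `__permissions__ = {` line is indented with spaces while the three dictionary entries and the closing brace use tabs, as do the surrounding `subject` and `object` context lines. Pick one style for the whole block so the snippet pastes cleanly into a reader's schema.py. It would also help to say, in a comment next to the block, why `add` and `delete` are restricted to `managers` only: `may_be_read_by` is the relation the tutorial uses to control who can see a Folder, File, Image or Comment, so leaving it addable and deletable by any user (the default the next hunk describes) would let users grant or revoke read access themselves, which is exactly the bug the changeset fixes.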
@@ -241,6 +247,9 @@
 
 * the `parent` possible value will be used for visibility propagation
 
+* think to secure the `may_be_read_by` permissions, else any user can add/delte it
+  by default, which somewhat breaks our security model...
+
 Now, we should be able to define security rules in the schema, based on these new
 attribute and relation. Here is the code to add to *schema.py*:
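Review bot: typo in the added bullet, `add/delte` should read `add/delete`, and `think to secure` reads better as `remember to secure`. The bullet should also state what "secure" means concretely here, namely setting `__permissions__` on `may_be_read_by` so that only `managers` can `add` and `delete` it, since this sentence is the only place in the tutorial text that explains why the permissions block added in the previous hunk exists; the trailing `...` can be dropped.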