--- a/hooks/security.py Fri Jun 04 13:08:28 2010 +0200
+++ b/hooks/security.py Fri Jun 04 13:09:12 2010 +0200
@@ -26,7 +26,7 @@
from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook
-def check_entity_attributes(session, entity, editedattrs=None):
+def check_entity_attributes(session, entity, editedattrs=None, creation=False):
eid = entity.eid
eschema = entity.e_schema
# .skip_security_attributes is there to bypass security for attributes
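Review bot: The new `creation` keyword added to `check_entity_attributes` is not documented, and no docstring is visible between the signature and the first statement, although the flag changes which attribute permission checks are performed. State its meaning at the signature rather than only in the loop body, e.g. `"""Check the 'update' permission of each edited attribute of *entity*; with ``creation=True`` attributes whose 'update' permission is empty are not checked, since they can only be set when the entity is created."""` (adjust to the actual intent). The function body continues past this hunk.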
@@ -43,6 +43,8 @@
rdef = eschema.rdef(attr)
if rdef.final: # non final relation are checked by other hooks
# add/delete should be equivalent (XXX: unify them into 'update' ?)
+ if creation and not rdef.permissions.get('update'):
+ continue
rdef.check_perm(session, 'update', eid=eid)
# don't update dontcheck until everything went fine: see usage in
# after_update_entity, where if we got an Unauthorized at hook time, we will
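Review bot: The new `continue` before `rdef.check_perm` skips the attribute check entirely, so at creation an attribute whose 'update' permission is empty is accepted purely on the strength of the entity-level `entity.check_perm(action)` done by the caller; that looks intentional (set-once attributes) but is not said anywhere, and `rdef.permissions.get('update')` returning None for a missing key takes the same path as an explicitly empty permission. A comment would make the trust boundary explicit: `# at creation, attributes nobody may update (set-once) are guarded only by the entity 'add' permission already checked by the caller`. If the final relation definition carries its own 'add' permission, checking it here (`rdef.check_perm(session, 'add', eid=eid)`) would be more precise than skipping. The enclosing loop and function start before this hunk.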
@@ -58,7 +60,8 @@
entity = session.entity_from_eid(values[0])
action = values[1]
entity.check_perm(action)
- check_entity_attributes(session, entity, values[2:])
+ check_entity_attributes(session, entity, values[2:],
+ creation=self.creation)
def commit_event(self):
pass
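Review bot: `self.creation` at the `check_entity_attributes` call is an attribute of the whole operation, yet the same datakey `'check_entity_perm_op'` is fed both by the add hook with `creation=True` and by the update hook with `creation=False` (the two later hunks); if `set_operation` reuses the operation first created for that datakey within a transaction, as its use with a shared datakey suggests, every queued entity is checked with whichever flag arrived first, so an update queued after a creation in the same transaction would skip the check for attributes with an empty 'update' permission, and a creation queued after an update would be wrongly rejected. The flag is already available per value: `values[1]` is `'add'` for creations and `'update'` for updates, so derive it there, `check_entity_attributes(session, entity, values[2:], creation=(action == 'add'))`, and drop the `creation=` keyword from both `set_operation` calls. The enclosing method starts before this hunk.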
@@ -95,7 +98,7 @@
def __call__(self):
hook.set_operation(self._cw, 'check_entity_perm_op',
(self.entity.eid, 'add') + tuple(self.entity.edited_attributes),
- _CheckEntityPermissionOp)
+ _CheckEntityPermissionOp, creation=True)
class AfterUpdateEntitySecurityHook(SecurityHook):
@@ -114,7 +117,7 @@
# overwritten
hook.set_operation(self._cw, 'check_entity_perm_op',
(self.entity.eid, 'update') + tuple(self.entity.edited_attributes),
- _CheckEntityPermissionOp)
+ _CheckEntityPermissionOp, creation=False)
class BeforeDelEntitySecurityHook(SecurityHook):