[session/transaction] move read_security subtlety in transaction
authorPierre-Yves David <pierre-yves.david@logilab.fr>
Wed, 27 Mar 2013 19:40:09 +0100
changeset 8806 8ca4b323223c
parent 8805 d91285fe7242
child 8807 d9aaad2c52e9
[session/transaction] move read_security subtlety in transaction This is transaction data, itshould be handled by the transaction itself.
server/session.py
--- a/server/session.py	Mon Mar 25 16:08:02 2013 +0100
+++ b/server/session.py	Wed Mar 27 19:40:09 2013 +0100
@@ -227,7 +227,7 @@
 
 
         ### security control attributes
-        self.read_security = DEFAULT_SECURITY
+        self._read_security = DEFAULT_SECURITY # handled by a property
         self.write_security = DEFAULT_SECURITY
 
         # RQLRewriter are not thread safe
@@ -358,6 +358,35 @@
         """
         return self.is_hook_category_activated(hook.category)
 
+    # Security management #####################################################
+    @property
+    def read_security(self):
+        return self._read_security
+
+    @read_security.setter
+    def read_security(self, activated):
+        oldmode = self._read_security
+        self._read_security = activated
+        # running_dbapi_query used to detect hooks triggered by a 'dbapi' query
+        # (eg not issued on the session). This is tricky since we the execution
+        # model of a (write) user query is:
+        #
+        # repository.execute (security enabled)
+        #  \-> querier.execute
+        #       \-> repo.glob_xxx (add/update/delete entity/relation)
+        #            \-> deactivate security before calling hooks
+        #                 \-> WE WANT TO CHECK QUERY NATURE HERE
+        #                      \-> potentially, other calls to querier.execute
+        #
+        # so we can't rely on simply checking session.read_security, but
+        # recalling the first transition from DEFAULT_SECURITY to something
+        # else (False actually) is not perfect but should be enough
+        #
+        # also reset running_dbapi_query to true when we go back to
+        # DEFAULT_SECURITY
+        self.running_dbapi_query = (oldmode is DEFAULT_SECURITY
+                                    or activated is DEFAULT_SECURITY)
+
 
 def tx_attr(attr_name, writable=False):
     """return a property to forward attribute access to transaction.
@@ -779,8 +808,6 @@
             if write is not None:
                 self.set_write_security(write)
 
-    read_security = tx_attr('read_security')
-
     def set_read_security(self, activated):
         """[de]activate read security, returning the previous value set for
         later restoration.
@@ -788,32 +815,10 @@
         you should usually use the `security_enabled` context manager instead
         of this to change security settings.
         """
-        tx = self._tx
-        oldmode = tx.read_security
-        tx.read_security = activated
-        # running_dbapi_query used to detect hooks triggered by a 'dbapi' query
-        # (eg not issued on the session). This is tricky since we the execution
-        # model of a (write) user query is:
-        #
-        # repository.execute (security enabled)
-        #  \-> querier.execute
-        #       \-> repo.glob_xxx (add/update/delete entity/relation)
-        #            \-> deactivate security before calling hooks
-        #                 \-> WE WANT TO CHECK QUERY NATURE HERE
-        #                      \-> potentially, other calls to querier.execute
-        #
-        # so we can't rely on simply checking session.read_security, but
-        # recalling the first transition from DEFAULT_SECURITY to something
-        # else (False actually) is not perfect but should be enough
-        #
-        # also reset running_dbapi_query to true when we go back to
-        # DEFAULT_SECURITY
-        tx.running_dbapi_query = (oldmode is DEFAULT_SECURITY
-                               or activated is DEFAULT_SECURITY)
+        oldmode = self._tx.read_security
+        self._tx.read_security = activated
         return oldmode
 
-    write_security = tx_attr('write_security')
-
     def set_write_security(self, activated):
         """[de]activate write security, returning the previous value set for
         later restoration.
@@ -821,11 +826,12 @@
         you should usually use the `security_enabled` context manager instead
         of this to change security settings.
         """
-        tx = self._tx
-        oldmode = tx.write_security
-        tx.write_security = activated
+        oldmode = self._tx.write_security
+        self._tx.write_security = activated
         return oldmode
 
+    read_security = tx_attr('read_security')
+    write_security = tx_attr('write_security')
     running_dbapi_query = tx_attr('running_dbapi_query')
 
     # hooks activation control #################################################