merge stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 04 Mar 2010 08:48:51 +0100
branchstable
changeset 4778 e0f2ca89123f
parent 4753 dd6ae6512916 (current diff)
parent 4765 c33d12865641 (diff)
child 4779 dce36da37d40
merge
--- a/devtools/__init__.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/devtools/__init__.py	Thu Mar 04 08:48:51 2010 +0100
@@ -30,8 +30,8 @@
 
 SYSTEM_RELATIONS = schema.META_RTYPES | set((
     # workflow related
-    'workflow_of', 'state_of', 'transition_of', 'initial_state', 'allowed_transition',
-    'destination_state', 'from_state', 'to_state',
+    'workflow_of', 'state_of', 'transition_of', 'initial_state', 'default_workflow',
+    'allowed_transition', 'destination_state', 'from_state', 'to_state',
     'condition', 'subworkflow', 'subworkflow_state', 'subworkflow_exit',
     'custom_workflow', 'in_state', 'wf_info_for',
     # cwproperty
--- a/entity.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/entity.py	Thu Mar 04 08:48:51 2010 +0100
@@ -797,7 +797,7 @@
             del self.__unique
         except AttributeError:
             pass
-    
+
     # raw edition utilities ###################################################
 
     def set_attributes(self, _cw_unsafe=False, **kwargs):
--- a/schema.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/schema.py	Thu Mar 04 08:48:51 2010 +0100
@@ -50,8 +50,9 @@
     ))
 
 WORKFLOW_TYPES = set(('Transition', 'State', 'TrInfo', 'Workflow',
-                         'WorkflowTransition', 'BaseTransition',
-                         'SubWorkflowExitPoint'))
+                      'WorkflowTransition', 'BaseTransition',
+                      'SubWorkflowExitPoint'))
+
 INTERNAL_TYPES = set(('CWProperty', 'CWPermission', 'CWCache', 'ExternalUri'))
 
 
@@ -63,6 +64,31 @@
 ybo.RDEF_PROPERTIES += ('eid',)
 
 
+PUB_SYSTEM_ENTITY_PERMS = {
+    'read':   ('managers', 'users', 'guests',),
+    'add':    ('managers',),
+    'delete': ('managers',),
+    'update': ('managers',),
+    }
+PUB_SYSTEM_REL_PERMS = {
+    'read':   ('managers', 'users', 'guests',),
+    'add':    ('managers',),
+    'delete': ('managers',),
+    }
+PUB_SYSTEM_ATTR_PERMS = {
+    'read':   ('managers', 'users', 'guests',),
+    'update':    ('managers',),
+    }
+RO_REL_PERMS = {
+    'read':   ('managers', 'users', 'guests',),
+    'add':    (),
+    'delete': (),
+    }
+RO_ATTR_PERMS = {
+    'read':   ('managers', 'users', 'guests',),
+    'update': (),
+    }
+
 # XXX same algorithm as in reorder_cubes and probably other place,
 # may probably extract a generic function
 def order_eschemas(eschemas):
@@ -369,7 +395,8 @@
         if need_has_text is None:
             need_has_text = may_need_has_text
         if need_has_text and not has_has_text and not deletion:
-            rdef = ybo.RelationDefinition(self.type, 'has_text', 'String')
+            rdef = ybo.RelationDefinition(self.type, 'has_text', 'String',
+                                          __permissions__=RO_ATTR_PERMS)
             self.schema.add_relation_def(rdef)
         elif not need_has_text and has_has_text:
             self.schema.del_relation_def(self.type, 'has_text', 'String')
@@ -491,9 +518,11 @@
         if not eschema.final:
             # automatically add the eid relation to non final entity types
             rdef = ybo.RelationDefinition(eschema.type, 'eid', 'Int',
-                                          cardinality='11', uid=True)
+                                          cardinality='11', uid=True,
+                                          __permissions__=RO_ATTR_PERMS)
             self.add_relation_def(rdef)
-            rdef = ybo.RelationDefinition(eschema.type, 'identity', eschema.type)
+            rdef = ybo.RelationDefinition(eschema.type, 'identity', eschema.type,
+                                          __permissions__=RO_REL_PERMS)
             self.add_relation_def(rdef)
         self._eid_index[eschema.eid] = eschema
         return eschema
@@ -1054,8 +1083,16 @@
         cw = entity._cw
     elif form is not None:
         cw = form._cw
-    if cw is not None and cw.user.has_permission(PERM_USE_TEMPLATE_FORMAT):
-        return self.regular_formats + tuple(NEED_PERM_FORMATS)
+    if cw is not None:
+        if hasattr(cw, 'is_super_session'):
+            # cw is a server session
+            hasperm = cw.is_super_session or \
+                      not cw.vreg.config.is_hook_category_activated('integrity') or \
+                      cw.user.has_permission(PERM_USE_TEMPLATE_FORMAT)
+        else:
+            hasperm = cw.user.has_permission(PERM_USE_TEMPLATE_FORMAT)
+        if hasperm:
+            return self.regular_formats + tuple(NEED_PERM_FORMATS)
     return self.regular_formats
 
 # XXX monkey patch PyFileReader.import_erschema until bw_normalize_etype is
--- a/schemas/__init__.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/schemas/__init__.py	Thu Mar 04 08:48:51 2010 +0100
@@ -1,38 +1,25 @@
 """some utilities to define schema permissions
 
 :organization: Logilab
-:copyright: 2008 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+:copyright: 2008-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
 :contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr
 """
 __docformat__ = "restructuredtext en"
 
 from rql.utils import quote
-from cubicweb.schema import ERQLExpression, RRQLExpression
+from cubicweb.schema import RO_REL_PERMS, RO_ATTR_PERMS, \
+     PUB_SYSTEM_ENTITY_PERMS, PUB_SYSTEM_REL_PERMS, \
+     ERQLExpression, RRQLExpression
 
 # permissions for "meta" entity type (readable by anyone, can only be
 # added/deleted by managers)
-META_ETYPE_PERMS = {
-    'read':   ('managers', 'users', 'guests',),
-    'add':    ('managers',),
-    'delete': ('managers',),
-    'update': ('managers', 'owners',),
-    }
-
+META_ETYPE_PERMS = PUB_SYSTEM_ENTITY_PERMS # XXX deprecates
 # permissions for "meta" relation type (readable by anyone, can only be
 # added/deleted by managers)
-META_RTYPE_PERMS = {
-    'read':   ('managers', 'users', 'guests',),
-    'add':    ('managers',),
-    'delete': ('managers',),
-    }
-
+META_RTYPE_PERMS = PUB_SYSTEM_REL_PERMS # XXX deprecates
 # permissions for relation type that should only set by hooks using unsafe
 # execute, readable by anyone
-HOOKS_RTYPE_PERMS = {
-    'read':   ('managers', 'users', 'guests',),
-    'add':    (),
-    'delete': (),
-    }
+HOOKS_RTYPE_PERMS = RO_REL_PERMS # XXX deprecates
 
 def _perm(names):
     if isinstance(names, (list, tuple)):
--- a/schemas/base.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/schemas/base.py	Thu Mar 04 08:48:51 2010 +0100
@@ -10,9 +10,9 @@
 
 from yams.buildobjs import (EntityType, RelationType, SubjectRelation,
                             String, Datetime, Password)
-from cubicweb.schema import (RQLConstraint, WorkflowableEntityType,
-                             ERQLExpression, RRQLExpression)
-from cubicweb.schemas import META_ETYPE_PERMS, META_RTYPE_PERMS
+from cubicweb.schema import (
+    RQLConstraint, WorkflowableEntityType, ERQLExpression, RRQLExpression,
+    PUB_SYSTEM_ENTITY_PERMS, PUB_SYSTEM_REL_PERMS, PUB_SYSTEM_ATTR_PERMS)
 
 class CWUser(WorkflowableEntityType):
     """define a CubicWeb user"""
@@ -85,7 +85,7 @@
 
 class in_group(RelationType):
     """core relation indicating a user's groups"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
 
 class owned_by(RelationType):
     """core relation indicating owners of an entity. This relation
@@ -118,18 +118,21 @@
 
 class creation_date(RelationType):
     """creation time of an entity"""
+    __permissions__ = PUB_SYSTEM_ATTR_PERMS
     cardinality = '11'
     subject = '*'
     object = 'Datetime'
 
 class modification_date(RelationType):
     """latest modification time of an entity"""
+    __permissions__ = PUB_SYSTEM_ATTR_PERMS
     cardinality = '11'
     subject = '*'
     object = 'Datetime'
 
 class cwuri(RelationType):
     """internal entity uri"""
+    __permissions__ = PUB_SYSTEM_ATTR_PERMS
     cardinality = '11'
     subject = '*'
     object = 'String'
@@ -155,7 +158,7 @@
 class CWPermission(EntityType):
     """entity type that may be used to construct some advanced security configuration
     """
-    __permissions__ = META_ETYPE_PERMS
+    __permissions__ = PUB_SYSTEM_ENTITY_PERMS
 
     name = String(required=True, indexed=True, internationalizable=True, maxsize=100,
                   description=_('name or identifier of the permission'))
@@ -170,11 +173,11 @@
     """link a permission to the entity. This permission should be used in the
     security definition of the entity's type to be useful.
     """
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
 
 class require_group(RelationType):
     """used to grant a permission to a group"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
 
 
 class ExternalUri(EntityType):
@@ -209,6 +212,8 @@
 
     Also, checkout the AppObject.get_cache() method.
     """
+    # XXX only handle by hooks, shouldn't be readable/editable at all through
+    # the ui and so no permissions should be granted, no?
     __permissions__ = {
         'read':   ('managers', 'users', 'guests'),
         'add':    ('managers',),
--- a/schemas/bootstrap.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/schemas/bootstrap.py	Thu Mar 04 08:48:51 2010 +0100
@@ -10,14 +10,16 @@
 
 from yams.buildobjs import (EntityType, RelationType, RelationDefinition,
                             SubjectRelation, RichString, String, Boolean, Int)
-from cubicweb.schema import RQLConstraint
-from cubicweb.schemas import META_ETYPE_PERMS, META_RTYPE_PERMS
+from cubicweb.schema import (
+    RQLConstraint,
+    PUB_SYSTEM_ENTITY_PERMS, PUB_SYSTEM_REL_PERMS, PUB_SYSTEM_ATTR_PERMS
+    )
 
 # not restricted since as "is" is handled as other relations, guests need
 # access to this
 class CWEType(EntityType):
     """define an entity type, used to build the instance schema"""
-    __permissions__ = META_ETYPE_PERMS
+    __permissions__ = PUB_SYSTEM_ENTITY_PERMS
     name = String(required=True, indexed=True, internationalizable=True,
                   unique=True, maxsize=64)
     description = RichString(internationalizable=True,
@@ -28,7 +30,7 @@
 
 class CWRType(EntityType):
     """define a relation type, used to build the instance schema"""
-    __permissions__ = META_ETYPE_PERMS
+    __permissions__ = PUB_SYSTEM_ENTITY_PERMS
     name = String(required=True, indexed=True, internationalizable=True,
                   unique=True, maxsize=64)
     description = RichString(internationalizable=True,
@@ -48,7 +50,7 @@
 
     used to build the instance schema
     """
-    __permissions__ = META_ETYPE_PERMS
+    __permissions__ = PUB_SYSTEM_ENTITY_PERMS
     relation_type = SubjectRelation('CWRType', cardinality='1*',
                                     constraints=[RQLConstraint('O final TRUE')],
                                     composite='object')
@@ -85,7 +87,7 @@
 
     used to build the instance schema
     """
-    __permissions__ = META_ETYPE_PERMS
+    __permissions__ = PUB_SYSTEM_ENTITY_PERMS
     relation_type = SubjectRelation('CWRType', cardinality='1*',
                                     constraints=[RQLConstraint('O final FALSE')],
                                     composite='object')
@@ -116,7 +118,7 @@
 # not restricted since it has to be read when checking allowed transitions
 class RQLExpression(EntityType):
     """define a rql expression used to define permissions"""
-    __permissions__ = META_ETYPE_PERMS
+    __permissions__ = PUB_SYSTEM_ENTITY_PERMS
     exprtype = String(required=True, vocabulary=['ERQLExpression', 'RRQLExpression'])
     mainvars = String(maxsize=8,
                       description=_('name of the main variables which should be '
@@ -134,14 +136,14 @@
 
 class CWConstraint(EntityType):
     """define a schema constraint"""
-    __permissions__ = META_ETYPE_PERMS
+    __permissions__ = PUB_SYSTEM_ENTITY_PERMS
     cstrtype = SubjectRelation('CWConstraintType', cardinality='1*')
     value = String(description=_('depends on the constraint type'))
 
 
 class CWConstraintType(EntityType):
     """define a schema constraint type"""
-    __permissions__ = META_ETYPE_PERMS
+    __permissions__ = PUB_SYSTEM_ENTITY_PERMS
     name = String(required=True, indexed=True, internationalizable=True,
                   unique=True, maxsize=64)
 
@@ -149,7 +151,7 @@
 # not restricted since it has to be read when checking allowed transitions
 class CWGroup(EntityType):
     """define a CubicWeb users group"""
-    __permissions__ = META_ETYPE_PERMS
+    __permissions__ = PUB_SYSTEM_ENTITY_PERMS
     name = String(required=True, indexed=True, internationalizable=True,
                   unique=True, maxsize=64)
 
@@ -173,32 +175,32 @@
 
 class relation_type(RelationType):
     """link a relation definition to its relation type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     inlined = True
 
 class from_entity(RelationType):
     """link a relation definition to its subject entity type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     inlined = True
 
 class to_entity(RelationType):
     """link a relation definition to its object entity type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     inlined = True
 
 class constrained_by(RelationType):
     """constraints applying on this relation"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
 
 class cstrtype(RelationType):
     """constraint factory"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     inlined = True
 
 
 class read_permission_cwgroup(RelationDefinition):
     """groups allowed to read entities/relations of this type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     name = 'read_permission'
     subject = ('CWEType', 'CWAttribute', 'CWRelation')
     object = 'CWGroup'
@@ -206,7 +208,7 @@
 
 class add_permission_cwgroup(RelationDefinition):
     """groups allowed to add entities/relations of this type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     name = 'add_permission'
     subject = ('CWEType', 'CWRelation')
     object = 'CWGroup'
@@ -214,7 +216,7 @@
 
 class delete_permission_cwgroup(RelationDefinition):
     """groups allowed to delete entities/relations of this type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     name = 'delete_permission'
     subject = ('CWEType', 'CWRelation')
     object = 'CWGroup'
@@ -222,7 +224,7 @@
 
 class update_permission_cwgroup(RelationDefinition):
     """groups allowed to update entities/relations of this type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     name = 'update_permission'
     subject = ('CWEType', 'CWAttribute')
     object = 'CWGroup'
@@ -230,7 +232,7 @@
 
 class read_permission_rqlexpr(RelationDefinition):
     """rql expression allowing to read entities/relations of this type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     name = 'read_permission'
     subject = ('CWEType', 'CWAttribute', 'CWRelation')
     object = 'RQLExpression'
@@ -239,7 +241,7 @@
 
 class add_permission_rqlexpr(RelationDefinition):
     """rql expression allowing to add entities/relations of this type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     name = 'add_permission'
     subject = ('CWEType', 'CWRelation')
     object = 'RQLExpression'
@@ -248,7 +250,7 @@
 
 class delete_permission_rqlexpr(RelationDefinition):
     """rql expression allowing to delete entities/relations of this type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     name = 'delete_permission'
     subject = ('CWEType', 'CWRelation')
     object = 'RQLExpression'
@@ -257,7 +259,7 @@
 
 class update_permission_rqlexpr(RelationDefinition):
     """rql expression allowing to update entities/relations of this type"""
-    __permissions__ = META_RTYPE_PERMS
+    __permissions__ = PUB_SYSTEM_REL_PERMS
     name = 'update_permission'
     subject = ('CWEType', 'CWAttribute')
     object = 'RQLExpression'
@@ -305,3 +307,13 @@
     cardinality = '?*'
     subject = 'CWEType'
     object = 'CWEType'
+
+def post_build_callback(schema):
+    """set attributes permissions for schema/workflow entities"""
+    from cubicweb.schema import SCHEMA_TYPES, WORKFLOW_TYPES, META_RTYPES
+    for eschema in schema.entities():
+        if eschema in SCHEMA_TYPES or eschema in WORKFLOW_TYPES:
+            for rschema in eschema.subject_relations():
+                if rschema.final and not rschema in META_RTYPES:
+                    rdef = eschema.rdef(rschema)
+                    rdef.permissions = PUB_SYSTEM_ATTR_PERMS
--- a/server/__init__.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/server/__init__.py	Thu Mar 04 08:48:51 2010 +0100
@@ -186,6 +186,7 @@
     handler.install_custom_sql_scripts(join(CW_SOFTWARE_ROOT, 'schemas'), driver)
     for directory in reversed(config.cubes_path()):
         handler.install_custom_sql_scripts(join(directory, 'schema'), driver)
+    # serialize the schema
     initialize_schema(config, schema, handler)
     # yoo !
     cnx.commit()
--- a/server/querier.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/server/querier.py	Thu Mar 04 08:48:51 2010 +0100
@@ -358,6 +358,7 @@
         self.preprocess(rqlst, security=False)
         return rqlst
 
+
 class InsertPlan(ExecutionPlan):
     """an execution model specific to the INSERT rql query
     """
--- a/server/repository.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/server/repository.py	Thu Mar 04 08:48:51 2010 +0100
@@ -105,7 +105,8 @@
     #     skip that for super session (though we can still skip it for internal
     #     sessions). Also we should imo rely on the orm to first fetch existing
     #     entity if any then delete it.
-    if session.is_internal_session:
+    if session.is_internal_session \
+           or not session.vreg.config.is_hook_category_activated('integrity'):
         return
     card = session.schema_rproperty(rtype, eidfrom, eidto, 'cardinality')
     # one may be tented to check for neweids but this may cause more than one
--- a/server/schemaserial.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/server/schemaserial.py	Thu Mar 04 08:48:51 2010 +0100
@@ -51,10 +51,6 @@
     return res
 
 # schema / perms deserialization ##############################################
-OLD_SCHEMA_TYPES = frozenset(('EFRDef', 'ENFRDef', 'ERType', 'EEType',
-                              'EConstraintType', 'EConstraint', 'EGroup',
-                              'EUser', 'ECache', 'EPermission', 'EProperty'))
-
 def deserialize_schema(schema, session):
     """return a schema according to information stored in an rql database
     as CWRType and CWEType entities
@@ -90,12 +86,6 @@
                                {'x': eid, 'n': netype})
             session.system_sql('UPDATE entities SET type=%(n)s WHERE type=%(x)s',
                                {'x': etype, 'n': netype})
-            # XXX should be donne as well on sqlite based sources
-            if not etype in OLD_SCHEMA_TYPES and \
-               (getattr(dbhelper, 'case_sensitive', False)
-                or etype.lower() != netype.lower()):
-                session.system_sql('ALTER TABLE %s%s RENAME TO %s%s' % (
-                    sqlutils.SQL_PREFIX, etype, sqlutils.SQL_PREFIX, netype))
             session.commit(False)
             try:
                 session.system_sql('UPDATE deleted_entities SET type=%(n)s WHERE type=%(x)s',
@@ -182,6 +172,17 @@
             res.setdefault(eid, {}).setdefault(action, []).append( (expr, mainvars, expreid) )
     return res
 
+def deserialize_rdef_constraints(session):
+    """return the list of relation definition's constraints as instances"""
+    res = {}
+    for rdefeid, ceid, ct, val in session.execute(
+        'Any E, X,TN,V WHERE E constrained_by X, X is CWConstraint, '
+        'X cstrtype T, T name TN, X value V', build_descr=False):
+        cstr = CONSTRAINTS[ct].deserialize(val)
+        cstr.eid = ceid
+        res.setdefault(rdefeid, []).append(cstr)
+    return res
+
 def set_perms(erschema, permsdict):
     """set permissions on the given erschema according to the permission
     definition dictionary as built by deserialize_ertype_permissions for a
@@ -202,21 +203,9 @@
             for p in somethings)
 
 
-def deserialize_rdef_constraints(session):
-    """return the list of relation definition's constraints as instances"""
-    res = {}
-    for rdefeid, ceid, ct, val in session.execute(
-        'Any E, X,TN,V WHERE E constrained_by X, X is CWConstraint, '
-        'X cstrtype T, T name TN, X value V', build_descr=False):
-        cstr = CONSTRAINTS[ct].deserialize(val)
-        cstr.eid = ceid
-        res.setdefault(rdefeid, []).append(cstr)
-    return res
-
-
 # schema / perms serialization ################################################
 
-def serialize_schema(cursor, schema, verbose=False):
+def serialize_schema(cursor, schema):
     """synchronize schema and permissions in the database according to
     current schema
     """
@@ -224,38 +213,40 @@
     if not quiet:
         _title = '-> storing the schema in the database '
         print _title,
-    execute = cursor.execute
+    execute = cursor.unsafe_execute
     eschemas = schema.entities()
     aller = eschemas + schema.relations()
-    if not verbose and not quiet:
+    if not quiet:
         pb_size = len(aller) + len(CONSTRAINTS) + len([x for x in eschemas if x.specializes()])
         pb = ProgressBar(pb_size, title=_title)
     else:
         pb = None
+    # serialize all entity types, assuring CWEType is serialized first
+    eschemas.remove(schema.eschema('CWEType'))
+    eschemas.insert(0, schema.eschema('CWEType'))
+    for eschema in eschemas:
+        execschemarql(execute, eschema, eschema2rql(eschema, groupmap))
+        if pb is not None:
+            pb.update()
+    # serialize constraint types
     rql = 'INSERT CWConstraintType X: X name %(ct)s'
     for cstrtype in CONSTRAINTS:
-        if verbose:
-            print rql
         execute(rql, {'ct': unicode(cstrtype)}, build_descr=False)
         if pb is not None:
             pb.update()
-    groupmap = group_mapping(cursor, interactive=False)
-    for ertype in aller:
-        # skip eid and has_text relations
-        if ertype in VIRTUAL_RTYPES:
+    # serialize relations
+    for rschema in schema.relations():
+        # skip virtual relations such as eid, has_text and identity
+        if rschema in VIRTUAL_RTYPES:
             if pb is not None:
                 pb.update()
             continue
         for rql, kwargs in erschema2rql(schema[ertype], groupmap):
-            if verbose:
-                print rql % kwargs
             execute(rql, kwargs, build_descr=False)
         if pb is not None:
             pb.update()
     for rql, kwargs in specialize2rql(schema):
-        if verbose:
-            print rql % kwargs
-        execute(rql, kwargs, build_descr=False)
+        assert execute(rql, kwargs, build_descr=False)
         if pb is not None:
             pb.update()
     if not quiet:
--- a/server/serverconfig.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/server/serverconfig.py	Thu Mar 04 08:48:51 2010 +0100
@@ -185,6 +185,8 @@
     # check user's state at login time
     consider_user_state = True
 
+    # XXX hooks control stuff should probably be on the session, not on the config
+
     # hooks activation configuration
     # all hooks should be activated during normal execution
     disabled_hooks_categories = set()
@@ -232,9 +234,13 @@
 
     @classmethod
     def is_hook_activated(cls, hook):
+        return cls.is_hook_category_activated(hook.category)
+
+    @classmethod
+    def is_hook_category_activated(cls, category):
         if cls.hooks_mode is cls.DENY_ALL:
-            return hook.category in cls.enabled_hooks_categories
-        return hook.category not in cls.disabled_hooks_categories
+            return category in cls.enabled_hooks_categories
+        return category not in cls.disabled_hooks_categories
 
     # should some hooks be deactivated during [pre|post]create script execution
     free_wheel = False
--- a/server/session.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/server/session.py	Thu Mar 04 08:48:51 2010 +0100
@@ -499,7 +499,7 @@
                         operation.handle_event('revert%s_event' % trstate)
                     # XXX use slice notation since self.pending_operations is a
                     # read-only property.
-                    self.pending_operations[:] = processed + self.pending_operations 
+                    self.pending_operations[:] = processed + self.pending_operations
                     self.rollback(reset_pool)
                     raise
             self.pool.commit()
--- a/server/test/unittest_querier.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/server/test/unittest_querier.py	Thu Mar 04 08:48:51 2010 +0100
@@ -257,7 +257,7 @@
         result, descr = rset.rows, rset.description
         self.assertEquals(descr[0][0], 'String')
         self.assertEquals(descr[0][1], 'Int')
-        self.assertEquals(result[0][0], 'RQLExpression') # XXX may change as schema evolve
+        self.assertEquals(result[0][0], 'CWRelation') # XXX may change as schema evolve
 
     def test_select_groupby_orderby(self):
         rset = self.execute('Any N GROUPBY N ORDERBY N WHERE X is CWGroup, X name N')
@@ -862,6 +862,14 @@
         self.assert_(rset.rows)
         self.assertEquals(rset.description, [('Personne', 'Societe',)])
 
+    def test_insert_5bis(self):
+        peid = self.execute("INSERT Personne X: X nom 'bidule'")[0][0]
+        self.execute("INSERT Societe Y: Y nom 'toto', X travaille Y WHERE X eid %(x)s",
+                     {'x': peid}, 'x')
+        rset = self.execute('Any X, Y WHERE X nom "bidule", Y nom "toto", X travaille Y')
+        self.assert_(rset.rows)
+        self.assertEquals(rset.description, [('Personne', 'Societe',)])
+
     def test_insert_6(self):
         self.execute("INSERT Personne X, Societe Y: X nom 'bidule', Y nom 'toto', X travaille Y")
         rset = self.execute('Any X, Y WHERE X nom "bidule", Y nom "toto", X travaille Y')
--- a/server/test/unittest_security.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/server/test/unittest_security.py	Thu Mar 04 08:48:51 2010 +0100
@@ -257,6 +257,26 @@
         self.assertEquals(rset.rows, [[aff2]])
         rset = cu.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2}, 'x')
         self.assertEquals(rset.rows, [])
+        # test can't update an attribute of an entity that can't be readen
+        self.assertRaises(Unauthorized, cu.execute, 'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid}, 'x')
+
+
+    def test_entity_created_in_transaction(self):
+        affschema = self.schema['Affaire']
+        origperms = affschema.permissions['read']
+        affschema.set_action_permissions('read', affschema.permissions['add'])
+        try:
+            cnx = self.login('iaminusersgrouponly')
+            cu = cnx.cursor()
+            aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
+            # entity created in transaction are readable *by eid*
+            self.failUnless(cu.execute('Any X WHERE X eid %(x)s', {'x':aff2}, 'x'))
+            # XXX would be nice if it worked
+            rset = cu.execute("Affaire X WHERE X sujet 'cool'")
+            self.assertEquals(len(rset), 0)
+        finally:
+            affschema.set_action_permissions('read', origperms)
+            cnx.close()
 
     def test_read_erqlexpr_has_text1(self):
         aff1 = self.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
--- a/web/test/unittest_views_editforms.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/web/test/unittest_views_editforms.py	Thu Mar 04 08:48:51 2010 +0100
@@ -43,13 +43,11 @@
                            ('firstname', 'subject'),
                            ('surname', 'subject'),
                            ('in_group', 'subject'),
-                           ('eid', 'subject'),
                            ])
         self.assertListEquals(rbc(e, 'muledit', 'attributes'),
                               [('login', 'subject'),
                                ('upassword', 'subject'),
                                ('in_group', 'subject'),
-                               ('eid', 'subject'),
                                ])
         self.assertListEquals(rbc(e, 'main', 'metadata'),
                               [('last_login_time', 'subject'),
@@ -76,13 +74,10 @@
         # owned_by is defined both as subject and object relations on CWUser
         self.assertListEquals(sorted(x for x in rbc(e, 'main', 'hidden')
                                      if x != ('tags', 'object')),
-                              sorted([('has_text', 'subject'),
-                                      ('identity', 'subject'),
-                                      ('for_user', 'object'),
+                              sorted([('for_user', 'object'),
                                       ('created_by', 'object'),
                                       ('wf_info_for', 'object'),
                                       ('owned_by', 'object'),
-                                      ('identity', 'object'),
                                       ]))
 
     def test_inlined_view(self):
@@ -106,11 +101,9 @@
                                ('test', 'subject'),
                                ('description', 'subject'),
                                ('salary', 'subject'),
-                               ('eid', 'subject')
                                ])
         self.assertListEquals(rbc(e, 'muledit', 'attributes'),
                               [('nom', 'subject'),
-                               ('eid', 'subject')
                                ])
         self.assertListEquals(rbc(e, 'main', 'metadata'),
                               [('creation_date', 'subject'),
@@ -124,10 +117,7 @@
                                ('connait', 'object')
                                ])
         self.assertListEquals(rbc(e, 'main', 'hidden'),
-                              [('has_text', 'subject'),
-                               ('identity', 'subject'),
-                               ('identity', 'object'),
-                               ])
+                              [])
 
     def test_edition_form(self):
         rset = self.execute('CWUser X LIMIT 1')
--- a/web/views/autoform.py	Wed Mar 03 14:06:05 2010 +0100
+++ b/web/views/autoform.py	Thu Mar 04 08:48:51 2010 +0100
@@ -661,7 +661,7 @@
             return []
         # XXX we should simply put eid in the generated section, no?
         return [(rtype, role) for rtype, _, role in self._relations_by_section(
-            'attributes', 'update', strict) if rtype != 'eid']
+            'attributes', 'update', strict)]
 
     def editable_relations(self):
         """return a sorted list of (relation's label, relation'schema, role) for