[Cubicweb] ERQLExpression for update and delete permissions

Carlos Balderas carlos.balderas at gmail.com
Thu Sep 30 06:18:12 CEST 2010


On Wed, Sep 29, 2010 at 4:50 AM, Sylvain Thénault <sylvain.thenault at logilab.fr> wrote:

> On 28 September 23:21, Carlos Balderas wrote:
> > Syt, I am sending you the cube with some tests you can run, but I think I
> > found where most of the time is being consumed.
> >
> > It seems to be at the moment of calling "publish" method in class
> > ViewController (cubicweb/web/views/basecontrollers.py)
> >
> > to be more precise, at the moment of executing line 122
> >
> > return self._cw.vreg['views'].main_template(self._cw, template,
> >                                                 rset=rset, view=view)
> >
> > I went tracking until I got to this point, and more than 8 seconds are
> > spent here. (for my tests)
>
> well, this is the main ui entry point, all the html is generated beyond
> this point.
>
> > I am sorry for not going beyond this point, I got a little lost here
> > since I am just starting to understand a little this part of cubicweb.
> >
> > I think the ERQLExpression might be causing several validations here in
> > some way that makes it time consuming, not that I can be sure, but if I
> > use a normal users group like 'users', 'managers', etc. to assign: read,
> > update, add, delete permissions, cw displays all results very fast.
>
> a quick test using your cube showed me that the problem lies in permission
> checking done for action of the 'actions' box: each entity in the result
> set is checked to see if the user has the 'update' and 'delete' permission
> on it (for respectively the 'modify' and 'delete' actions). I'm afraid we
> can't do that much about it. The proper solution would probably be to
> have an api to test if a permission is granted on a whole rset, instead of
> processing entities one by one. Would you add a ticket for this?
>

Ticket #1262362

>
> Now notice this only occurs because your *main* rset has 2000 entities, with
> one rql expr for update/delete, and the user has no group permission. One quick
> fix would be to modify selector of the modify and delete actions so they
> simply return 0 if the rset is greater than, say, 100 entities.
>

Yes, the security model for this application needed dynamic permissions,
which is a great cubicweb feature by the way.

I will check your suggested solution, thank you.

Carlos Balderas


>
> --
> Sylvain Thénault                               LOGILAB, Paris (France)
> Python, Debian, Agile methods training:  http://www.logilab.fr/formations
> Custom software development:             http://www.logilab.fr/services
> CubicWeb, the semantic web framework:    http://www.cubicweb.org
>
>
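
A model of the trade-off discussed in this thread, added here as an example and not CubicWeb code: an SQLite table stands in for the repository, a constructed `owner` column stands in for the ERQLExpression, and every function name is hypothetical. It contrasts the per-entity permission check with a single set-based check over the whole rset, and with the size-cap quick fix.

```python
import sqlite3

MAX_RSET = 100  # threshold taken from the thread's "say, 100 entities"

def build_db(n, owner="carlos", foreign=()):
    """Constructed data: n entities owned by `owner`, except eids in `foreign`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entity (eid INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO entity VALUES (?, ?)",
                     [(i, "other" if i in foreign else owner) for i in range(n)])
    return conn

def check_per_entity(conn, eids, user):
    """One permission query per entity in the rset (the slow path in the thread)."""
    queries = 0
    for eid in eids:
        queries += 1
        row = conn.execute("SELECT 1 FROM entity WHERE eid = ? AND owner = ?",
                           (eid, user)).fetchone()
        if row is None:
            return False, queries
    return True, queries

def check_whole_rset(conn, eids, user):
    """One set-based permission query over the whole rset.

    Fails closed: an eid with no matching entity counts as denied.
    """
    conn.execute("CREATE TEMP TABLE rset (eid INTEGER PRIMARY KEY)")
    conn.executemany("INSERT INTO rset VALUES (?)", [(e,) for e in eids])
    denied = conn.execute(
        "SELECT COUNT(*) FROM rset LEFT JOIN entity USING (eid) "
        "WHERE owner IS NOT ?", (user,)).fetchone()[0]
    conn.execute("DROP TABLE rset")
    return denied == 0, 1

def action_score(conn, eids, user, max_rset=MAX_RSET):
    """Quick fix: score 0 for large rsets, otherwise check entity by entity."""
    if len(eids) > max_rset:
        return 0
    granted, _ = check_per_entity(conn, eids, user)
    return 1 if granted else 0
```
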