[Cubicweb] Dynamic security permission

Sylvain Thénault sylvain.thenault at logilab.fr
Thu Sep 19 07:34:06 CEST 2013

On 18 September 16:08, Lourdes Campos wrote:
> Hi List,

> I am Lourdes Campos, from Mexico.
> We are using CubicWeb (introduced by CreaLibre) for an internal project at
> my Company.

Great! Welcome to the list.

> I'm trying to define dynamic security permission, so that users can create
> a relation only if they can Update the current entity AND Read the other
> one, regardless of which one is the Subject or Object in the relation.
> So far, I have this in the permission definition:
> RRQLExpression('U has_update_permission S')
> but it assumes that I'm Updating the S (not the Object).
> How could I make this work, leaving roles aside? Thanks for your time.

I'm not sure I understand your question. You don't have anything to do to check
the 'read' permission (if you can't read an entity, you'll have no way to add a
relation from/to it). If you want update permission either on the subject or the
object, you can use several expressions, e.g.:

 'add': ('managers', RRQLExpression('U has_update_permission S'),
         RRQLExpression('U has_update_permission O')),

Does that help?
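
Added example, not part of the original message and not CubicWeb code: a plain-Python model of the 'add' rule discussed above, comparing the single-expression rule from the question with the two-expression rule from the reply. The users, entities, rights tables and function names are constructed for illustration; the two plain functions stand in for the RRQLExpression items.

```python
# Model only: no CubicWeb import. All data below is constructed sample data.
READ = {"alice": {"doc1", "doc2"}, "bob": {"doc1"}, "root": {"doc1", "doc2"}}
UPDATE = {"alice": {"doc2"}, "bob": {"doc1"}, "root": set()}
GROUPS = {"alice": {"users"}, "bob": {"users"}, "root": {"managers"}}


def update_on_subject(user, subj, obj):
    """Stand-in for RRQLExpression('U has_update_permission S')."""
    return subj in UPDATE.get(user, set())


def update_on_object(user, subj, obj):
    """Stand-in for RRQLExpression('U has_update_permission O')."""
    return obj in UPDATE.get(user, set())


# Rule from the question: update right is only ever checked on the subject.
ASKER_RULE = ("managers", update_on_subject)
# Rule from the reply: update right on either end of the relation is enough.
REPLY_RULE = ("managers", update_on_subject, update_on_object)


def can_add_relation(rule, user, subj, obj):
    """Decide whether `user` may add the relation subj -> obj under `rule`."""
    # Implicit read check: an entity the user cannot read cannot be linked.
    if not {subj, obj} <= READ.get(user, set()):
        return False
    # Items of the tuple are alternatives: one matching group or expression
    # grants the permission.
    for item in rule:
        if isinstance(item, str):
            if item in GROUPS.get(user, set()):
                return True
        elif item(user, subj, obj):
            return True
    return False


if __name__ == "__main__":
    for name, rule in (("asker", ASKER_RULE), ("reply", REPLY_RULE)):
        # alice can update only doc2, which is the object of doc1 -> doc2
        print(name, can_add_relation(rule, "alice", "doc1", "doc2"))
```

Because the items are alternatives, each extra expression widens who may add the relation, so the unreadable-entity case is the one to check when reviewing such a rule.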
