[Cubicweb] RRQLExpression and ERQLExpression

Jinpeng Li mr.li.jinpeng at gmail.com
Tue Apr 15 14:26:36 CEST 2014


Hi all,


I have some feedback considering RRQLExpression and ERQLExpression.


# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #

# Goal

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #


I have a simple schema definition as below:


```

class Study(EntityType):

""" The project """

    name = String(required=True, indexed=True, maxsize=256)

```


The goal is that different user groups can have different access right to
this entity data.


For example, I have 3 study entities:


rql = 'Insert Study ST: ST name "MEMENTO"'

session.execute(rql)

rql = 'Insert Study ST: ST name "other1"'

session.execute(rql)

rql = 'Insert Study ST: ST name "other2"'

session.execute(rql)


In addition, I have two user groups ("mementousers", "otherusers"). I only
allow the users from the user group "mementousers" to visit the study with
name "MEMENTO", and vice versa.


It seems it can be accomplished by RRQLExpression and ERQLExpression as the
below url shown:


http://docs.cubicweb.org/devrepo/datamodel/definition.html


RRQLExpression and ERQLExpression are a good solution to solve this
problem. However, I failed to find a solution. If I am wrong, please
correct me.


# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #

# Case 1

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #


I create two relations for the permission in the schema:

```

class can_read(RelationDefinition):

    subject = 'CWGroup'

    object = 'Study'

    cardinality = '**'


class can_modify(RelationDefinition):

    subject = 'CWGroup'

    object = 'Study'

    cardinality = '**'


STUDY_PERMISSIONS = {

'read': ('managers', ERQLExpression('U in_group G, G can_read X')),

'add': ('managers', ERQLExpression('U in_group G, G can_modify X')),

'update': ('managers', ERQLExpression('U in_group G, G can_modify X')),

'delete': ('managers', ERQLExpression('U in_group G, G can_modify X')),

}


Study.__permissions__ = STUDY_PERMISSIONS

```


I create some test data as well:


```

rql = 'Insert Study X: X name "MEMENTO"'

session.execute(rql)

rql = 'Insert Study ST: ST name "other1"'

session.execute(rql)

rql = 'Insert Study ST: ST name "other2"'

session.execute(rql)

rql = 'Insert CWGroup G: G name "mementousers"'

session.execute(rql)

rql = 'Set G can_read ST where G name "mementousers", ST name "MEMENTO"'

session.execute(rql)

```


With web interface, I create a user (login="m_user", password="123456") in
the group "mementousers"  .

Then I try connect the server with the user "m_user". I can search only the
study eid, and fail to search study name.

This example is shown as below:


```

>>> import cubicweb.dbapi

>>> url = "zmqpickle-tcp://127.0.0.1:9093"

>>> cnx = cubicweb.dbapi.connect( url, login="m_user", password="123456" )

>>> cursor = cnx.cursor()
>>> rql = "Any X where X is Study"
>>> ret = cursor.execute(rql) # excellent, I can find eid.
>>> ret.rows
[[765]]
>>> rql = "Any N where X is Study, X name N"
>>> cursor.execute(rql)
cubicweb._exceptions.Unauthorized: remove {'X': 'Study', 'N': 'String'}
from solutions since m_user has no read access to name
```

As shown from this error, I can say that the name has its permission. In
other words, the attribute name doesn't inherit the permission from Study.
I need to add this permission for the name the case 2.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #

# Case 2

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #

I added new permission definitions:

```
RELATION_PERMISSIONS = {
    'read': ('managers', 'guests', RRQLExpression('U in_group G, G can_read
S')),
    'update': ('managers',),
}

Study.get_relation("name").__permissions__ = RELATION_PERMISSIONS
```

I create a new instance with error message:
```
yams._exceptions.BadSchemaDefinition: can't use rql expression for read
permission of attribute Study.name[String]
```

I cannot use rql expression with Study.name[String]. I try ERQLExpression
as well, and I get the same error.

Therefore, I try with usual user groups in Case 3

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #

# Case 3

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #

I move the create user group script to precreate.py

```

rql = 'Insert CWGroup G: G name "mementousers"'

session.execute(rql)
```

I change the permission as below:

```
STUDY_PERMISSIONS = {
    'read': ('managers', 'mementousers'),
    'add': ('managers', ),
    'update': ('managers', ),
    'delete': ('managers', ),
}

Study.__permissions__ = STUDY_PERMISSIONS

RELATION_PERMISSIONS = {
    'read': ('managers', "mementousers"),
    'update': ('managers', )
}

Study.get_relation("name").__permissions__ = RELATION_PERMISSIONS
```

Finally I got the Study.name
```
>>> import cubicweb.dbapi

>>> url = "zmqpickle-tcp://127.0.0.1:9093"

>>> cnx = cubicweb.dbapi.connect( url, login="m_user", password="123456" )

>>> cursor = cnx.cursor()
>>> rql = "Any X where X is Study"
>>> ret = cursor.execute(rql)
>>> ret.rows  # I can visit all the data. It is out of controlled.
[[760], [761], [762]]
>>> rql = "Any N where X is Study, X name N"
>>> ret = cursor.execute(rql)
>>> ret.rows # I can visit all the data. It is out of controlled.
[[u'MEMENTO'], [u'other1'], [u'other2']]
```

It can be controlled by predefined user group with all the data in the
entity Study. However, I cannot implement my goal with each user group only
can visit their own data.

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #
# Conclusion
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # #

1: Study.name doesn't inherit permissions from Study
2: Study.get_relation("name").__permissions__ cannot use neither
RRQLExpression nor ERQLExpression.

Again, please correct me if I am wrong. Thanks in advance if any one has
any solution.

Best,
Jinpeng
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cubicweb.org/pipermail/cubicweb/attachments/20140415/9c1d7ded/attachment-0049.html>


More information about the Cubicweb mailing list