[Cubicweb] RRQLExpression and ERQLExpression

Sylvain Thénault sylvain.thenault at logilab.fr
Tue Apr 15 18:02:15 CEST 2014


On 15 April 17:44, Jinpeng Li wrote:
> On Tue, Apr 15, 2014 at 4:35 PM, Sylvain Thénault <
> sylvain.thenault at logilab.fr> wrote:
> 
> > On 15 April 16:02, mr.li.jinpeng at gmail.com wrote:
> > > On 04/15/2014 03:23 PM, Sylvain Thénault wrote:
> > > >On 15 April 14:26, Jinpeng Li wrote:
> > > >your case #1 should be the right way to do this.
> > > >
> > > >>1: Study.name doesn't inherit permissions from Study
> > > >there is the problem. Which cubicweb/yams version are you using?
> > > >What's the result of `schema['Study'].rdef('name').permissions`?
> > > This is from case #1:
> > >
> > > # cubicweb-ctl shell test_permission
> > >
> > > >>> import cubicweb
> > > >>> print cubicweb.__version__
> > > 3.18.4
> > > >>> import yams
> > > >>> print(yams.__version__)
> > > 0.39.1
> > > >>> print(schema['Study'].rdef('name').permissions)
> > > {'read': (u'managers', u'users', u'guests'), 'add': (u'managers',
> > > ERQLExpression(Any X WHERE U has_add_permission X, X eid %(x)s, U
> > > eid %(u)s)), 'update': (u'managers', ERQLExpression(Any X WHERE U
> > > has_update_permission X, X eid %(x)s, U eid %(u)s))}
> >
> > I get it: the problem is that all users should be in the 'users' group,
> > else you get into such weirdness. There is currently some thinking about
> > that, but until a better day you'll need this. Take a look at the above
> > (default) attribute permissions, this is quite instructive.
> >
> 
> Good, it works well for the user "m_user" when I added "m_user" into the
> "users" group. I can read Study.name now.
> 
> However, it leads to another issue by default. I can sniff other
> information, for example all the logins and emails:
> 
> >>> rql = "Any LG where X is CWUser, X login LG"
> >>> cursor.execute(rql)
> <resultset 'Any LG where X is CWUser, X login LG' (3 rows):
> [u'admin'] (('String',))
> [u'm_user'] (('String',))
> [u'm_user2'] (('String',))>
> >>> rql = "Any LG, E where X is CWUser, X login LG, X use_email E"
> >>> cursor.execute(rql)
> <resultset 'Any LG, E where X is CWUser, X login LG, X use_email E' (1
> rows): [u'm_user', 771] (('String', 'EmailAddress'))>
> 
> I can read a lot of other information from the system. From this point, I
> don't know if it is a good idea that "all users should be in the 'users'
> group".

It is the default setting to allow users to see other users' information. You
may want to change that, or to change the default attribute permissions.
-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (05.62.17.16.42)
Python, Debian, Agile methods training: http://www.logilab.fr/formations
Custom software development:            http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org
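Added example (not CubicWeb's, Logilab's or the poster's code): what "change that" can look like in a cube's schema.py, so that a member of the 'users' group can still read Study.name but can no longer enumerate every CWUser login with the query shown above. It assumes the stock CWUser entity type, the default 'managers' / 'users' / 'guests' groups, CubicWeb's post_build_callback hook in schema.py, and the ERQLExpression / set_action_permissions APIs; the policy itself (managers see everyone, everyone else sees only their own account) is this example's choice. The audit helper and its injected-class signature are also this example's, not a CubicWeb API.

```python
# Example cube schema.py (added to this thread; not CubicWeb's own code).
# Assumed: stock CWUser, default groups 'managers'/'users'/'guests',
# CubicWeb's post_build_callback hook, ERQLExpression and
# set_action_permissions from cubicweb/yams. Policy is this example's choice.


def restricted_cwuser_permissions(erql):
    """Return a permissions dict for CWUser in which only managers may list
    accounts; any other user matches only their own row.

    `erql` is the ERQLExpression class, passed in so the policy can be built
    (and checked) without a running instance. In an ERQLExpression, X is the
    entity being checked and U the requesting user, so 'X identity U' holds
    only when the CWUser row *is* the requesting user.
    """
    own_account = erql('X identity U')
    return {
        'read':   ('managers', own_account),
        'add':    ('managers',),
        'update': ('managers', own_account),
        'delete': ('managers',),
    }


def world_readable_etypes(schema, groups=('users', 'guests')):
    """Audit helper (this example's, not a CubicWeb API): names of non-final
    entity types whose 'read' permission still lists one of `groups` as a bare
    group name, i.e. readable with no RQL condition attached. Run it in
    `cubicweb-ctl shell <instance>` to see what a freshly added 'users' member
    can enumerate, as the poster did above with CWUser.
    """
    text_types = (str, type(u''))  # str on Python 3, str + unicode on Python 2
    exposed = []
    for etype in schema.entities():
        if getattr(etype, 'final', False):  # String, Int, ... hold no rows of their own
            continue
        read = etype.permissions.get('read', ())
        # ERQLExpression entries are not strings, so only bare group names count
        bare_groups = [perm for perm in read if isinstance(perm, text_types)]
        if any(group in bare_groups for group in groups):
            exposed.append(etype.type)
    return sorted(exposed)


def post_build_callback(schema):
    """CubicWeb calls a function of this name from a cube's schema.py once the
    whole application schema is built; that is the place to override the
    default permissions of types defined elsewhere, here CWUser.
    """
    from cubicweb.schema import ERQLExpression  # only resolvable inside an instance

    cwuser = schema['CWUser']
    for action, permissions in restricted_cwuser_permissions(ERQLExpression).items():
        cwuser.set_action_permissions(action, permissions)
```

After restarting the instance, re-run `Any LG WHERE X is CWUser, X login LG` as m_user: the result set should contain m_user's own login only, while the same query as admin still lists everyone. Two caveats a practitioner should expect: anything in the UI that lists users (for instance widgets for relations pointing at CWUser) will show non-managers only themselves, and the second query in the thread also depends on the permissions of the use_email relation and of the EmailAddress entity type, which this example leaves at their defaults; `world_readable_etypes(schema)` in the shell is the quick way to see what else is still open to every user.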
