[Cubicweb] attributes security

Sylvain Thénault sylvain.thenault at logilab.fr
Tue Feb 18 12:00:54 CET 2014


Hi there,

I would like to talk about https://www.cubicweb.org/ticket/2932033 and its
associated patch https://www.cubicweb.org/patch/2932373. This has been
introduced in 3.18 by supposing there was no real life example where double
checking attributes was useful, but we've actually found one.

In the "collaboration" cube, a "frozen" attribute is used to tell if one may or
may not modify an entity. When this attribute is modified, it triggers a hook that
will add/remove 'can_read' / 'can_write' relations.

The problem is that when setting frozen to True, the permissions checking now occurs
after the can_write relation has been deleted, hence raises Unauthorized. This
used to work in cubicweb 3.17.

As I proposed in the original ticket, I think we should, similarly to relations,
provide a way to control when attribute permissions are checked. If you agree
with that, we'll want to think about a proper API because the current sets are not
really satisfying... If you've another idea, please let me know.

-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (05.62.17.16.42)
Python, Debian, Agile methods training:  http://www.logilab.fr/formations
Custom software development:             http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org
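The ordering problem described in the mail, as an added toy model in plain Python (not CubicWeb's or the collaboration cube's code): a hook fired on the `frozen` attribute removes the `can_write` relation, and whether the attribute permission check runs before or after that hook decides whether the same legitimate update succeeds or raises Unauthorized. Names such as `set_frozen`, `frozen_hook` and the user set are constructed for the illustration.

```python
# Toy model of attribute permission checking relative to hooks (not CubicWeb code).
class Unauthorized(Exception):
    pass

class Entity:
    def __init__(self, eid):
        self.eid = eid
        self.frozen = False
        self.can_write = set()  # users holding a 'can_write' relation to this entity

def frozen_hook(entity, users, new_value):
    """Hypothetical hook: freezing drops can_write, unfreezing restores it."""
    if new_value:
        entity.can_write.clear()
    else:
        entity.can_write.update(users)

def check_write_permission(entity, user):
    # 'update' permission on the attribute: the user must hold can_write.
    if user not in entity.can_write:
        raise Unauthorized(f"{user} may not write entity {entity.eid}")

def set_frozen(entity, user, value, users, check_after_hooks):
    """check_after_hooks=False: check, then run hooks (the 3.17 behaviour).
    check_after_hooks=True: run hooks, then check (the 3.18 behaviour reported)."""
    if not check_after_hooks:
        check_write_permission(entity, user)
    entity.frozen = value
    frozen_hook(entity, users, value)
    if check_after_hooks:
        check_write_permission(entity, user)
    return entity.frozen

def demo():
    """Freeze an entity as a user who holds can_write, under both orderings."""
    users = {"alice", "bob"}  # constructed sample users
    results = {}
    for after_hooks in (False, True):
        e = Entity(eid=1)
        e.can_write.update(users)
        try:
            set_frozen(e, "alice", True, users, check_after_hooks=after_hooks)
            results[after_hooks] = "ok"
        except Unauthorized:
            results[after_hooks] = "Unauthorized"
    return results
```

Running `demo()` shows the check-before-hooks ordering accepting the update and the check-after-hooks ordering rejecting it, which is exactly why the mail asks for control over when attribute permissions are checked.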
