[Cubicweb] How to customize permissions on relations?

Yann Cointepas yann at cointepas.net
Tue Jan 7 15:32:59 CET 2014


If I have access to the RelationDefinition derived class, can I reach the
RelationType and modify the permission there?

I will not use comment in my cube, I could just skip it. But I cannot use
try/catch in schema.py because the error is raised later (unless I am
wrong). Can I detect relation definitions with permissions customized on
the relation type?

Before posting my question, I searched the internet with the error message and
found a piece of code (not working) where set_permissions had a reset=True
parameter. Could it be a solution to allow a user to say: "I really want
to override permissions"?

Yann Cointepas            Tel: +33 1 69 08 78 31
CEA - Neurospin           Fax: +33 1 69 08 79 80
Bâtiment 145, Point Courrier 156
91191 Gif-sur-Yvette cedex, France


On Tue, Jan 7, 2014 at 3:16 PM, Aurélien Campéas <
aurelien.campeas at logilab.fr> wrote:

> Hello,
>
> On 07/01/2014 14:54, Yann Cointepas wrote:
> > I am trying to define permissions for all entities and relations used in
> > a cube. At the end of schema.py of my cube I import all the
> > entities/relations I use and call set_permissions on them. It works for
> > entities but on relations, Cubicweb complains:
> >
> > yams._exceptions.BadSchemaDefinition: conflicting values {'read':
> > ('managers', 'users'), 'add': ('managers', RRQLExpression(Any S,U WHERE
> > S belong_to ST, U can_modify ST, S eid %(s)s, U eid %(u)s)), 'delete':
> > ('managers', RRQLExpression(Any S,U WHERE S belong_to ST, U can_modify
> > ST, S eid %(s)s, U eid %(u)s))}/{'read': ('managers', 'users',
> > 'guests'), 'add': ('managers', 'users'), 'delete': ('managers',
> > RRQLExpression(Any S,U WHERE S owned_by U, S eid %(s)s, U eid %(u)s))}
> > for property __permissions__ of relation 'comments'
> >
> >
> > The "comments" relation has the following definition (in
> > cubicweb-brainomics):
> >
> > class comments(RelationDefinition):
> >     subject = 'Comment'
> >     object = COMMENTED_ENTITIES
> >
> >
> > I am trying to set the following permissions:
> >
> > RELATION_PERMISSIONS = {
> >   'read':   ( 'managers', 'users' ),
> >   'add':    ( 'managers', RRQLExpression( 'S belong_to ST, U can_modify ST' ) ),
> >   'delete': ( 'managers', RRQLExpression( 'S belong_to ST, U can_modify ST' ) )
> > }
> >
> >
>
> This is because of a "bug" (or at least a controversial feature) where
> defining permissions on a RelationType forbids refining permissions
> on RelationDefinitions.
>
> Unfortunately, the comment cube does the following::
>
>  class comments(RelationType):
>      __permissions__ = {
>          'read':   ('managers', 'users', 'guests'),
>          'add':    ('managers', 'users',),
>          'delete': ('managers', RRQLExpression('S owned_by U'),),
>          }
>
> Hence the yams exception.
>
> I'm all for a definitive fix for this in yams.
>
> Regards,
> Aurélien.
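As an added illustration, not part of the thread and not yams or CubicWeb code, the following sketch models the conflict discussed above: it compares the permissions declared at relation-type level with those requested at relation-definition level and reports, per action, where they differ. The `RRQLExpression` class, the function name and the `belong_to` entry are hypothetical stand-ins; the `comments` values are copied from the two declarations quoted in the messages.

```python
# Stand-in model: none of these classes are yams or CubicWeb objects.
class RRQLExpression:
    """Hypothetical stand-in that compares by its RQL text."""
    def __init__(self, expression):
        self.expression = expression
    def __eq__(self, other):
        return isinstance(other, RRQLExpression) and self.expression == other.expression
    def __hash__(self):
        return hash(self.expression)
    def __repr__(self):
        return "RRQLExpression(%r)" % self.expression

ACTIONS = ("read", "add", "delete")

def find_permission_conflicts(rtype_perms, rdef_perms):
    """Return {relation: {action: (type_level, definition_level)}} for every
    relation whose type-level and definition-level permissions differ."""
    conflicts = {}
    for name, wanted in rdef_perms.items():
        inherited = rtype_perms.get(name)
        if inherited is None or inherited == wanted:
            continue  # nothing set on the relation type, or identical values
        conflicts[name] = {
            action: (inherited.get(action), wanted.get(action))
            for action in ACTIONS
            if inherited.get(action) != wanted.get(action)
        }
    return conflicts

# Constructed sample input built from the declarations quoted in the thread.
RTYPE_PERMS = {
    "comments": {
        "read": ("managers", "users", "guests"),
        "add": ("managers", "users"),
        "delete": ("managers", RRQLExpression("S owned_by U")),
    },
}
refined = RRQLExpression("S belong_to ST, U can_modify ST")
RDEF_PERMS = {
    "comments": {"read": ("managers", "users"),
                 "add": ("managers", refined),
                 "delete": ("managers", refined)},
    "belong_to": {"read": ("managers", "users")},  # hypothetical: no type-level permissions
}

if __name__ == "__main__":
    for rel, diff in find_permission_conflicts(RTYPE_PERMS, RDEF_PERMS).items():
        for action, (old, new) in diff.items():
            print("%s.%s: relation type grants %r, definition wants %r" % (rel, action, old, new))
```

Running such a comparison over the declarations before the schema is loaded shows which actions remain governed by the broader type-level values, here `guests` read access and `users` add access on `comments`.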