[Cubicweb] How to customize permissions on relations ?
Sylvain Thénault
sylvain.thenault at logilab.fr
Tue Jan 7 15:14:12 CET 2014
On 07 January 14:54, Yann Cointepas wrote:
> I am trying to define permissions for all entities and relations used in a
> cube. At the end of schema.py of my cube I import all the
> entities/relations I use and call set_permissions on them. It works for
> entities but on relations, Cubicweb complains:
>
> yams._exceptions.BadSchemaDefinition: conflicting values {'read':
> ('managers', 'users'), 'add': ('managers', RRQLExpression(Any S,U WHERE S
> belong_to ST, U can_modify ST, S eid %(s)s, U eid %(u)s)), 'delete':
> ('managers', RRQLExpression(Any S,U WHERE S belong_to ST, U can_modify ST,
> S eid %(s)s, U eid %(u)s))}/{'read': ('managers', 'users', 'guests'),
> 'add': ('managers', 'users'), 'delete': ('managers', RRQLExpression(Any S,U
> WHERE S owned_by U, S eid %(s)s, U eid %(u)s))} for property
> __permissions__ of relation 'comments'
>
>
> The "comments" relation has the following definition (in
> cubicweb-brainomics):
>
> class comments(RelationDefinition):
>     subject = 'Comment'
>     object = COMMENTED_ENTITIES
>
>
> I am trying to set the following permissions:
>
> RELATION_PERMISSIONS = {
>     'read': ('managers', 'users'),
>     'add': ('managers', RRQLExpression('S belong_to ST, U can_modify ST')),
>     'delete': ('managers', RRQLExpression('S belong_to ST, U can_modify ST')),
> }
>
> Any help is welcome,

This is because the comment cube is defining permissions of the 'comments'
relation on the relation **type** (notably because relation *definitions* are
not known at this point).

To sum up:

* a relation definition, or qualified relation, is a 3-tuple
  (subject, relation type, object)
* properties that are held by the relation type: symmetric, inlined,
  fulltext_container (, final)
* others are held by the relation definition (cardinality, composite, permissions,
  etc.), even if things are a little bit fuzzy in case of e.g. cardinality.
* when you define your schema, you've got two base classes, RelationType and
  RelationDefinition; every relation definition property defined on the
  RelationType means "every relation definition of this type will have this
  value for this property"

hence your crash. QED :/

Now, there has been discussion recently on changing this enforcing behaviour to
something more like a default value. Maybe it's time to take a decision on this.

--
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (05.62.17.16.42)
Python, Debian, Agile methods training: http://www.logilab.fr/formations
Custom software development: http://www.logilab.fr/services
CubicWeb, the semantic web framework: http://www.cubicweb.org
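
Added example (not part of the original message, and not yams or CubicWeb code): a simplified Python model of the rule described above, where a property set on a relation type is enforced on every relation definition, next to the default-value alternative mentioned at the end of the message. build_rdef(), its enforce flag and the string form of the RQL expressions are assumptions; the permission values are transcribed from the error message.

```python
# Simplified model of the rule described in the message above.
# This is NOT yams/CubicWeb code: build_rdef() and its `enforce` flag are
# hypothetical, and RQL expressions are represented as plain strings.

class BadSchemaDefinition(Exception):
    pass

# Properties held by the relation type itself (listed in the message).
RTYPE_ONLY = {'symmetric', 'inlined', 'fulltext_container'}

def build_rdef(rtype_props, rdef_props, enforce=True):
    """Combine relation-type properties with one relation definition.

    enforce=True:  a value set on the type is mandatory for every definition.
    enforce=False: it is only a default that the definition may override.
    """
    merged = dict(rdef_props)
    for name, value in rtype_props.items():
        if name in RTYPE_ONLY:
            continue  # stays on the type, never copied to a definition
        if name in merged and merged[name] != value:
            if enforce:
                raise BadSchemaDefinition(
                    'conflicting values %r/%r for property %s'
                    % (merged[name], value, name))
            continue  # default mode: the definition's own value wins
        merged[name] = value
    return merged

# Constructed sample data: permissions transcribed from the error message on
# this page; the 'symmetric' value is made up for the illustration.
TYPE_LEVEL = {'symmetric': False, '__permissions__': {
    'read': ('managers', 'users', 'guests'),
    'add': ('managers', 'users'),
    'delete': ('managers', 'RQL: S owned_by U')}}
CUBE_RDEF = {'subject': 'Comment', '__permissions__': {
    'read': ('managers', 'users'),
    'add': ('managers', 'RQL: S belong_to ST, U can_modify ST'),
    'delete': ('managers', 'RQL: S belong_to ST, U can_modify ST')}}

def demo():
    try:
        build_rdef(TYPE_LEVEL, CUBE_RDEF)  # enforcing behaviour
        outcome = 'accepted'
    except BadSchemaDefinition as exc:
        outcome = 'rejected: %s' % exc
    relaxed = build_rdef(TYPE_LEVEL, CUBE_RDEF, enforce=False)
    return outcome, relaxed['__permissions__']['read']

if __name__ == '__main__':
    print(demo())
```

In the enforcing mode the stricter 'read' tuple is rejected outright; in the default-value mode it silently replaces the type-level one, so the effective permissions of each relation definition have to be reviewed individually.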