[Cubicweb] Delicate permissions

Stéphane Bugat stephane.bugat at free.fr
Wed Sep 19 12:32:08 CEST 2012


> I would try to run the ERQLExpression query on a cw shell to make
> sure it returns something:
> 
>  >>> rql('Any X WHERE X eid %(email_eid)s, X visibility TRUE, P is_user U, U eid %(the_user)s, P in_contact_with S, S use_email X')

Already tried it as an RQL request in the search box of the site: it returns an empty rset. Just tried it in a cw shell: it also returns an empty rset. You were right!

> > Is there any specific permission either on in_contact_with or
> > use_email ?
> 
> That's a good point: you should check all permissions in the chain
> (e.g. the relations above and Person).

Hum. 'is_user' has the default relation permissions. However, 'in_contact_with' has some specific permissions::

    from cubicweb.schema import RRQLExpression

    # permissions on the 'in_contact_with' relation
    __permissions__ = {
        'read': ('managers', 'users'),
        'add': ('managers',),
        # a user may delete the relation only when he is on one of its ends
        'delete': ('managers', RRQLExpression('S is_user U OR O is_user U')),
    }

The 'add' restriction to 'managers' comes from the fact that I wanted a user not to be able to directly set a relation with a given person. He can only send a demand workflow to the recipient person, and there is a hook that creates the relation once the demand is accepted by the recipient...
However, this is about the 'add' operation, not the 'read' operation, which is not limited until now...
