[Cubicweb] RRQLExpression and ERQLExpression

Jinpeng Li mr.li.jinpeng at gmail.com
Tue Apr 15 17:44:35 CEST 2014


On Tue, Apr 15, 2014 at 4:35 PM, Sylvain Thénault <
sylvain.thenault at logilab.fr> wrote:

> On 15 April 16:02, mr.li.jinpeng at gmail.com wrote:
> > On 04/15/2014 03:23 PM, Sylvain Thénault wrote:
> > >On 15 April 14:26, Jinpeng Li wrote:
> > >your case #1 should be the right way to do this.
> > >
> > >>1: Study.name doesn't inherit permissions from Study
> > >there is the problem. Which cubicweb/yams version are you using?
> > >What's the result of `schema['Study'].rdef('name').permissions`?
> > This is from case #1:
> >
> > # cubicweb-ctl shell test_permission
> >
> > >>> import cubicweb
> > >>> print cubicweb.__version__
> > 3.18.4
> > >>> import yams
> > >>> print(yams.__version__)
> > 0.39.1
> > >>> print(schema['Study'].rdef('name').permissions)
> > {'read': (u'managers', u'users', u'guests'), 'add': (u'managers',
> > ERQLExpression(Any X WHERE U has_add_permission X, X eid %(x)s, U
> > eid %(u)s)), 'update': (u'managers', ERQLExpression(Any X WHERE U
> > has_update_permission X, X eid %(x)s, U eid %(u)s))}
>
> I get it: the problem is that all users should be in the 'users' group,
> else you go into such weirdness. There is currently some thinking about
> that, but until a better day you'll need this. Take a look at the above
> (default) attribute permissions, this is quite instructive.
>

Good, it works well for the user "m_user" when I added "m_user" into
the "users" group. I can read Study.name now.

However, it leads to another issue by default. I can sniff other
information, for example all the logins, and emails:

>>> rql = "Any LG where X is CWUser, X login LG"
>>> cursor.execute(rql)
<resultset 'Any LG where X is CWUser, X login LG' (3 rows):
[u'admin'] (('String',))
[u'm_user'] (('String',))
[u'm_user2'] (('String',))>
>>> rql = "Any LG, E where X is CWUser, X login LG, X use_email E"
>>> cursor.execute(rql)
<resultset 'Any LG, E where X is CWUser, X login LG, X use_email E' (1
rows): [u'm_user', 771] (('String', 'EmailAddress'))>

I can read a lot of other information from the system. From this point, I
don't know if it is a good idea that "all users should be in the 'users'
group".


> > >>2: Study.get_relation("name").__permissions__ cannot use neither
> > >>RRQLExpression nor ERQLExpression.
> > >to precise things a bit:
> > >
> > >* attribute permissions should use ERQLExpression, RRQLExpression is
> > >   for (non final) relations only
> > >
> > >* you can't use rql expression in 'read' permissions for both
> > >   attributes and relations
> > Therefore how could I visit these attributes under those permission
> > control? I think that it is linked to the first question.
>
> the idea wrt attribute read permissions is to grant them to anybody (eg
> 'managers', 'users' and 'guests' groups), so it will rely on their
> entity's read permissions. For 'update'/'add' permissions, a similar
> achievement is done using the special 'has_update_permission' and
> 'has_add_permission' relations.
>

OK.


>
> --
> Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse
> (05.62.17.16.42)
> Python, Debian, Agile methods training:  http://www.logilab.fr/formations
> Custom software development:             http://www.logilab.fr/services
> CubicWeb, the semantic web framework:    http://www.cubicweb.org
>


Jinpeng
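
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not CubicWeb code: a simplified Python model in which an attribute is readable only when both its group-only 'read' permission and its entity's 'read' permission pass. The permission tables, the helper names and the sample users are constructed assumptions that mirror what the thread reports.

```python
# Simplified model of the read checks discussed in this thread; not CubicWeb code.
ALL_GROUPS = ("managers", "users", "guests")

# Constructed entity-level 'read' permissions. Callables stand in for
# ERQLExpression conditions evaluated against (user, entity).
ENTITY_READ = {
    "Study": ("managers", lambda u, e: u["login"] in e["readers"]),
    "CWUser": ("managers", "users", lambda u, e: u["login"] == e["login"]),
}
# Attribute-level 'read' permissions: group names only.
ATTR_READ = {("Study", "name"): ALL_GROUPS, ("CWUser", "login"): ALL_GROUPS}


def granted(perms, user, entity):
    """True if any group or expression in perms matches the user."""
    for perm in perms:
        if callable(perm):
            if perm(user, entity):
                return True
        elif perm in user["groups"]:
            return True
    return False


def can_read_attr(user, etype, attr, entity):
    """Assumed rule: attribute group check AND entity read check must both pass."""
    attr_perms = ATTR_READ[(etype, attr)]
    if any(callable(p) for p in attr_perms):
        raise ValueError("attribute 'read' permissions may list groups only")
    return granted(attr_perms, user, entity) and granted(ENTITY_READ[etype], user, entity)


def types_opened_by(group):
    """Entity types readable by every member of group, whatever the instance."""
    return sorted(t for t, perms in ENTITY_READ.items() if group in perms)


# Constructed sample data.
study = {"readers": {"m_user"}}
admin_account = {"login": "admin"}
no_group = {"login": "m_user", "groups": set()}
in_users = {"login": "m_user", "groups": {"users"}}

if __name__ == "__main__":
    print(can_read_attr(no_group, "Study", "name", study))            # blocked at attribute level
    print(can_read_attr(in_users, "Study", "name", study))            # readable once in 'users'
    print(can_read_attr(in_users, "CWUser", "login", admin_account))  # side effect on CWUser
    print(types_opened_by("users"))                                   # types to review
```

Running types_opened_by("users") against a real schema's entity permissions is the review step before adding every account to the 'users' group: each type it lists needs its 'read' permission narrowed if group-wide visibility is not intended.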