[PATCH 2 of 2 saem] [security] Update security of the authority record kind relation

Denis Laxalde denis.laxalde at logilab.fr
Fri Apr 14 11:17:10 CEST 2017


Sylvain Thenault a écrit :
> # HG changeset patch
> # User Sylvain Thénault <sylvain.thenault at logilab.fr>
> # Date 1492070281 -7200
> #      Thu Apr 13 09:58:01 2017 +0200
> # Node ID b2dd58f79d6e9b64d0c3a32dfc781bf39de24bef
> # Parent  85e085e85f4a703e597863dbf45a042970050c37
> # Available At http://hg.logilab.org/review/cubes/saem_ref
> #              hg pull http://hg.logilab.org/review/cubes/saem_ref -r b2dd58f79d6e
> [security] Update security of the authority record kind relation
>
> (still named agent_kind for historical reason).
>
> In the eac cube, this relation can't be modified unless its value is 'unknown'.
> Here we want to allow modification provided that the record isn't referenced by
> authority_record relation which add constraint on the kind's value.
>
> To achieve this, update the relation's permission to depends on its subject
> entity's permission, then add a constraint to ensure consistency of
> authority_record wrt kind's value.
>
> Related to #16385734
>
> diff --git a/cubicweb_saem_ref/migration/0.15.1_Any.py b/cubicweb_saem_ref/migration/0.15.1_Any.py
> --- a/cubicweb_saem_ref/migration/0.15.1_Any.py
> +++ b/cubicweb_saem_ref/migration/0.15.1_Any.py
> @@ -1,7 +1,7 @@
>  for ertype in ('generated', 'used', 'associated_with', 'place_address', 'new_version_of',
> -               'authority_record',
> +               'agent_kind', 'authority_record',
>                 'OrganizationUnit', 'Agent', 'ArkNameAssigningAuthority'):
>      sync_schema_props_perms(ertype)
>
>
>  sql("DELETE FROM container_relation WHERE EXISTS("
> diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
> --- a/cubicweb_saem_ref/schema.py
> +++ b/cubicweb_saem_ref/schema.py
> @@ -86,10 +86,26 @@ EmailAddress.remove_relation('alias')
>
>  # Customization of eac schema.
>  make_workflowable(eac.AuthorityRecord)
>  groups_permissions(eac.AuthorityRecord)
>
> +eac.agent_kind.__permissions__ = {
> +    'read': ('managers', 'users', 'guests'),
> +    'add': ('managers', RRQLExpression('U has_update_permission S')),
> +    'delete': ('managers', RRQLExpression('U has_update_permission S')),
> +}
> +eac.agent_kind.constraints = [
> +    RQLConstraint('NOT EXISTS(Z authority_record S)'
> +                  ' OR '
> +                  'EXISTS(A authority_record S, A is Agent, '
> +                  '       O name "person")'
> +                  ' OR '
> +                  'EXISTS(OU authority_record S, OU is IN (Organization, OrganizationUnit), '
> +                  '       O name "authority")',
> +                  msg=_('This record is used by a relation forbidding to change its type')),
> +]
> +

New message -> i18ncube

>
>  # Customization of skos schema.
>  make_workflowable(ConceptScheme)
>  publication_permissions(ConceptScheme)
>



More information about the saem-devel mailing list