[PATCH saem] [security] Fix permissions for EAC relation entity types

Denis Laxalde denis.laxalde at logilab.fr
Fri Apr 21 18:07:10 CEST 2017


Sylvain Thenault wrote:
> # HG changeset patch
> # User Sylvain Thénault <sylvain.thenault at logilab.fr>
> # Date 1492766455 -7200
> #      Fri Apr 21 11:20:55 2017 +0200
> # Node ID 36fac1f477381b6cebc2199b905b3a0c48caeb6e
> # Parent  390a4f075ad402d3fc81dbb7e45f1634efa58e30
> # Available At http://hg.logilab.org/review/cubes/saem_ref
> #              hg pull http://hg.logilab.org/review/cubes/saem_ref -r 36fac1f47738
> [security] Fix permissions for EAC relation entity types
>
> They are not part of the compound graph, hence have default permission where
> only owner can update, which is not what we expect.
>
> Add more testing about this.
>
> Closes extranet #18336405
>
> diff --git a/cubicweb_saem_ref/migration/0.15.2_Any.py b/cubicweb_saem_ref/migration/0.15.2_Any.py
> new file mode 100644
> --- /dev/null
> +++ b/cubicweb_saem_ref/migration/0.15.2_Any.py
> @@ -0,0 +1,2 @@
> +for etype in ('ChronologicalRelation', 'HierarchicalRelation', 'AssociationRelation'):
> +    sync_schema_props_perms(etype)
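
Review bot: The migration script carries no comment saying why these three entity types are resynced; a one-line note in 0.15.2_Any.py that their permissions are now set explicitly in schema.py would help whoever reads the migration later. The type names are also written out here as strings, separately from the eac.* list in schema.py, so the two lists have to be kept in step by hand.
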
> diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
> --- a/cubicweb_saem_ref/schema.py
> +++ b/cubicweb_saem_ref/schema.py
> @@ -102,10 +102,21 @@ eac.agent_kind.constraints = [
>                    'EXISTS(OU authority_record S, OU is IN (Organization, OrganizationUnit), '
>                    '       O name "authority")',
>                    msg=_('This record is used by a relation forbidding to change its type')),
>  ]
>
> +for etype_def, from_rdef, to_rdef in [
> +        (eac.ChronologicalRelation, eac.chronological_predecessor, eac.chronological_successor),
> +        (eac.HierarchicalRelation, eac.hierarchical_parent, eac.hierarchical_child),
> +        (eac.AssociationRelation, eac.association_from, eac.association_to)]:
> +    etype_def.__permissions__ = {
> +        'read': ('managers', 'users', 'guests'),
> +        'add': ('managers', 'users'),
> +        'update': ('managers', 'users'),
> +        'delete': ('managers', 'users'),
> +    }
> +

AFAICT from_rdef and to_rdef variables are not used.

>
>  # Customization of skos schema.
>  make_workflowable(ConceptScheme)
>  publication_permissions(ConceptScheme)
>
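
Review bot: The new __permissions__ dict grants 'update' and 'delete' to the whole 'users' group using group names only, so every authenticated user can modify or remove any ChronologicalRelation, HierarchicalRelation or AssociationRelation; please confirm that this is the intended scope and say so in a comment above the loop, along with the reason given in the commit message (these types are outside the compound graph). The loop also unpacks from_rdef and to_rdef without using them: either set the permissions of those relation definitions in the body, if that was the intent, or iterate over the three entity types alone.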


