[PATCH saem] [security] Fix 'add' permission of Agent and OrganizationUnit

Sylvain Thenault sylvain.thenault at logilab.fr
Fri May 19 10:54:25 CEST 2017


# HG changeset patch
# User Sylvain Thénault <sylvain.thenault at logilab.fr>
# Date 1495137405 -7200
#      Thu May 18 21:56:45 2017 +0200
# Node ID 0674ed9b8f37f4a26cef26d81ff61d56f61edf50
# Parent  7aca90bfbdf3aae98f434400e1368428443441bf
# Available At http://hg.logilab.org/review/cubes/saem_ref
#              hg pull http://hg.logilab.org/review/cubes/saem_ref -r 0674ed9b8f37
[security] Fix 'add' permission of Agent and OrganizationUnit

We should not depend on the entity's authority since it disallows checking
permission a priori in the UI to insert the add link, since the entity is not
created yet.

No test added, but agent / organization unit creation is tested by security tests
which are still green after this change, so this should be enough to demonstrate
it is fine.

Closes extranet #21913461

diff --git a/cubicweb_saem_ref/migration/0.15.4_Any.py b/cubicweb_saem_ref/migration/0.15.4_Any.py
new file mode 100644
--- /dev/null
+++ b/cubicweb_saem_ref/migration/0.15.4_Any.py
@@ -0,0 +1,2 @@
+for etype in ('Agent', 'OrganizationUnit'):
+    sync_schema_props_perms(etype)
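Review bot: the migration has no comment saying what it is syncing; a one-line comment above the loop (e.g. "# 'add' permission of Agent/OrganizationUnit changed in schema.py") would tell the next reader why 0.15.4 needs a schema sync at all. The two entity types listed do match the ones whose `__permissions__` change in this patch (both go through `authority_permissions_etype`), so the coverage of the sync itself looks right.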
diff --git a/cubicweb_saem_ref/schema.py b/cubicweb_saem_ref/schema.py
--- a/cubicweb_saem_ref/schema.py
+++ b/cubicweb_saem_ref/schema.py
@@ -50,16 +50,17 @@ def publication_permissions(cls, groups=
     return cls
 
 
 def authority_permissions_etype(cls):
     """Set __permissions__ of `cls` entity type class to ensure user can
-    create/update/delete provided its authority is the same as the entity's
-    authority.
+    update/delete provided its authority is the same as the entity's authority.
+
+    Creation permission is ensured by permission of the authority relation.
     """
     cls.__permissions__ = {
         'read': ('managers', 'users', 'guests'),
-        'add': ('managers', ERQLExpression('U authority A, X authority A')),
+        'add': ('managers', 'users'),
         'update': ('managers', ERQLExpression('U authority A, X authority A')),
         'delete': ('managers', ERQLExpression('U authority A, X authority A')),
     }
     return cls
 
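Review bot: replacing `ERQLExpression('U authority A, X authority A')` with `'users'` on `'add'` means the entity type itself no longer enforces anything at creation time; the whole guarantee now rests on the `add` permission of the `authority` relation and on that relation being mandatory for `Agent` and `OrganizationUnit`, neither of which is visible in this hunk. Since the commit message says no test was added, please add one that, as a non-manager user, creates an `Agent` (or `OrganizationUnit`) linked to an authority other than the user's own and asserts an Unauthorized error, and one that attempts creation without any `authority` at all; that pins down the invariant this change relies on rather than trusting that the existing security tests happen to exercise it. The docstring update ("Creation permission is ensured by permission of the authority relation.") is the right place to state that dependency explicitly, so the relation's permission definition should reference this function in turn.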
