class travaille(RelationDefinition):
__permissions__ = {
'read': ('managers', 'users', 'guests'),
'add': ('managers', RRQLExpression('U has_update_permission S')),
'delete': ('managers', RRQLExpression('O owned_by U')),
}
subject = 'Personne'
object = 'Societe'
constraints = [RQLVocabularyConstraint('S owned_by U'),
RQLVocabularyConstraint('S created_by U')]
def inner_rdefs_perms(role_to_container):
# role_to_container is either 'S' or 'O'
return {
'read': ('managers', 'users', 'guests'),
'add':
('managers',
RRQLExpression('%s project P, U canwrite P' % role_to_container)),
'delete':
('managers',
RRQLExpression('%s project P, U canwrite P' % role_to_container)),
}
class bookmarked_by(RelationType):
__permissions__ = {
'read': (
'managers',
'users',
'guests',
),
# test user in users group to avoid granting permission to anonymous user
'add': ('managers',
RRQLExpression('O identity U, U in_group G, G name "users"')),
'delete':
('managers',
RRQLExpression('O identity U, U in_group G, G name "users"')),
}
def test_check_inlined_rdef_permissions(self):
# try to check permissions when creating an entity ('user' below is a
# fresh entity without an eid)
with self.admin_access.web_request() as req:
ttype = 'EmailAddress'
rschema = self.schema['use_email']
rdef = rschema.rdefs[('CWUser', ttype)]
tschema = self.schema[ttype]
role = 'subject'
with self.temporary_permissions((rdef, {'add': ()})):
user = self.vreg['etypes'].etype_class('CWUser')(req)
autoform = self.vreg['forms'].select('edition',
req,
entity=user)
self.assertFalse(
autoform.check_inlined_rdef_permissions(
rschema, role, tschema, ttype))
# we actually don't care about the actual expression,
# may_have_permission only checks the presence of such expressions
expr = RRQLExpression('S use_email O')
with self.temporary_permissions((rdef, {'add': (expr, )})):
user = self.vreg['etypes'].etype_class('CWUser')(req)
autoform = self.vreg['forms'].select('edition',
req,
entity=user)
self.assertTrue(
autoform.check_inlined_rdef_permissions(
rschema, role, tschema, ttype))
def test_rrqlexpression(self):
self.assertRaises(Exception, RRQLExpression, '1')
self.assertRaises(RQLSyntaxError, RRQLExpression, 'O X Y')
expr = RRQLExpression('U has_update_permission O')
self.assertEqual(
str(expr),
'Any O,U WHERE U has_update_permission O, O eid %(o)s, U eid %(u)s'
)
class ecrit_par(RelationType):
__permissions__ = {'read': ('managers', 'users', 'guests',),
'delete': ('managers', ),
'add': ('managers',
RRQLExpression('O require_permission P, P name "add_note", '
'U in_group G, P require_group G'),)
}
inlined = True
cardinality = '?*'
class toto(RelationType):
__permissions__ = {
'read': (
'managers',
RRQLExpression('S bla Y'),
),
'add': ('managers', ),
'delete': ('managers', ),
}
class see_also(RelationType):
"""generic relation to link one entity to another"""
symmetric = True
__permissions__ = {
'read': (
'managers',
'users',
'guests',
),
'add': (
'managers',
RRQLExpression('U has_update_permission S'),
),
'delete': (
'managers',
RRQLExpression('U has_update_permission S'),
),
}
class ToTo(EntityType):
__permissions__ = {
'read': (
'managers',
RRQLExpression('S bla Y'),
),
'add': ('managers', ),
'update': ('managers', ),
'delete': ('managers', ),
}
attr = String()
class owned_by(RelationType):
"""core relation indicating owners of an entity. This relation
implicitly put the owner into the owners group for the entity
"""
__permissions__ = {
'read': ('managers', 'users', 'guests'),
'add': (
'managers',
RRQLExpression('S owned_by U'),
),
'delete': (
'managers',
RRQLExpression('S owned_by U'),
),
}
# 0..n cardinality for entities created by internal session (no attached user)
# and to support later deletion of a user which has created some entities
cardinality = '**'
subject = '*'
object = 'CWUser'
class primary_email(RelationDefinition):
"""the prefered email"""
__permissions__ = {
'read': (
'managers',
'users',
'guests',
),
'add': (
'managers',
RRQLExpression('U has_update_permission S'),
),
'delete': (
'managers',
RRQLExpression('U has_update_permission S'),
),
}
subject = "CWUser"
object = "EmailAddress"
cardinality = '??'
constraints = [RQLConstraint('S use_email O')]
class prefered_form(RelationType):
__permissions__ = {
'read': (
'managers',
'users',
'guests',
),
# XXX should have update __permissions__ on both subject and object,
# though by doing this we will probably have no way to add
# this relation in the web ui. The easiest way to acheive this
# is probably to be able to have "U has_update_permission O" as
# RQLConstraint of the relation definition, though this is not yet
# possible
'add': (
'managers',
RRQLExpression('U has_update_permission S'),
),
'delete': (
'managers',
RRQLExpression('U has_update_permission S'),
),
}
class use_email_relation(RelationDefinition):
"""user's email account"""
name = "use_email"
__permissions__ = {
'read': (
'managers',
'users',
'guests',
),
'add': (
'managers',
RRQLExpression('U has_update_permission S'),
),
'delete': (
'managers',
RRQLExpression('U has_update_permission S'),
),
}
subject = "CWUser"
object = "EmailAddress"
cardinality = '*?'
composite = 'subject'
class comments(RelationType):
__permissions__ = {
'read': ('managers', 'users', 'guests'),
'add': (
'managers',
'users',
),
'delete': (
'managers',
RRQLExpression('S owned_by U'),
),
}
inlined = True
composite = 'object'
cardinality = '1*'
class concerne(RelationType):
__permissions__ = {
'read': ('managers', 'users', 'guests'),
'add': ('managers', RRQLExpression('U has_update_permission S')),
'delete': ('managers', RRQLExpression('O owned_by U')),
}
Do not deal with composition relation properties since the generated databases
are not expected to be dynamics.
"""
# Cubicweb import
from yams.buildobjs import RelationDefinition
from yams.buildobjs import SubjectRelation
from cubicweb.schema import RRQLExpression
# Local import
from cubes.brainomics2.schema.neuroimaging import SCAN_DATA
RELATION_PERMISSIONS = {
"read": ("managers", "users"),
"add": ("managers",
RRQLExpression("S in_assessment A, U in_group G, G can_update A")),
"delete":
("managers",
RRQLExpression("S in_assessment A, U in_group G, G can_update A"))
}
class questionnaire_runs(RelationDefinition):
__permissions__ = RELATION_PERMISSIONS
inlined = False
subject = "Assessment"
object = "QuestionnaireRun"
cardinality = "*1"
class questionnaire_questionnaire_runs(RelationDefinition):
class attr(RelationType):
__permissions__ = {
'read': ('managers', ),
'update': ('managers', RRQLExpression('S bla Y'),),
'add': ('managers', RRQLExpression('S bla Y'),),
}
# build a dummy schema ########################################################
PERSONNE_PERMISSIONS = {
'read': ('managers', 'users', 'guests'),
'update': ('managers', 'owners'),
'add': ('managers', ERQLExpression('X travaille S, S owned_by U')),
'delete': (
'managers',
'owners',
),
}
CONCERNE_PERMISSIONS = {
'read': ('managers', 'users', 'guests'),
'add': ('managers', RRQLExpression('U has_update_permission S')),
'delete': ('managers', RRQLExpression('O owned_by U')),
}
schema = CubicWebSchema('Test Schema')
enote = schema.add_entity_type(EntityType('Note'))
eaffaire = schema.add_entity_type(EntityType('Affaire'))
eperson = schema.add_entity_type(
EntityType('Personne', __permissions__=PERSONNE_PERMISSIONS))
esociete = schema.add_entity_type(EntityType('Societe'))
RELS = (
# attribute relations
('Note date String'),
('Note type String'),
('Affaire sujet String'),
__permissions__ = {
'read': ('managers', ERQLExpression('X owned_by U'),
ERQLExpression('U canread X')),
'add': ('managers', 'users'),
'update': ('managers', ERQLExpression('U canwrite X')),
'delete': ('managers', ERQLExpression('U canwrite X'))
}
subproject_of = SubjectRelation('Project',
composite='object',
inlined=True,
cardinality='?*')
PERMS['project-meta-perms'] = {
'read': ('managers', 'users', 'guests'),
'add': ('managers', RRQLExpression('O owned_by S')),
'delete': ('managers', RRQLExpression('O owned_by S'))
}
# a standard read-write permission scheme
class canread(RelationDefinition):
__permissions__ = PERM('project-meta-perms')
subject = 'CWUser'
object = 'Project'
class canwrite(RelationDefinition):
__permissions__ = PERM('project-meta-perms')
subject = 'CWUser'
object = 'Project'
class computed(ComputedRelation):
rule = 'S relation O'
__permissions__ = {'read': (RRQLExpression('S is ET'), )}
def _rqlexpr(self):
if self.exprtype == 'ERQLExpression':
return ERQLExpression(self.expression, self.mainvars, self.eid)
#if self.exprtype == 'RRQLExpression':
return RRQLExpression(self.expression, self.mainvars, self.eid)
