cubicweb #2965518 attribute permissions: have an 'add' permission distinct from 'update' [validation pending]

As of today, attribute 'update' permissions are checked at entity creation time.

In the past, we have gone from 'add'/'delete' permissions in the manner of relations to 'update' perms, like for entities, but while simplifying it to 'update', we lost something.

There are definitely cases when a specific attribute 'update' permission forbids entity _creation_. The most common case (no permission at all) is actually hard-coded in check_entity_attributes, but there's no deep reason more cases cannot be handled.

Proposal:

  • stop checking attributes update perms at entity creation time
  • introduce attribute 'add' perms and check them at entity creation time
  • make the default attribute 'add' perms the _same_ as the current default 'update' perm, for backward compatibility.

priority: normal
type: enhancement
appeared in: <not specified>
done in: 3.18.0
load: 1.000
load left: 0.000
closed by: #10906:96dba2efd16d
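
A simplified model of the check the ticket proposes, added here as an illustration. It is not CubicWeb code, and the class, function, attribute and group names are all constructed for the example.

```python
# Simplified model of the proposal above. Not CubicWeb code: every name
# here (AttrPerms, denied_attributes, SCHEMA, the groups) is hypothetical.

class AttrPerms:
    def __init__(self, update, add=None):
        self.update = frozenset(update)
        # Proposal item 3: with no explicit 'add', reuse the 'update' groups
        # so existing schemas keep behaving as before.
        self.add = self.update if add is None else frozenset(add)


def denied_attributes(schema, edited, groups, creation, legacy=False):
    """Return the edited attributes the user's groups may not set.

    legacy=True models the current behaviour: 'update' is checked even at
    entity creation time. legacy=False models the proposal: 'add' is checked
    at creation time, 'update' only on later modification.
    """
    action = "add" if (creation and not legacy) else "update"
    groups = frozenset(groups)
    return sorted(name for name in edited
                  if not getattr(schema[name], action) & groups)


# Constructed schema: users may choose the initial 'state' but only managers
# may change it later; 'reference' declares no explicit 'add' permission.
SCHEMA = {
    "title": AttrPerms(update={"managers", "users"}),
    "state": AttrPerms(update={"managers"}, add={"managers", "users"}),
    "reference": AttrPerms(update={"managers"}),
}

if __name__ == "__main__":
    user = {"users"}
    edited = ["title", "state"]
    # Current behaviour: the 'update' restriction on 'state' blocks creation.
    print("legacy create:", denied_attributes(SCHEMA, edited, user, True, legacy=True))
    # Proposed behaviour: creation passes, later modification is still denied.
    print("new create:   ", denied_attributes(SCHEMA, edited, user, True))
    print("new update:   ", denied_attributes(SCHEMA, ["state"], user, False))
    # Defaulted 'add' keeps the restriction at creation time.
    print("default add:  ", denied_attributes(SCHEMA, ["reference"], user, True))
```
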