cubicweb #2930861 [security] update perms fire on attributes at entity creation time [resolved]
This makes it hard to define some otherwise straightforward security rules:

```
Scenario.__permissions__ = {
    'read': ('managers', 'modellers', 'users', 'agents'),
    'add': ('managers', 'modellers', 'users'),
    'update': ('managers', 'modellers',
               ERQLExpression('V has_scenario X, V is_master False')),
    'delete': ('managers',
               ERQLExpression('NOT EXISTS(TS has_scenario X)'))
}
```

The following snippet chokes:

```
with debugged(DBG_SEC):
    scen = req.execute('INSERT Scenario S: S name "BABAR"')
    cnx.commit()
```

Security tracing shows this:

```
check_perm: 'add' 'Scenario': user user matches frozenset(['modellers', 'managers', 'users']) with set([u'users'])
check_perm: 'update' 'Scenario' [(ERQLExpression(Any X WHERE V has_scenario X, V is_master False, X eid %(x)s), {'eid': 5623}, False)]
check_perm: 'update' 'attribute Scenario.name[String]' [(ERQLExpression(Any X WHERE U has_update_permission X, X eid %(x)s, U eid %(u)s), {'eid': 5623}, False)]
check_perm: 'update' 'Scenario' [(ERQLExpression(Any X WHERE V has_scenario X, V is_master False, X eid %(x)s), {'eid': 5623}, False)]
```

Since I didn't explicitly override the attribute permissions settings it should not be checked. There might be a special marker for these situations, that allows to say:

```
if rdef.permissions is not DEFAULT:
    # do the attribute check
else:
    # do nothing, the etype permissions are all we wanted to check
```

priority | normal |
---|---|
type | bug |
done in | 3.17.3 |
load | 1.000 |
load left | 0.000 |
closed by | #6c4ae3a06619 [hooks/security] Streamline attributes default permission check. |
patch | [hooks/security] Optimize attributes permission check. [applied] |
similar entities
- cubicweb #1698245 Convert __message to _cwmsgid to increase security
- cubicweb #511718 explain why rql expr insertion doesn't work to ease security debugging
- TheCubicWebBook #656194 CW Administration: how to give dynamic permissions
- cubicweb #1346310 Add `Secure` attribute to cookie when navigating on https
- cubicweb #1381390 Implement HTTP Strict Transport Security for https
Comments
- 2013/06/10 19:52, written by sthenault
- 2013/06/10 19:57, written by acampeas
- 2013/06/11 08:39, written by sthenault
- 2013/06/11 09:59, written by acampeas
- 2013/06/11 09:57, written by acampeas
- 2013/06/11 10:20, written by acampeas
- 2013/06/11 10:43, written by acampeas
- 2013/06/25 11:16, written by sthenault
- 2013/06/25 11:20, written by acampeas
- 2013/06/25 13:14, written by acampeas
I don't get your later remark. If you associate an empty tuple to the 'update' key in the permissions dictionary, you don't get "the default security", you get an empty tuple. And iirc that's the target.
I didn't associate anything to the Scenario.name per se and I have seen rdef.permissions.get('update') yield the default cw permission.
Not specifying anything and explicitly specifying an empty tuple are two different things. In the first case you implicitly ask for the default values.
Ticket description updated after reflections on this.
The two "check_perm: 'update' 'Scenario'" are quite disturbing also.
I understand the second comes as a followup on the "U has_update_permission X" of the Scenario.name check.
A hypothetical first step:
This probably won't work because of the presence of an ERQLExpression in the DEFAULT_ATTRPERMS. Also order may matter.
While I would prefer a proper solution, I would be fine with such a patch in the meantime, provided an XXX line before the attribute update perms comparison.
This snippet is obsolete, sorry. The patch says it all.
Example workaround:
As you can see it is not too nice. The UI is uninformed of the hook rule. (Also while doing this I introduced a bug wrt the spec; can you spot it?)
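
A simplified model of the check this ticket discusses, added here as an illustration; it is not CubicWeb code and not the applied patch. `DEFAULT`, `RDef`, `allowed` and `can_create` are hypothetical names, RQL expressions are stood in for by Python predicates, and the default attribute rule is modelled as delegating to the entity type's 'update' rules, as the `U has_update_permission X` line in the trace suggests.

```python
# Illustrative model only: not CubicWeb code. All names are hypothetical.
DEFAULT = object()  # marker: attribute permissions were never overridden


class RDef:
    """Attribute definition; `update` is DEFAULT or an explicit rule tuple."""

    def __init__(self, update=DEFAULT):
        self.update = update


def allowed(rules, groups, entity):
    """A rule is a group name or a predicate standing in for an RQL expression."""
    return any(rule in groups if isinstance(rule, str) else rule(entity)
               for rule in rules)


def can_create(etype_perms, rdefs, groups, entity, skip_default):
    """Decide whether `groups` may create `entity` with the attributes it sets."""
    if not allowed(etype_perms['add'], groups, entity):
        return False
    for attr in entity['attrs']:
        rules = rdefs[attr].update
        if rules is DEFAULT:
            if skip_default:
                continue  # ticket's proposal: the etype rules are enough
            # Reported behaviour: the default attribute rule delegates to the
            # entity's 'update' rules (U has_update_permission X in the trace).
            rules = etype_perms['update']
        if not allowed(rules, groups, entity):
            return False
    return True


# Constructed sample mirroring the ticket's Scenario rules.
SCENARIO_PERMS = {
    'add': ('managers', 'modellers', 'users'),
    # stands in for ERQLExpression('V has_scenario X, V is_master False')
    'update': ('managers', 'modellers',
               lambda e: any(not v['is_master'] for v in e['has_scenario_from'])),
}
# A just-inserted Scenario: name is set, nothing links to it yet.
FRESH = {'attrs': {'name': 'BABAR'}, 'has_scenario_from': []}

if __name__ == '__main__':
    for rdef in (RDef(), RDef(update=())):
        for skip in (False, True):
            ok = can_create(SCENARIO_PERMS, {'name': rdef}, {'users'}, FRESH, skip)
            print('explicit' if rdef.update is not DEFAULT else 'default', skip, ok)
```

With the marker in place, an explicitly empty 'update' tuple still denies the write, which keeps the distinction raised in the comments between specifying nothing and specifying an empty tuple.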