cubicweb #2930861 [security] update perms fire on attributes at entity creation time [validation pending]

This makes it hard to define some otherwise straightforward security rules:

Scenario.__permissions__ = {
    'read': ('managers', 'modellers', 'users', 'agents'),
    'add': ('managers', 'modellers', 'users'),
    'update': ('managers', 'modellers',
               ERQLExpression('V has_scenario X, V is_master False')),
    'delete': ('managers', ERQLExpression('NOT EXISTS(TS has_scenario X)'))
}

The following snippet chokes:

with debugged(DBG_SEC):
    scen = req.execute('INSERT Scenario S: S name "BABAR"')
    cnx.commit()

Security tracing shows this:

check_perm: 'add' 'Scenario': user user matches frozenset(['modellers', 'managers', 'users']) with set([u'users'])
check_perm: 'update' 'Scenario' [(ERQLExpression(Any X WHERE V has_scenario X, V is_master False, X eid %(x)s), {'eid': 5623}, False)]
check_perm: 'update' 'attribute Scenario.name[String]' [(ERQLExpression(Any X WHERE U has_update_permission X, X eid %(x)s, U eid %(u)s), {'eid': 5623}, False)]
check_perm: 'update' 'Scenario' [(ERQLExpression(Any X WHERE V has_scenario X, V is_master False, X eid %(x)s), {'eid': 5623}, False)]

Since I didn't explicitly override the attribute permissions settings, it should not be checked. There might be a special marker for these situations that allows one to say:

if rdef.permissions is not DEFAULT:
    # do the attribute check
else:
    # do nothing, the etype permissions are all we wanted to check

priority: normal
type: bug
done in: 3.17.3
load: 1.000
load left: 0.000
closed by: #6c4ae3a06619 [hooks/security] Streamline attributes default permission check.
patch: [hooks/security] Optimize attributes permission check. [applied]
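
A stand-alone model of the marker proposed in the ticket, added here as an illustration; it is not CubicWeb code and not the applied patch. `DEFAULT`, `EntityType`, `check_insert` and the `audit_note` attribute are hypothetical names, and a Python callable stands in for the ERQLExpression. It shows the creation-time denial and that explicitly restricted attributes are still checked once default ones are skipped.

```python
DEFAULT = object()  # hypothetical marker: attribute permissions never overridden

class Unauthorized(Exception):
    pass

class EntityType:
    def __init__(self, name, add, update_groups, update_expr, attr_update):
        self.name = name
        self.add = frozenset(add)
        self.update_groups = frozenset(update_groups)
        self.update_expr = update_expr  # callable(entity) -> bool, models the ERQLExpression
        self.attr_update = attr_update  # attribute name -> DEFAULT or tuple of groups

    def may_update_entity(self, groups, entity):
        return bool(groups & self.update_groups) or self.update_expr(entity)

def check_insert(etype, groups, entity, skip_default=True):
    """Return the checks run for an INSERT; raise Unauthorized on the first denial."""
    groups = frozenset(groups)
    trace = [("add", etype.name)]
    if not groups & etype.add:
        raise Unauthorized("add " + etype.name)
    for attr in entity["attrs"]:
        perms = etype.attr_update[attr]
        if perms is DEFAULT:
            if skip_default:
                continue  # the entity type's 'add' rule is all the schema asked for
            # behaviour reported in the ticket: fall back to the entity 'update' rule
            allowed = etype.may_update_entity(groups, entity)
        else:
            allowed = bool(groups & frozenset(perms))  # explicit rule: always enforced
        trace.append(("update", etype.name + "." + attr))
        if not allowed:
            raise Unauthorized("update %s.%s" % (etype.name, attr))
    return trace

# Constructed sample mirroring the ticket's Scenario permissions.
SCENARIO = EntityType(
    "Scenario",
    add=("managers", "modellers", "users"),
    update_groups=("managers", "modellers"),
    # 'V has_scenario X, V is_master False': nothing links to a brand-new entity
    update_expr=lambda e: any(not v["is_master"] for v in e["linked_from"]),
    attr_update={"name": DEFAULT, "audit_note": ("managers",)},
)
NEW_SCENARIO = {"attrs": {"name": "BABAR"}, "linked_from": []}
```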