cubicweb #2932033 [security] consider operation checking only in securityafterupdateentity hook [resolved]
As of today, the entity is checked in the hook, and if Unauthorized is raised the check is deferred to an Operation (hoping that things will work better at this time).
I contend that this strategy is too costly for the case when only an operation will yield a successful permission check, and that this case is quite common.
I propose we drop the immediate permission check and only defer to the operation.
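A small model of the two strategies, added here as an illustration and not taken from cubicweb's own hooks/security code: a hook that checks the entity immediately and registers an Operation only when Unauthorized is raised, beside a hook that always defers to the Operation. The entity, the "needs an owner to be updatable" rule, the transaction and the operation class are all constructed for the example; only the names Unauthorized and Operation echo the ticket. Counting permission checks shows the cost the ticket argues about: in the common case where the check can only succeed once later hooks have run, the current strategy runs every check twice.

```python
"""Constructed model of the ticket's two strategies (not cubicweb code):
check-now-then-defer versus defer-only permission checking."""


class Unauthorized(Exception):
    """Stands in for cubicweb's Unauthorized: a permission check failed."""


class Entity:
    """Toy entity. Hypothetical rule: 'update' is allowed only once the entity
    has an owner, which a later hook in the same transaction may still set."""

    def __init__(self, eid):
        self.eid = eid
        self.owner = None
        self.checks = 0  # number of permission checks run on this entity

    def check_perm(self, action):
        self.checks += 1
        if action == 'update' and self.owner is None:
            raise Unauthorized('eid %d: no owner yet' % self.eid)


class CheckEntityPermissionOp:
    """Operation re-running the check at commit, after all hooks have run."""

    def __init__(self, entity, action):
        self.entity, self.action = entity, action

    def precommit_event(self):
        self.entity.check_perm(self.action)


class Transaction:
    """Minimal transaction: queued operations run at commit, in order."""

    def __init__(self):
        self.operations = []

    def add_operation(self, op):
        self.operations.append(op)

    def commit(self):
        for op in self.operations:
            op.precommit_event()
        self.operations = []


def hook_check_then_defer(txn, entity):
    """Current behaviour: check immediately, defer only on Unauthorized."""
    try:
        entity.check_perm('update')
    except Unauthorized:
        txn.add_operation(CheckEntityPermissionOp(entity, 'update'))


def hook_defer_only(txn, entity):
    """Proposed behaviour: always defer the check to the Operation."""
    txn.add_operation(CheckEntityPermissionOp(entity, 'update'))


def run(hook, set_owner_later):
    """Update one entity whose owner is either set by a later hook in the same
    transaction (the common case the ticket describes) or never set.
    Returns (number of permission checks run, whether the commit succeeded)."""
    txn = Transaction()
    entity = Entity(42)
    hook(txn, entity)
    if set_owner_later:
        entity.owner = 'someuser'  # simulates a subsequent hook or operation
    try:
        txn.commit()
        return entity.checks, True
    except Unauthorized:
        return entity.checks, False


if __name__ == '__main__':
    for name, hook in (('check then defer', hook_check_then_defer),
                       ('defer only', hook_defer_only)):
        print(name, 'owner set later:', run(hook, True),
              'owner never set:', run(hook, False))
```

With the owner set later, the current strategy costs two checks per entity and the deferred one a single check; when the owner is never set, both strategies reject the commit, so the outcome is the same and only the cost differs.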
closed by: #e1369f2dba79 [hooks/security] Defer entity permission checks to an Operation.
patches:
- [doc/book/security] update description of entity update (Related to #2932033) [applied]
- [hooks/security] Defer entity permission checks [applied]
- cubicweb #1698245 Convert __message to _cwmsgid to increase security
- TheCubicWebBook #569106 hooks section
- cubicweb #511718 explain why rql expr insertion doesn't work to ease security debugging
- TheCubicWebBook #656194 CW Administration: how to give dynamic permissions
- cubicweb #1381390 Implement HTTP Strict Transport Security for https