cubicweb #2965518 attribute permissions: have an 'add' permission distinct from 'update' [resolved]
As of today, attribute 'update' permissions are checked at entity creation time.
In the past, we have gone from 'add'/'delete' permissions in the manner of relations to 'update' perms, like for entities, but while simplifying it to 'update', we lost something.
There are definitely cases when a specific attribute 'update' permission forbids entity _creation_. The most common case (no permission at all) is actually hard-coded in check_entity_attributes, but there's no deep reason more cases cannot be handled.
|closed by|#96dba2efd16d [hooks/security] provide attribute "add" permission|
|patch|[hooks/security] provide attribute "add" permission [applied]; [hooks/security] silence yams warning (Related to #2965518) [rejected]|
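A simplified model of the situation the ticket describes, added here as an illustration; it is not CubicWeb code. It assumes group-only permissions (no RQL expressions), models the hard-coded "no permission at all" case as an empty 'update' tuple that is skipped at creation, and uses hypothetical function names and schema dictionaries.

```python
class Unauthorized(Exception):
    pass

def _check(perms, user_groups, action, attr):
    # Allowed only if the user belongs to at least one permitted group.
    if not set(perms) & set(user_groups):
        raise Unauthorized(f"{action} denied on attribute {attr!r}")

def check_update_only(schema, edited, user_groups, creation):
    """Model of the behaviour the ticket starts from: 'update' is the only
    write permission and it is also checked when the entity is created."""
    for attr in edited:
        perms = schema[attr]["update"]
        if creation and perms == ():
            # Assumed shape of the hard-coded special case: an empty
            # 'update' permission may still be set at creation time.
            continue
        _check(perms, user_groups, "update", attr)

def check_add_and_update(schema, edited, user_groups, creation):
    """Model of the requested behaviour: a distinct 'add' permission is
    checked at creation, 'update' only on later modification."""
    action = "add" if creation else "update"
    for attr in edited:
        _check(schema[attr][action], user_groups, action, attr)

def allowed(check, schema, edited, user_groups, creation):
    try:
        check(schema, edited, user_groups, creation)
        return True
    except Unauthorized:
        return False

# Constructed schemas for one attribute that ordinary users should be able to
# set once, at creation, while only managers may change it afterwards.
UPDATE_ONLY = {"reference": {"update": ("managers",)}}
IMMUTABLE = {"reference": {"update": ()}}
ADD_AND_UPDATE = {"reference": {"add": ("managers", "users"),
                                "update": ("managers",)}}

if __name__ == "__main__":
    user = ("users",)
    for name, check, schema in [
        ("update only", check_update_only, UPDATE_ONLY),
        ("update only, empty perm", check_update_only, IMMUTABLE),
        ("add + update", check_add_and_update, ADD_AND_UPDATE),
    ]:
        print(name,
              "| create:", allowed(check, schema, ["reference"], user, True),
              "| update:", allowed(check, schema, ["reference"], user, False))
```

With only 'update', the rule "users set it at creation, managers change it later" cannot be expressed: either creation is denied or the attribute has to be fully immutable.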
- cubicweb #1698245 Convert __message to _cwmsgid to increase security
- cubicweb #2103684 use passlib (?)
- cubicweb #511718 explain why rql expr insertion doesn't work to ease security debugging
- cubicweb #2969377 [security] all add security checks must happen at commit time
- cubicweb #1381390 Implement HTTP Strict Transport Security for https