cubicweb #2965518 attribute permissions: have an 'add' permission distinct from 'update' [resolved]

As of today, attribute 'update' permissions are checked at entity creation time.

In the past, we have gone from 'add'/'delete' permissions in the manner of relations to 'update' perms, like for entities, but while simplifying it to 'update', we lost something.

There are definitely cases when a specific attribute 'update' permission forbids entity _creation_. The most common case (no permission at all) is actually hard-coded in check_entity_attributes, but there's no deep reason more cases cannot be handled.


  • stop checking attributes update perms at entity creation time
  • introduce attribute 'add' perms and check them at entity creation time
  • make the default attribute 'add' perms the _same_ as the current default 'update' perm, for backward compatibility.
done in 3.18.0
load left 0.000
closed by #96dba2efd16d [hooks/security] provide attribute "add" permission
patch
  • [hooks/security] provide attribute "add" permission [applied]
  • [hooks/security] silence yams warning (Related to #2965518) [rejected]
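
A simplified model of the proposal above, added here as an illustration and not taken from CubicWeb: it compares the creation-time check before and after the change for an attribute that ordinary users may set once but not modify. All names (AttrPerms, can_create_old, can_create_new, can_update, SCHEMA) are hypothetical, permissions are reduced to group names, and the hard-coded 'no permission at all' case is left out.

```python
# Simplified model of the ticket's proposal; NOT CubicWeb code.
# Every name here is hypothetical and the schema is constructed sample data.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class AttrPerms:
    update: Tuple[str, ...]
    add: Optional[Tuple[str, ...]] = None  # None: 'add' not declared in the schema

    def effective_add(self) -> Tuple[str, ...]:
        # Backward compatibility: an undeclared 'add' defaults to the 'update' perms.
        return self.update if self.add is None else self.add


def _allowed(groups: Iterable[str], user_groups: Iterable[str]) -> bool:
    return bool(set(groups) & set(user_groups))


def can_create_old(schema: Dict[str, AttrPerms], edited, user_groups) -> bool:
    """Behaviour described in the ticket: 'update' perms are checked at creation."""
    return all(_allowed(schema[a].update, user_groups) for a in edited)


def can_create_new(schema: Dict[str, AttrPerms], edited, user_groups) -> bool:
    """Proposed behaviour: only 'add' perms are checked at creation."""
    return all(_allowed(schema[a].effective_add(), user_groups) for a in edited)


def can_update(schema: Dict[str, AttrPerms], edited, user_groups) -> bool:
    """'update' perms still guard modification of an existing entity."""
    return all(_allowed(schema[a].update, user_groups) for a in edited)


# Constructed schema: 'serial' is write-once for users, 'title' has no 'add' declared.
SCHEMA = {
    "title": AttrPerms(update=("managers", "users")),
    "serial": AttrPerms(update=("managers",), add=("managers", "users")),
}

if __name__ == "__main__":
    user = {"users"}
    print("old creation check:", can_create_old(SCHEMA, ["title", "serial"], user))
    print("new creation check:", can_create_new(SCHEMA, ["title", "serial"], user))
    print("later update of serial:", can_update(SCHEMA, ["serial"], user))
```
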