cubicweb #3154558 [security] rdefs using default read permissions: just do nothing [open]

Because: the default rule is (u'managers', u'users', u'guests'), which actually means 'everyone' semantically it parallels what is now done with the entity update rule (https://www.cubicweb.org/patch/2932064)
priority	normal
type	enhancement
done in	<not specified>
load	1.000
load left	1.000
closed by	<not specified>
patch	[security] when checking an rdef `read security groups`, do nothing if they are the default [rejected]

Workflow history

from state (2)	to state	comment	date	User
in-progress	open	mass operation on Oct 15 2019	2019/10/15 15:01 UTC	admin
open	in-progress		2013/09/19 09:14 UTC

Comments

2013/09/19 08:23, written by acampeas
First problem seen while implementing this: the test unittest_security.test_update_rql_permission breaks.

It works on the following (reduced) schema, with read perms shown:
```
class Affaire:
    __permissions__ = ('managers', 'X owned_by U', 'X concerne S?, S owned_by U')
    sujet = String()
    concerne = Relation(Societe)

class Societe:
    __permissions__ = ('managers', 'users', 'guests')
```
We have a scenario where a "user" (belonging only to the users group):
1. creates an Affaire
2. creates a Societe and links to the Affaire through "concerne"
3. wants to set the "sujet" attribute of the Societe
As of today it all works. Let's detail point 3 security check:
- the querier performs a read group check on the "sujet" attribute * since the default sec on attributes is ('managers', 'users', 'guests') it passes (!) * later, the rqlrewriter interpolates the rql expressions, hence since the user owns both ends of the "concerne" relation it works ok
It think this way of life is a pb., because:
- when writing a schema like this, the typical end user NEVER thinks she just gave ('managers', 'users', 'guests') group permissions to the Societe attributes,
- instead she believes the permission rule at entity level controls the whole entity (that is, attributes-security), unless a specific attribute permission rule is written
I have the following scenario to implement: a "readonly" profile. Unfortunately, it cannot be made to work (with a "readonly" group at least) unless every attribute of every entity type is explicitly given a non-default, e.g. ('managers', 'users', 'guests', 'readonly') rule. Which is a bit unfriendly...

Opinions ?
- 2013/09/19 09:48, written by acampeas
  
  Well, doing nothind wrt rdefs read permissions == default read permissions "just works".
2013/09/28 10:24, written by acampeas

this actually must be extended to write security checks
2014/08/01 13:23, written by acampeas

As of 01-08-2014, the need rises again. Let's do it !

add comment

tagged by

security

similar entities

[see all]

Ticket #3154558 - latest update on 2019/10/15, created on 2013/09/18 by Aurelien Campeas