cubicweb #3444095 attribute permission checking changed for internal sessions [validation pending] introduced a shortcut in check_entity_attributes that bypasses check_perm and raises an error. Before that changeset, internal sessions were let through check_perm thanks to the internal manager's matching_groups override.

A few ways to fix this:

  • remove the shortcut
  • make InternalSession explicitly disable security hooks
  • add an explicit session.is_internal_session check to check_entity_attributes
done in3.18.1
load left0.000
closed by#6aec72169ee1 Disable security hooks for internal sessions
patch[security] Add comment to check_entity_attributes shortcut [applied]Disable security hooks for internal sessions [applied]