cubicweb #3444095 attribute permission checking changed for internal sessions [validation pending]

http://hg.logilab.org/master/cubicweb/rev/96dba2efd16d introduced a shortcut in check_entity_attributes that bypasses check_perm and raises an error. Before that changeset, internal sessions were let through check_perm thanks to the internal manager's matching_groups override.

A few ways to fix this:

  • remove the shortcut
  • make InternalSession explicitly disable security hooks
  • add an explicit session.is_internal_session check to check_entity_attributes
priority: important
type: bug
done in: 3.18.1
load: 0.500
load left: 0.000
closed by: #6aec72169ee1 Disable security hooks for internal sessions
patch: [security] Add comment to check_entity_attributes shortcut [applied]; Disable security hooks for internal sessions [applied]
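A toy Python model of the regression described in this ticket, added here as an illustration and not CubicWeb's code. `check_perm`, `matching_groups` and `InternalSession` borrow the ticket's names; the schema, the `security_hooks_enabled` flag and the shortcut's trigger (an empty permission tuple) are assumptions, since the ticket does not show the changeset.

```python
"""Toy model of an authorization fast path dropping an exemption (not CubicWeb code)."""

class Unauthorized(Exception):
    pass

class Session:
    security_hooks_enabled = True  # hypothetical flag

    def __init__(self, groups=()):
        self.groups = frozenset(groups)

    def matching_groups(self, allowed):
        return bool(self.groups & frozenset(allowed))

class InternalSession(Session):
    def matching_groups(self, allowed):
        return True  # internal manager override: matches any group list

class FixedInternalSession(InternalSession):
    security_hooks_enabled = False  # models the fix that closed the ticket

# Constructed schema: attribute -> groups allowed to update it.
UPDATE_PERMS = {"title": ("managers", "users"), "creation_date": ()}

def check_perm(session, allowed):
    if not session.matching_groups(allowed):
        raise Unauthorized(allowed)

def check_before(session, attr):
    """Behaviour before the shortcut: every attribute goes through check_perm."""
    check_perm(session, UPDATE_PERMS[attr])

def check_with_shortcut(session, attr):
    """Behaviour with the shortcut (trigger condition is an assumption)."""
    allowed = UPDATE_PERMS[attr]
    if not allowed:
        # check_perm, and with it the matching_groups override, never runs
        raise Unauthorized(attr)
    check_perm(session, allowed)

def run_security_hook(check, session, attr):
    """Return 'allowed' or 'denied' for one attribute update."""
    if not session.security_hooks_enabled:
        return "allowed"  # hook skipped entirely for this session
    try:
        check(session, attr)
    except Unauthorized:
        return "denied"
    return "allowed"
```

A regression test of this shape, run against both ordinary and internal sessions, would catch a fast path placed ahead of the generic permission check.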