cubicweb #3489895 [security] cannot really use attributes using a more lenient permission [resolved]
Because the operation does:
entity.cw_check_perm(action) check_entity_attributes(session, entity, action, edited)
if the etype level permissions are more restrictive that one of the currently edited and more permissive attribute, it still blows.
The proper solution would be to stop having entity's update permission and attribute update permission.
Entity's update permission should simply be a default value for attribute update permissions.
|closed by||#7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions|
|patch||[hooks/security] allow edition of attributes with permissive permissions [applied]|