cubicweb #3489895 [security] cannot really use attributes using a more lenient permission [validation pending]

Because the operation does:

entity.cw_check_perm(action)
check_entity_attributes(session, entity, action, edited)

if the etype level permissions are more restrictive that one of the currently edited and more permissive attribute, it still blows.

The proper solution would be to stop having entity's update permission and attribute update permission.

Entity's update permission should simply be a default value for attribute update permissions.

prioritynormal
typebug
done in3.18.6
load0.200
load left0.000
closed by#7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions
patch[hooks/security] allow edition of attributes with permissive permissions [applied]