cubicweb #4919855 Implement security context [in-progress]

The idea is to be able to write security rql expressions that refer to
arbitrary values/entities, and not only 'U' for the current user.

This security context would be a dictionary in which keys could be used in permissions rql expressions.

Such a context would be very useful to check permissions against arbitrary information orthogonal to the current user. For example, a token that gives access to a specific resource could be used to share a private resource via a simple URL including this token.

Once such a system works, the current user (_cw.user) and its security-related attributes (groups) could be transferred to this context, making cnx.user useless and less of a problem than it is today [1].

Another big advantage would be that it would be easier to have an external system providing security information without hacking around the user, connection and session [2]. One could even have permission checking without a single CWUser in the database.
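
The token scenario described above, modelled as an added example that is not CubicWeb code and not one of this ticket's patches: SQLite stands in for RQL, and the table names, the rule strings and the `user`/`token` context keys are assumptions made for illustration. Context values are bound as query arguments rather than interpolated into the expression, and a key missing from the context fails closed.

```python
import sqlite3

# Constructed sample data: one public and one private resource, plus one
# share token for the private one. Note that there is no user table at all.
SCHEMA = """
CREATE TABLE resource (eid INTEGER PRIMARY KEY, title TEXT, owner TEXT, private INTEGER);
CREATE TABLE share_token (token TEXT PRIMARY KEY, resource INTEGER);
INSERT INTO resource VALUES (1, 'public notes', 'alice', 0);
INSERT INTO resource VALUES (2, 'private report', 'alice', 1);
INSERT INTO share_token VALUES ('constructed-token-123', 2);
"""

# Keys a permission expression may refer to (hypothetical names).
CONTEXT_KEYS = ("user", "token")

# Read permission: any matching rule grants access. X is the checked entity;
# :user and :token are resolved from the security context, not from a session.
READ_RULES = (
    "X.private = 0",
    "X.owner = :user",
    "EXISTS (SELECT 1 FROM share_token T"
    " WHERE T.resource = X.eid AND T.token = :token)",
)


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def can_read(db, eid, security_ctx):
    """Return True if any read rule holds for entity `eid` under the context."""
    unknown = set(security_ctx) - set(CONTEXT_KEYS)
    if unknown:
        raise KeyError(f"unknown security context keys: {sorted(unknown)}")
    # Bind every key on every query. A missing key becomes NULL, and a
    # comparison with NULL is never true, so absent values fail closed.
    args = {key: security_ctx.get(key) for key in CONTEXT_KEYS}
    args["eid"] = eid
    for rule in READ_RULES:
        sql = f"SELECT 1 FROM resource X WHERE X.eid = :eid AND {rule}"
        if db.execute(sql, args).fetchone():
            return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(can_read(db, 2, {}))                                  # anonymous
    print(can_read(db, 2, {"token": "constructed-token-123"}))  # shared URL
```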

priority: normal
type: enhancement
done in: <not specified>
closed by: <not specified>
patch:
  [wip] Implements security_ctx as permanent rql args [rejected]
  [wip] Inject security context in RQLExpression._check [rejected]
  [wip] Add access to the security_context from subsitute variables [rejected]
  [wip] Introduce a security_ctx in rqlrewrite [rejected]