[security] Fix 'add' permission of Agent and OrganizationUnit
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 18 May 2017 21:56:45 +0200
changeset 3301 77bc75bd1f2a
parent 3300 a4f22e741d21
child 3302 f565ea19ca39
We should not depend on entity's authority since it disallows checking permission a priori in the UI to insert add link, since the entity is not created yet.

No test added, but agent / organization unit creation is tested by security tests which are still green after this change so this should be enough to demonstrate it is fine.

Closes extranet #21913461
cubicweb_saem_ref/migration/0.15.4_Any.py
cubicweb_saem_ref/schema.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/cubicweb_saem_ref/migration/0.15.4_Any.py	Thu May 18 21:56:45 2017 +0200
@@ -0,0 +1,2 @@
+for etype in ('Agent', 'OrganizationUnit'):
+    sync_schema_props_perms(etype)
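Review bot: The hard-coded tuple ('Agent', 'OrganizationUnit') only resynchronises those two entity types, while authority_permissions_etype in schema.py takes an arbitrary cls. If any other entity type is set up through that function, its stored 'add' permission will keep the old ERQLExpression after this migration and the instance will disagree with the schema file. Please confirm these are the only two users of the function, or extend the tuple. Since only permissions change here, passing syncprops=False would also keep the migration from touching unrelated schema properties.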
--- a/cubicweb_saem_ref/schema.py	Fri May 19 11:14:16 2017 +0200
+++ b/cubicweb_saem_ref/schema.py	Thu May 18 21:56:45 2017 +0200
@@ -52,12 +52,13 @@
 
 def authority_permissions_etype(cls):
     """Set __permissions__ of `cls` entity type class to ensure user can
-    create/update/delete provided its authority is the same as the entity's
-    authority.
+    update/delete provided its authority is the same as the entity's authority.
+
+    Creation permission is ensured by permission of the authority relation.
     """
     cls.__permissions__ = {
         'read': ('managers', 'users', 'guests'),
-        'add': ('managers', ERQLExpression('U authority A, X authority A')),
+        'add': ('managers', 'users'),
         'update': ('managers', ERQLExpression('U authority A, X authority A')),
         'delete': ('managers', ERQLExpression('U authority A, X authority A')),
     }
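Review bot: The new 'add': ('managers', 'users') line drops every authority condition at entity level, so the guarantee stated in the new docstring ("Creation permission is ensured by permission of the authority relation") now rests entirely on a relation definition that is not part of this diff. Two things should be checked before merging. First, the 'add' permission on the authority relation must actually require that the user's authority matches the target. Second, the relation must be mandatory for these entity types, otherwise an entity created without any authority would pass both checks. The commit message says no test was added. A security test asserting that a plain user cannot create an Agent or OrganizationUnit attached to another authority, or with none at all, would cover the case this change newly depends on, rather than relying on existing tests staying green.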