
Anonymous committed 9715c64

[schema] fix key permissions

* only managers and owners may read and delete
* no one may add/update (handled internally)


Files changed (2)

 # with this program. If not, see <http://www.gnu.org/licenses/>.
 """cubicweb-shareurl schema"""
 
-from yams.buildobjs import EntityType, RelationType, RelationDefinition, Boolean, String
+from yams.buildobjs import (EntityType, RelationType, RelationDefinition,
+                            Boolean, String)
+from cubicweb.schema import ERQLExpression
 
 class ShareKey(EntityType):
+    __permissions__ = {
+    'read':   ('managers', ERQLExpression('X owned_by U')),
+    'add':    (),
+    'delete': ('managers', ERQLExpression('X owned_by U'),),
+    'update': (),
+    }
     _share_key = String(required=True, unique=True)
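Review bot: The owner clause `ERQLExpression('X owned_by U')` in 'read' and 'delete' only takes effect if an `owned_by` relation is recorded for the sharing user, and the other file in this commit now creates ShareKey through `internal_cnx()`. As far as I recall, CubicWeb's ownership hook skips internal sessions, so the key may end up with no owner and be readable and deletable by managers only; this is worth confirming with a test that reads the key as the sharing user. If owners are meant to keep access, share() would have to set the relation explicitly when it creates the key. A comment above the dict would also help the next reader: `# 'add'/'update' are empty on purpose: keys are created only by share() over an internal connection`.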
 
 
         return list(self._cw.execute('Any X WHERE X is CWGroup, X name "users"').entities())
 
     def share(self):
-        key = unicode(uuid4().hex)
-        keyent = self._cw.create_entity('ShareKey', _share_key=key,
-                                        share_key_of=self.entity)
-        self._cw.create_entity('CWUser', login=key, upassword=str(key),
-                               shared_user=True,
-                               in_group=self.user_groups())
-        return key
+        vreg = self._cw.vreg
+        with vreg.config.repository(vreg).internal_cnx() as cnx:
+            key = unicode(uuid4().hex)
+            keyent = cnx.create_entity('ShareKey', _share_key=key,
+                                       share_key_of=self.entity)
+            cnx.create_entity('CWUser', login=key, upassword=str(key),
+                              shared_user=True,
+                              in_group=self.user_groups())
+            cnx.commit()
+            return key
 
 
 class SharedURLPathEvaluator(urlpublishing.URLPathEvaluator):
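Review bot: Creating the key and the CWUser inside `internal_cnx()` bypasses the schema permission checks, and nothing visible in share() verifies that the requesting user (`self._cw.user`) is allowed to share `self.entity`. Unless a caller outside this hunk already enforces that, add an explicit guard before opening the internal connection, for example `if not self.entity.cw_has_perm('update'): raise Unauthorized()`, using whichever action the cube treats as the right to share. Separately, the new lines still set `upassword=str(key)` to the same value as `login=key`, so anyone who can read CWUser logins can also read that account's password; consider restricting read access to those logins or using a second random value for the password. `keyent` is assigned but never used, and the class that contains share() starts outside the hunk.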