[entity] fix unrelated_rql for creation form vocabulary for relation with...

[entity] fix unrelated_rql for creation form vocabulary for relation with specific permissions (closes #2423854) --HG-- branch : stable

[entity] fix unrelated_rql for creation form vocabulary for relation with...
[entity] fix unrelated_rql for creation form vocabulary for relation with specific permissions (closes #2423854) --HG-- branch : stable
3641ace0 · Florent Cayré · 05992aa3fc0d · 444a8e25 · 444a8e25
Commit 3641ace0 authored Jul 18, 2012 by Florent Cayré
--- a/entity.py
+++ b/entity.py
@@ -1112,6 +1112,9 @@ class Entity(AppObject):
        # insert security RQL expressions granting the permission to 'add' the
        # relation into the rql syntax tree, if necessary
        rqlexprs = rdef.get_rqlexprs('add')
+        if not self.has_eid():
+            rqlexprs = [rqlexpr for rqlexpr in rqlexprs
+                        if searchedvar.name in rqlexpr.mainvars]
        if rqlexprs and not rdef.has_perm(self._cw, 'add', **sec_check_args):
            # compute a varmap suitable to RQLRewriter.rewrite argument
            varmap = dict((v, v) for v in (searchedvar.name, evar.name)

--- a/test/unittest_entity.py
+++ b/test/unittest_entity.py
@@ -28,7 +28,7 @@ from cubicweb.devtools.testlib import CubicWebTC
 from cubicweb.mttransforms import HAS_TAL
 from cubicweb.entities import fetch_config
 from cubicweb.uilib import soup2xhtml
-from cubicweb.schema import RQLVocabularyConstraint
+from cubicweb.schema import RQLVocabularyConstraint, RRQLExpression

 class EntityTC(CubicWebTC):

@@ -361,6 +361,18 @@ class EntityTC(CubicWebTC):
            'NOT (S connait AD, AD nom "toto"), AD is Personne, '
            'EXISTS(S travaille AE, AE nom "tutu")')

+    def test_unrelated_rql_security_rel_perms(self):
+        '''check `connait` add permission has no effect for a new entity on the
+        unrelated rql'''
+        rdef = self.schema['Personne'].rdef('connait')
+        perm_rrqle = RRQLExpression('U has_update_permission S')
+        with self.temporary_permissions((rdef, {'add': (perm_rrqle,)})):
+            person = self.vreg['etypes'].etype_class('Personne')(self.request())
+            rql = person.cw_unrelated_rql('connait', 'Personne', 'subject')[0]
+        self.assertEqual(rql, 'Any O,AA,AB,AC ORDERBY AC DESC WHERE '
+                         'O is Personne, O nom AA, O prenom AB, '
+                         'O modification_date AC')
+
    def test_unrelated_rql_constraints_edition_subject(self):
        person = self.request().create_entity('Personne', nom=u'sylvain')
        rql = person.cw_unrelated_rql('connait', 'Personne', 'subject')[0]