Commit 3641ace0 authored by Florent Cayré's avatar Florent Cayré

[entity] fix unrelated_rql for creation form vocabulary for relation with...

[entity] fix unrelated_rql for creation form vocabulary for relation with specific permissions (closes #2423854)

--HG--
branch : stable
parent 05992aa3fc0d
......@@ -1112,6 +1112,9 @@ class Entity(AppObject):
# insert security RQL expressions granting the permission to 'add' the
# relation into the rql syntax tree, if necessary
rqlexprs = rdef.get_rqlexprs('add')
if not self.has_eid():
rqlexprs = [rqlexpr for rqlexpr in rqlexprs
if searchedvar.name in rqlexpr.mainvars]
if rqlexprs and not rdef.has_perm(self._cw, 'add', **sec_check_args):
# compute a varmap suitable to RQLRewriter.rewrite argument
varmap = dict((v, v) for v in (searchedvar.name, evar.name)
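Review bot: The new `if not self.has_eid():` filter carries no comment saying why 'add' security expressions that do not mention the searched variable are dropped for an entity that is still being created. When the filtered list ends up empty, the following `if rqlexprs and not rdef.has_perm(...)` skips the security rewrite altogether, so the creation-form vocabulary is only a display hint. I would add a comment such as `# no eid yet: keep only expressions constraining the searched variable; the others cannot be evaluated before creation`. The 'add' permission presumably still has to be enforced when the relation is actually created; that path is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.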
......
......@@ -28,7 +28,7 @@ from cubicweb.devtools.testlib import CubicWebTC
from cubicweb.mttransforms import HAS_TAL
from cubicweb.entities import fetch_config
from cubicweb.uilib import soup2xhtml
from cubicweb.schema import RQLVocabularyConstraint
from cubicweb.schema import RQLVocabularyConstraint, RRQLExpression
class EntityTC(CubicWebTC):
......@@ -361,6 +361,18 @@ class EntityTC(CubicWebTC):
'NOT (S connait AD, AD nom "toto"), AD is Personne, '
'EXISTS(S travaille AE, AE nom "tutu")')
def test_unrelated_rql_security_rel_perms(self):
'''check `connait` add permission has no effect for a new entity on the
unrelated rql'''
rdef = self.schema['Personne'].rdef('connait')
perm_rrqle = RRQLExpression('U has_update_permission S')
with self.temporary_permissions((rdef, {'add': (perm_rrqle,)})):
person = self.vreg['etypes'].etype_class('Personne')(self.request())
rql = person.cw_unrelated_rql('connait', 'Personne', 'subject')[0]
self.assertEqual(rql, 'Any O,AA,AB,AC ORDERBY AC DESC WHERE '
'O is Personne, O nom AA, O prenom AB, '
'O modification_date AC')
def test_unrelated_rql_constraints_edition_subject(self):
person = self.request().create_entity('Personne', nom=u'sylvain')
rql = person.cw_unrelated_rql('connait', 'Personne', 'subject')[0]
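Review bot: `test_unrelated_rql_security_rel_perms` only exercises an expression on `S`, the entity being created, so it would pass just as well if the new filter dropped every 'add' expression. A companion case with an expression on the searched variable, for example `RRQLExpression('U has_update_permission O')`, asserting that the returned RQL still carries the restriction, would pin down that permission constraints on candidate entities survive for a new entity. The `'object'` role is not covered by the added test either.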
......