Commit 60762a01 authored by Denis Laxalde's avatar Denis Laxalde
Browse files

[ssplanner] Prevent execution of write queries involving computed relations

Previously, setting a computed relation upon entity creation or
modification (using the ORM or an RQL query) would usually fail with an
operational error in the backend ("no such table"). However, under some
mysterious circumstances (like passing a string as value in cw_set for a
computed relation), the RQL to SQL transformation would simply drop the
clause.

To prevent this to happen, we add a check for computed relation before
adding a relation to an execution plan. This check raises a QueryError.
It happens in several places:

* in querier.InsertPlan.add_relation_def() (called from several places
  in ssplanner steps) for INSERT queries,
* in ssplanner.UpdateStep.execute() for SET queries and,
* in ssplanner.SSplanner.build_delete_plan() for DELETE queries.

Tests added to unittest_querier.py because unittest_sslplanner.py looked
inappropriate (it has only unit tests) and the former already had a
NonRegressionTC class.
parent 06deb43c23c3
......@@ -347,6 +347,8 @@ class InsertPlan(ExecutionPlan):
def add_relation_def(self, rdef):
"""add an relation definition to build"""
edef, rtype, value = rdef
if self.schema[rtype].rule:
raise QueryError("'%s' is a computed relation" % rtype)
self.r_defs.add(rdef)
if not isinstance(edef, int):
self._r_subj_index.setdefault(edef, []).append(rdef)
......
......@@ -204,7 +204,10 @@ class SSPlanner(object):
step.children += self._sel_variable_step(plan, rqlst, etype, var)
steps.append(step)
for relation in rqlst.main_relations:
step = DeleteRelationsStep(plan, relation.r_type)
rtype = relation.r_type
if self.schema[rtype].rule:
raise QueryError("'%s' is a computed relation" % rtype)
step = DeleteRelationsStep(plan, rtype)
step.children += self._sel_relation_steps(plan, rqlst, relation)
steps.append(step)
return steps
......@@ -493,6 +496,9 @@ class UpdateStep(Step):
for i, row in enumerate(result):
newrow = []
for (lhsinfo, rhsinfo, rschema) in self.updatedefs:
if rschema.rule:
raise QueryError("'%s' is a computed relation"
% rschema.type)
lhsval = _handle_relterm(lhsinfo, row, newrow)
rhsval = _handle_relterm(rhsinfo, row, newrow)
if rschema.final or rschema.inlined:
......
......@@ -19,6 +19,7 @@
"""unit tests for modules cubicweb.server.querier and cubicweb.server.ssplanner
"""
from contextlib import contextmanager
from datetime import date, datetime, timedelta, tzinfo
import unittest
......@@ -1667,5 +1668,33 @@ class NonRegressionTC(CubicWebTC):
[[a1.eid]],
cnx.execute('Any A ORDERBY A WHERE U use_email A, U login "admin"').rows)
def test_computed_relation_in_write_queries(self):
"""Computed relations are not allowed in main part of write queries."""
@contextmanager
def check(cnx):
with self.assertRaises(QueryError) as cm:
yield
self.assertIn("'user_login' is a computed relation",
str(cm.exception))
cnx.rollback()
with self.admin_access.cnx() as cnx:
person = cnx.create_entity('Personne', nom=u'p')
cnx.commit()
# create
with check(cnx):
cnx.execute('INSERT CWUser X: X login "user", X user_login P'
' WHERE P is Personne, P nom "p"')
# update
bob = self.create_user(cnx, u'bob')
with check(cnx):
cnx.execute('SET U user_login P WHERE U login "bob", P nom "p"')
# delete
person.cw_set(login_user=bob)
cnx.commit()
with check(cnx):
cnx.execute('DELETE U user_login P WHERE U login "bob"')
if __name__ == '__main__':
unittest.main()
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment