Commit 8b374ca2 authored by Denis Laxalde's avatar Denis Laxalde

Provide sufficient context to check 'delete' permission in AjaxEditRelationCtxComponent

Call rdef.check only when both fromeid and toeid are available. However, call it
only once (for the first related entity encountered).
Factorize a bit to keep handling of CSS/JS addition the same.

Closes #3670209.
parent ab956b780d4e
......@@ -598,27 +598,41 @@ class AjaxEditRelationCtxComponent(EntityCtxComponent):
w(self.rdef.rtype.display_name(self._cw, self.role,
def add_js_css(self):
self._cw.add_js(('jquery.ui.js', 'cubicweb.widgets.js'))
self._cw.add_js(('cubicweb.ajax.js', ''))
return True
def render_body(self, w):
req = self._cw
entity = self.entity
related = entity.related(self.rtype, self.role)
if self.role == 'subject':
mayadd = self.rdef.has_perm(req, 'add', fromeid=entity.eid)
maydel = self.rdef.has_perm(req, 'delete', fromeid=entity.eid)
mayadd = self.rdef.has_perm(req, 'add', toeid=entity.eid)
maydel = self.rdef.has_perm(req, 'delete', toeid=entity.eid)
if mayadd or maydel:
req.add_js(('jquery.ui.js', 'cubicweb.widgets.js'))
req.add_js(('cubicweb.ajax.js', ''))
js_css_added = False
if mayadd:
js_css_added = self.add_js_css()
_ = req._
if related:
maydel = None
w(u'<table class="ajaxEditRelationTable">')
for rentity in related.entities():
if maydel is None:
# Only check permission for the first related.
if self.role == 'subject':
fromeid, toeid = entity.eid, rentity.eid
fromeid, toeid = rentity.eid, entity.eid
maydel = self.rdef.has_perm(
req, 'delete', fromeid=fromeid, toeid=toeid)
# for each related entity, provide a link to remove the relation
subview = rentity.view(self.item_vid)
if maydel:
if not js_css_added:
js_css_added = self.add_js_css()
jscall = unicode(js.ajaxBoxRemoveLinkedEntity(
self.__regid__, entity.eid, rentity.eid,
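Review bot: In the `for rentity in related.entities()` loop, `maydel` is computed for the first related entity only and then reused for every other row, so with a per-relation rule (the test in this commit uses `RRQLExpression('S owned_by U')`) the remove link can be rendered for relations the user may not delete, or hidden for ones they may. Dropping the `if maydel is None:` guard so that `self.rdef.has_perm(req, 'delete', fromeid=fromeid, toeid=toeid)` runs for each `rentity` would keep the display in line with the schema. If the single check is kept for cost reasons, a comment such as `# display hint only: deleting the relation is still permission-checked server side` would help, assuming that is indeed the case; it is not visible here. `render_body` continues past the end of the hunk.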
......@@ -31,6 +31,7 @@ from logilab.common.testlib import unittest_main
from logilab.common.decorators import monkeypatch
from cubicweb import Binary, NoSelectableObject, ValidationError
from cubicweb.schema import RRQLExpression
from cubicweb.devtools.testlib import CubicWebTC
from cubicweb.utils import json_dumps
from cubicweb.uilib import rql_for_eid
......@@ -808,6 +809,22 @@ class AjaxControllerTC(CubicWebTC):
req.execute('Any N WHERE T tags P, P is CWUser, T name N').rows,
def test_maydel_perms(self):
"""Check that AjaxEditRelationCtxComponent calls rdef.check with a
sufficient context"""
self.remote_call('tag_entity', self.john.eid, ['python'])
with self.temporary_permissions(
(self.schema['tags'].rdefs['Tag', 'CWUser'],
{'delete': (RRQLExpression('S owned_by U'), )}, )):
req = self.request(rql='CWUser P WHERE P login "John"',
pageid='123', fname='view')
ctrl = self.ctrl(req)
rset = self.john.as_rset()
rset.req = req
source = ctrl.publish()
# maydel jscall
self.assertIn('ajaxBoxRemoveLinkedEntity', source)
def test_pending_insertion(self):
with self.remote_calling('add_pending_inserts', [['12', 'tags', '13']]) as (_, req):
deletes = get_pending_deletes(req)
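Review bot: `test_maydel_perms` asserts only the positive case, that `ajaxBoxRemoveLinkedEntity` appears in the output, so a permission check that always returned true would still pass. A second request made as a user who fails `S owned_by U`, with `self.assertNotIn('ajaxBoxRemoveLinkedEntity', source)`, would pin the denial path, and tagging the user with two tags that have different owners would exercise the first-entity-only check in the component. The docstring also says `rdef.check` while the component code in this commit calls `rdef.has_perm`; `"""Check that AjaxEditRelationCtxComponent calls rdef.has_perm with a sufficient context"""` would match what is visible.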