equal
deleted
inserted
replaced
83 for this variable (with the given solution). |
83 for this variable (with the given solution). |
84 """ |
84 """ |
85 # use `term_etype` since we've to deal with rewritten constants here, |
85 # use `term_etype` since we've to deal with rewritten constants here, |
86 # when used as an external source by another repository. |
86 # when used as an external source by another repository. |
87 # XXX what about local read security w/ those rewritten constants... |
87 # XXX what about local read security w/ those rewritten constants... |
|
88 DBG = (server.DEBUG & server.DBG_SEC) and 'read' in server._SECURITY_CAPS |
88 schema = session.repo.schema |
89 schema = session.repo.schema |
89 if rqlst.where is not None: |
90 if rqlst.where is not None: |
90 for rel in rqlst.where.iget_nodes(Relation): |
91 for rel in rqlst.where.iget_nodes(Relation): |
91 # XXX has_text may have specific perm ? |
92 # XXX has_text may have specific perm ? |
92 if rel.r_type in READ_ONLY_RTYPES: |
93 if rel.r_type in READ_ONLY_RTYPES: |
100 rdef = rschema.rdef(term_etype(session, rel.children[0], |
101 rdef = rschema.rdef(term_etype(session, rel.children[0], |
101 solution, args), |
102 solution, args), |
102 term_etype(session, rel.children[1].children[0], |
103 term_etype(session, rel.children[1].children[0], |
103 solution, args)) |
104 solution, args)) |
104 if not session.user.matching_groups(rdef.get_groups('read')): |
105 if not session.user.matching_groups(rdef.get_groups('read')): |
|
106 if DBG: |
|
107 print ('check_read_access: %s %s does not match %s' % |
|
108 (rdef, session.user.groups, rdef.get_groups('read'))) |
105 # XXX rqlexpr not allowed |
109 # XXX rqlexpr not allowed |
106 raise Unauthorized('read', rel.r_type) |
110 raise Unauthorized('read', rel.r_type) |
|
111 if DBG: |
|
112 print ('check_read_access: %s %s matches %s' % |
|
113 (rdef, session.user.groups, rdef.get_groups('read'))) |
107 localchecks = {} |
114 localchecks = {} |
108 # iterate on defined_vars and not on solutions to ignore column aliases |
115 # iterate on defined_vars and not on solutions to ignore column aliases |
109 for varname in rqlst.defined_vars: |
116 for varname in rqlst.defined_vars: |
110 eschema = schema.eschema(solution[varname]) |
117 eschema = schema.eschema(solution[varname]) |
111 if eschema.final: |
118 if eschema.final: |
113 if not session.user.matching_groups(eschema.get_groups('read')): |
120 if not session.user.matching_groups(eschema.get_groups('read')): |
114 erqlexprs = eschema.get_rqlexprs('read') |
121 erqlexprs = eschema.get_rqlexprs('read') |
115 if not erqlexprs: |
122 if not erqlexprs: |
116 ex = Unauthorized('read', solution[varname]) |
123 ex = Unauthorized('read', solution[varname]) |
117 ex.var = varname |
124 ex.var = varname |
|
125 if DBG: |
|
126 print ('check_read_access: %s %s %s %s' % |
|
127 (varname, eschema, session.user.groups, eschema.get_groups('read'))) |
118 raise ex |
128 raise ex |
119 # don't insert security on variable only referenced by 'NOT X relation Y' or |
129 # don't insert security on variable only referenced by 'NOT X relation Y' or |
120 # 'NOT EXISTS(X relation Y)' |
130 # 'NOT EXISTS(X relation Y)' |
121 varinfo = rqlst.defined_vars[varname].stinfo |
131 varinfo = rqlst.defined_vars[varname].stinfo |
122 if varinfo['selected'] or ( |
132 if varinfo['selected'] or ( |