equal
deleted
inserted
replaced
27 |
27 |
28 from logilab.common.cache import Cache |
28 from logilab.common.cache import Cache |
29 from logilab.common.compat import any |
29 from logilab.common.compat import any |
30 from rql import RQLSyntaxError |
30 from rql import RQLSyntaxError |
31 from rql.stmts import Union, Select |
31 from rql.stmts import Union, Select |
32 from rql.nodes import Relation, VariableRef, Constant, SubQuery, Function |
32 from rql.nodes import (Relation, VariableRef, Constant, SubQuery, Function, |
|
33 Exists, Not) |
33 |
34 |
34 from cubicweb import Unauthorized, QueryError, UnknownEid, typed_eid |
35 from cubicweb import Unauthorized, QueryError, UnknownEid, typed_eid |
35 from cubicweb import server |
36 from cubicweb import server |
36 from cubicweb.rset import ResultSet |
37 from cubicweb.rset import ResultSet |
37 |
38 |
111 erqlexprs = eschema.get_rqlexprs('read') |
112 erqlexprs = eschema.get_rqlexprs('read') |
112 if not erqlexprs: |
113 if not erqlexprs: |
113 ex = Unauthorized('read', solution[varname]) |
114 ex = Unauthorized('read', solution[varname]) |
114 ex.var = varname |
115 ex.var = varname |
115 raise ex |
116 raise ex |
116 localchecks[varname] = erqlexprs |
117 # don't insert security on variable only referenced by 'NOT X relation Y' or |
|
118 # 'NOT EXISTS(X relation Y)' |
|
119 varinfo = rqlst.defined_vars[varname].stinfo |
|
120 if varinfo['selected'] or ( |
|
121 len([r for r in varinfo['relations'] |
|
122 if (not schema.rschema(r.r_type).final |
|
123 and ((isinstance(r.parent, Exists) and r.parent.neged(strict=True)) |
|
124 or isinstance(r.parent, Not)))]) |
|
125 != len(varinfo['relations'])): |
|
126 localchecks[varname] = erqlexprs |
117 return localchecks |
127 return localchecks |
118 |
128 |
119 def add_noinvariant(noinvariant, restricted, select, nbtrees): |
129 def add_noinvariant(noinvariant, restricted, select, nbtrees): |
120 # a variable can actually be invariant if it has not been restricted for |
130 # a variable can actually be invariant if it has not been restricted for |
121 # security reason or if security assertion hasn't modified the possible |
131 # security reason or if security assertion hasn't modified the possible |