equal
deleted
inserted
replaced
27 |
27 |
28 from logilab.common.cache import Cache |
28 from logilab.common.cache import Cache |
29 from logilab.common.compat import any |
29 from logilab.common.compat import any |
30 from rql import RQLSyntaxError |
30 from rql import RQLSyntaxError |
31 from rql.stmts import Union, Select |
31 from rql.stmts import Union, Select |
32 from rql.nodes import Relation, VariableRef, Constant, SubQuery |
32 from rql.nodes import Relation, VariableRef, Constant, SubQuery, Exists, Not |
33 |
33 |
34 from cubicweb import Unauthorized, QueryError, UnknownEid, typed_eid |
34 from cubicweb import Unauthorized, QueryError, UnknownEid, typed_eid |
35 from cubicweb import server |
35 from cubicweb import server |
36 from cubicweb.rset import ResultSet |
36 from cubicweb.rset import ResultSet |
37 |
37 |
110 erqlexprs = eschema.get_rqlexprs('read') |
110 erqlexprs = eschema.get_rqlexprs('read') |
111 if not erqlexprs: |
111 if not erqlexprs: |
112 ex = Unauthorized('read', solution[varname]) |
112 ex = Unauthorized('read', solution[varname]) |
113 ex.var = varname |
113 ex.var = varname |
114 raise ex |
114 raise ex |
115 localchecks[varname] = erqlexprs |
115 # don't insert security on variable only referenced by 'NOT X relation Y' or |
|
116 # 'NOT EXISTS(X relation Y)' |
|
117 varinfo = rqlst.defined_vars[varname].stinfo |
|
118 if varinfo['selected'] or ( |
|
119 len([r for r in varinfo['relations'] |
|
120 if (not schema.rschema(r.r_type).final |
|
121 and ((isinstance(r.parent, Exists) and r.parent.neged(strict=True)) |
|
122 or isinstance(r.parent, Not)))]) |
|
123 != len(varinfo['relations'])): |
|
124 localchecks[varname] = erqlexprs |
116 return localchecks |
125 return localchecks |
117 |
126 |
118 def add_noinvariant(noinvariant, restricted, select, nbtrees): |
127 def add_noinvariant(noinvariant, restricted, select, nbtrees): |
119 # a variable can actually be invariant if it has not been restricted for |
128 # a variable can actually be invariant if it has not been restricted for |
120 # security reason or if security assertion hasn't modified the possible |
129 # security reason or if security assertion hasn't modified the possible |