16 # You should have received a copy of the GNU Lesser General Public License along |
16 # You should have received a copy of the GNU Lesser General Public License along |
17 # with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
17 # with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
18 """Helper classes to execute RQL queries on a set of sources, performing |
18 """Helper classes to execute RQL queries on a set of sources, performing |
19 security checking and data aggregation. |
19 security checking and data aggregation. |
20 """ |
20 """ |
|
21 from __future__ import print_function |
|
22 |
21 __docformat__ = "restructuredtext en" |
23 __docformat__ = "restructuredtext en" |
22 |
24 |
23 from itertools import repeat |
25 from itertools import repeat |
24 |
26 |
25 from rql import RQLSyntaxError, CoercionError |
27 from rql import RQLSyntaxError, CoercionError |
101 solution, args), |
103 solution, args), |
102 term_etype(cnx, rel.children[1].children[0], |
104 term_etype(cnx, rel.children[1].children[0], |
103 solution, args)) |
105 solution, args)) |
104 if not user.matching_groups(rdef.get_groups('read')): |
106 if not user.matching_groups(rdef.get_groups('read')): |
105 if DBG: |
107 if DBG: |
106 print ('check_read_access: %s %s does not match %s' % |
108 print('check_read_access: %s %s does not match %s' % |
107 (rdef, user.groups, rdef.get_groups('read'))) |
109 (rdef, user.groups, rdef.get_groups('read'))) |
108 # XXX rqlexpr not allowed |
110 # XXX rqlexpr not allowed |
109 raise Unauthorized('read', rel.r_type) |
111 raise Unauthorized('read', rel.r_type) |
110 if DBG: |
112 if DBG: |
111 print ('check_read_access: %s %s matches %s' % |
113 print('check_read_access: %s %s matches %s' % |
112 (rdef, user.groups, rdef.get_groups('read'))) |
114 (rdef, user.groups, rdef.get_groups('read'))) |
113 |
115 |
114 def get_local_checks(cnx, rqlst, solution): |
116 def get_local_checks(cnx, rqlst, solution): |
115 """Check that the given user has credentials to access data read by the |
117 """Check that the given user has credentials to access data read by the |
116 query and return a dict defining necessary "local checks" (i.e. rql |
118 query and return a dict defining necessary "local checks" (i.e. rql |
117 expression in read permission defined in the schema) where no group grants |
119 expression in read permission defined in the schema) where no group grants |
136 erqlexprs = eschema.get_rqlexprs('read') |
138 erqlexprs = eschema.get_rqlexprs('read') |
137 if not erqlexprs: |
139 if not erqlexprs: |
138 ex = Unauthorized('read', solution[varname]) |
140 ex = Unauthorized('read', solution[varname]) |
139 ex.var = varname |
141 ex.var = varname |
140 if DBG: |
142 if DBG: |
141 print ('check_read_access: %s %s %s %s' % |
143 print('check_read_access: %s %s %s %s' % |
142 (varname, eschema, user.groups, eschema.get_groups('read'))) |
144 (varname, eschema, user.groups, eschema.get_groups('read'))) |
143 raise ex |
145 raise ex |
144 # don't insert security on variable only referenced by 'NOT X relation Y' or |
146 # don't insert security on variable only referenced by 'NOT X relation Y' or |
145 # 'NOT EXISTS(X relation Y)' |
147 # 'NOT EXISTS(X relation Y)' |
146 varinfo = rqlst.defined_vars[varname].stinfo |
148 varinfo = rqlst.defined_vars[varname].stinfo |
147 if varinfo['selected'] or ( |
149 if varinfo['selected'] or ( |
537 always use substitute arguments in queries (i.e. avoid query such as |
539 always use substitute arguments in queries (i.e. avoid query such as |
538 'Any X WHERE X eid 123'!) |
540 'Any X WHERE X eid 123'!) |
539 """ |
541 """ |
540 if server.DEBUG & (server.DBG_RQL | server.DBG_SQL): |
542 if server.DEBUG & (server.DBG_RQL | server.DBG_SQL): |
541 if server.DEBUG & (server.DBG_MORE | server.DBG_SQL): |
543 if server.DEBUG & (server.DBG_MORE | server.DBG_SQL): |
542 print '*'*80 |
544 print('*'*80) |
543 print 'querier input', repr(rql), repr(args) |
545 print('querier input', repr(rql), repr(args)) |
544 # parse the query and binds variables |
546 # parse the query and binds variables |
545 cachekey = (rql,) |
547 cachekey = (rql,) |
546 try: |
548 try: |
547 if args: |
549 if args: |
548 # search for named args in query which are eids (hence |
550 # search for named args in query which are eids (hence |