69 if rqlst.where is not None: |
69 if rqlst.where is not None: |
70 for rel in rqlst.where.iget_nodes(Relation): |
70 for rel in rqlst.where.iget_nodes(Relation): |
71 # XXX has_text may have specific perm ? |
71 # XXX has_text may have specific perm ? |
72 if rel.r_type in READ_ONLY_RTYPES: |
72 if rel.r_type in READ_ONLY_RTYPES: |
73 continue |
73 continue |
74 if not schema.rschema(rel.r_type).has_access(user, 'read'): |
74 rschema = schema.rschema(rel.r_type) |
|
75 if rschema.final: |
|
76 eschema = schema.eschema(solution[rel.children[0].name]) |
|
77 rdef = eschema.rdef(rschema) |
|
78 else: |
|
79 rdef = rschema.rdef(solution[rel.children[0].name], |
|
80 solution[rel.children[1].children[0].name]) |
|
81 if not user.matching_groups(rdef.get_groups('read')): |
75 raise Unauthorized('read', rel.r_type) |
82 raise Unauthorized('read', rel.r_type) |
76 localchecks = {} |
83 localchecks = {} |
77 # iterate on defined_vars and not on solutions to ignore column aliases |
84 # iterate on defined_vars and not on solutions to ignore column aliases |
78 for varname in rqlst.defined_vars: |
85 for varname in rqlst.defined_vars: |
79 etype = solution[varname] |
86 etype = solution[varname] |
80 eschema = schema.eschema(etype) |
87 eschema = schema.eschema(etype) |
81 if not eschema.has_access(user, 'read'): |
88 if eschema.final: |
|
89 continue |
|
90 if not user.matching_groups(eschema.get_groups('read')): |
82 erqlexprs = eschema.get_rqlexprs('read') |
91 erqlexprs = eschema.get_rqlexprs('read') |
83 if not erqlexprs: |
92 if not erqlexprs: |
84 ex = Unauthorized('read', etype) |
93 ex = Unauthorized('read', etype) |
85 ex.var = varname |
94 ex.var = varname |
86 raise ex |
95 raise ex |