73 strict = False |
73 strict = False |
74 for rschema, targetschemas, role in eschema.relation_definitions(True): |
74 for rschema, targetschemas, role in eschema.relation_definitions(True): |
75 # check category first, potentially lower cost than checking |
75 # check category first, potentially lower cost than checking |
76 # permission which may imply rql queries |
76 # permission which may imply rql queries |
77 if categories is not None: |
77 if categories is not None: |
78 targetschemas = [tschema for tschema in targetschemas |
78 _targetschemas = [] |
79 if rtags.etype_get(eschema, rschema, role, tschema) in categories] |
79 for tschema in targetschemas: |
80 if not targetschemas: |
80 if not rtags.etype_get(eschema, rschema, role, tschema) in categories: |
|
81 continue |
|
82 rdef = rschema.role_rdef(eschema, tschema, role) |
|
83 if not ((not strict and rdef.has_local_role(permission)) or |
|
84 rdef.has_perm(entity.req, permission, fromeid=eid)): |
|
85 continue |
|
86 _targetschemas.append(tschema) |
|
87 if not _targetschemas: |
81 continue |
88 continue |
|
89 targetschemas = _targetschemas |
82 if permission is not None: |
90 if permission is not None: |
83 # tag allowing to hijack the permission machinery when |
91 # tag allowing to hijack the permission machinery when |
84 # permission is not verifiable until the entity is actually |
92 # permission is not verifiable until the entity is actually |
85 # created... |
93 # created... |
86 if eid is None and '%s_on_new' % permission in permsoverrides.etype_get(eschema, rschema, role): |
94 if eid is None and '%s_on_new' % permission in permsoverrides.etype_get(eschema, rschema, role): |
87 yield (rschema, targetschemas, role) |
95 yield (rschema, targetschemas, role) |
88 continue |
96 continue |
89 if rschema.final: |
97 if rschema.final: |
90 if not rschema.has_perm(entity.req, permission, eid): |
98 if not eschema.rdef(rschema).has_perm(entity.req, permission, eid=eid): |
91 continue |
99 continue |
92 elif role == 'subject': |
100 elif role == 'subject': |
93 if not ((not strict and rschema.has_local_role(permission)) or |
|
94 rschema.has_perm(entity.req, permission, fromeid=eid)): |
|
95 continue |
|
96 # on relation with cardinality 1 or ?, we need delete perm as well |
101 # on relation with cardinality 1 or ?, we need delete perm as well |
97 # if the relation is already set |
102 # if the relation is already set |
98 if (permission == 'add' |
103 if (permission == 'add' |
99 and rschema.cardinality(eschema, targetschemas[0], role) in '1?' |
104 and rschema.rdef(eschema, targetschemas[0]).role_cardinality(role) in '1?' |
100 and eid and entity.related(rschema.type, role) |
105 and eid and entity.related(rschema.type, role) |
101 and not rschema.has_perm(entity.req, 'delete', fromeid=eid, |
106 and not rschema.has_perm(entity.req, 'delete', fromeid=eid, |
102 toeid=entity.related(rschema.type, role)[0][0])): |
107 toeid=entity.related(rschema.type, role)[0][0])): |
103 continue |
108 continue |
104 elif role == 'object': |
109 elif role == 'object': |
105 if not ((not strict and rschema.has_local_role(permission)) or |
|
106 rschema.has_perm(entity.req, permission, toeid=eid)): |
|
107 continue |
|
108 # on relation with cardinality 1 or ?, we need delete perm as well |
110 # on relation with cardinality 1 or ?, we need delete perm as well |
109 # if the relation is already set |
111 # if the relation is already set |
110 if (permission == 'add' |
112 if (permission == 'add' |
111 and rschema.cardinality(targetschemas[0], eschema, role) in '1?' |
113 and rschema.rdef(targetschemas[0], eschema).role_cardinality(role) in '1?' |
112 and eid and entity.related(rschema.type, role) |
114 and eid and entity.related(rschema.type, role) |
113 and not rschema.has_perm(entity.req, 'delete', toeid=eid, |
115 and not rschema.has_perm(entity.req, 'delete', toeid=eid, |
114 fromeid=entity.related(rschema.type, role)[0][0])): |
116 fromeid=entity.related(rschema.type, role)[0][0])): |
115 continue |
117 continue |
116 yield (rschema, targetschemas, role) |
118 yield (rschema, targetschemas, role) |
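Review bot: The per-target check added on new lines 83-84 always calls `rdef.has_perm(entity.req, permission, fromeid=eid)`, whereas the removed `role == 'object'` branch passed `toeid=eid`, so for object-role relations the entity is now tested on the wrong end of the relation and the answer can differ from what the security layer later enforces. Choose the keyword from the role, e.g. `kw = {'fromeid': eid} if role == 'subject' else {'toeid': eid}` followed by `rdef.has_perm(entity.req, permission, **kw)`, assuming the rdef method accepts `toeid` as `rschema.has_perm` does. Indentation is lost on this page, but the new loop appears to sit under `if categories is not None:` and ahead of `if permission is not None:`; if so, it runs with `permission` set to None, is skipped entirely when `categories` is None (leaving non-final relations with only the cardinality/delete test), and fires before the `_on_new` override and the `rschema.final` branch. The enclosing function starts and ends outside the hunk.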