diff -r b718626a0e60 -r 13b0b96d7982 server/querier.py --- a/server/querier.py Mon Mar 08 19:02:35 2010 +0100 +++ b/server/querier.py Tue Mar 09 08:59:43 2010 +0100 @@ -6,6 +6,8 @@ :contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr :license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses """ +from __future__ import with_statement + __docformat__ = "restructuredtext en" from itertools import repeat @@ -23,7 +25,7 @@ from cubicweb.server.utils import cleanup_solutions from cubicweb.server.rqlannotation import SQLGenAnnotator, set_qdata from cubicweb.server.ssplanner import READ_ONLY_RTYPES, add_types_restriction - +from cubicweb.server.session import security_enabled def empty_rset(rql, args, rqlst=None): """build an empty result set object""" @@ -200,8 +202,11 @@ return rqlst to actually execute """ noinvariant = set() - if security and not self.session.is_super_session: - self._insert_security(union, noinvariant) + if security and self.session.read_security: + # ensure security is turned of when security is inserted, + # else we may loop for ever... + with security_enabled(self.session, read=False): + self._insert_security(union, noinvariant) self.rqlhelper.simplify(union) self.sqlannotate(union) set_qdata(self.schema.rschema, union, noinvariant) @@ -299,7 +304,6 @@ note: rqlst should not have been simplified at this point """ - assert not self.session.is_super_session user = self.session.user schema = self.schema msgs = [] @@ -601,14 +605,14 @@ self._rql_cache[cachekey] = rqlst orig_rqlst = rqlst if not rqlst.TYPE == 'select': - if not session.is_super_session: + if session.read_security: check_no_password_selected(rqlst) # write query, ensure session's mode is 'write' so connections # won't be released until commit/rollback session.mode = 'write' cachekey = None else: - if not session.is_super_session: + if session.read_security: for select in rqlst.children: check_no_password_selected(select) # on select query, always copy the cached rqlst so we don't have to