diff -r 1169d3154be6 -r 7ca53fc72a0a server/querier.py
--- a/server/querier.py	Wed Nov 18 09:16:38 2009 +0100
+++ b/server/querier.py	Thu Nov 19 12:55:47 2009 +0100
@@ -71,14 +71,23 @@
             # XXX has_text may have specific perm ?
             if rel.r_type in READ_ONLY_RTYPES:
                 continue
-            if not schema.rschema(rel.r_type).has_access(user, 'read'):
+            rschema = schema.rschema(rel.r_type)
+            if rschema.final:
+                eschema = schema.eschema(solution[rel.children[0].name])
+                rdef = eschema.rdef(rschema)
+            else:
+                rdef = rschema.rdef(solution[rel.children[0].name],
+                                    solution[rel.children[1].children[0].name])
+            if not user.matching_groups(rdef.get_groups('read')):
                 raise Unauthorized('read', rel.r_type)
     localchecks = {}
     # iterate on defined_vars and not on solutions to ignore column aliases
     for varname in rqlst.defined_vars:
         etype = solution[varname]
         eschema = schema.eschema(etype)
-        if not eschema.has_access(user, 'read'):
+        if eschema.final:
+            continue
+        if not user.matching_groups(eschema.get_groups('read')):
             erqlexprs = eschema.get_rqlexprs('read')
             if not erqlexprs:
                 ex = Unauthorized('read', etype)