# HG changeset patch
# User Sylvain Thénault <sylvain.thenault@logilab.fr>
# Date 1278408664 -7200
# Node ID 002af94623d3486acd3c3f8df669165bbfa487b1
# Parent  11cecbaeb7310dc86da83b915a6809d919d2396d
[selectors] relation_possible selector should check user may read target entity type when specified

diff -r 11cecbaeb731 -r 002af94623d3 selectors.py
--- a/selectors.py	Tue Jul 06 09:42:16 2010 +0200
+++ b/selectors.py	Tue Jul 06 11:31:04 2010 +0200
@@ -840,10 +840,13 @@
         if self.target_etype is not None:
             try:
                 rdef = rschema.role_rdef(eschema, self.target_etype, self.role)
-                if self.action and not rdef.may_have_permission(self.action, req):
-                    return 0
             except KeyError:
                 return 0
+            if self.action and not rdef.may_have_permission(self.action, req):
+                return 0
+            teschema = req.vreg.schema.eschema(self.target_etype)
+            if not teschema.may_have_permission('read', req):
+                return 0
         elif self.action:
             return rschema.may_have_permission(self.action, req, eschema, self.role)
         return 1
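Review bot: The new target-type check at `teschema.may_have_permission('read', req)` carries no comment explaining why 'read' is required whatever `self.action` is, and the selector's docstring (outside this hunk) presumably still describes only the relation permission. I would add `# never propose a relation whose target entity type the user cannot read` above the `teschema` lookup and state the rule in the docstring. The same lookup and check is repeated in the second hunk, so a small private helper taking the request would keep the class-level and entity-level paths from drifting apart. The enclosing method starts outside the hunk.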
@@ -860,6 +863,10 @@
                     return 0
             elif not rschema.has_perm(entity._cw, self.action, toeid=entity.eid):
                 return 0
+        if self.target_etype is not None:
+            teschema = entity._cw.vreg.schema.eschema(self.target_etype)
+            if not teschema.may_have_permission('read', req):
+                return 0
         return 1
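Review bot: The added check passes `req` to `may_have_permission`, but every other line visible in this hunk reaches the request through `entity._cw`, including the `teschema` lookup one line above. Unless `req` is bound earlier in the method, which starts outside the hunk, this raises NameError whenever `target_etype` is set instead of returning 0. The line should read `if not teschema.may_have_permission('read', entity._cw):`. A test that scores an entity with `target_etype` set, for a user lacking read permission on that type, would cover this path.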