# HG changeset patch
# User Sylvain Thénault
# Date 1341577873 -7200
# Node ID 113184eb4e068ad4b4ef32dd48942488c229c761
# Parent 11063635c4e41e0e8f354860c93dfe2580e0f4ef
# Parent f441056a2b61aa76ca6e016e7ddf79352191b87d
backport stable
diff -r 11063635c4e4 -r 113184eb4e06 __pkginfo__.py
diff -r 11063635c4e4 -r 113184eb4e06 debian/control
diff -r 11063635c4e4 -r 113184eb4e06 devtools/devctl.py
--- a/devtools/devctl.py Fri Jul 06 09:00:33 2012 +0200
+++ b/devtools/devctl.py Fri Jul 06 14:31:13 2012 +0200
@@ -726,7 +726,7 @@
 min_args = max_args = 1
 options = [
 ('output-file',
- {'type':'file', 'default': None,
+ {'type':'string', 'default': None,
 'metavar': '', 'short':'o', 'help':'output image file', 'input':False, }),
diff -r 11063635c4e4 -r 113184eb4e06 rqlrewrite.py
--- a/rqlrewrite.py Fri Jul 06 09:00:33 2012 +0200
+++ b/rqlrewrite.py Fri Jul 06 14:31:13 2012 +0200
@@ -77,12 +77,26 @@
 mytyperel = None
 possibletypes = allpossibletypes[varname]
 if mytyperel is not None:
- # variable as already some types restriction. new possible types
- # can only be a subset of existing ones, so only remove no more
- # possible types
- for cst in mytyperel.get_nodes(n.Constant):
- if not cst.value in possibletypes:
- cst.parent.remove(cst)
+ if mytyperel.r_type == 'is_instance_of':
+ # turn is_instance_of relation into a is relation since we've
+ # all possible solutions and don't want to bother with
+ # potential is_instance_of incompatibility
+ mytyperel.r_type = 'is'
+ if len(possibletypes) > 1:
+ node = n.Function('IN')
+ for etype in possibletypes:
+ node.append(n.Constant(etype, 'etype'))
+ else:
+ node = n.Constant(etype, 'etype')
+ comp = mytyperel.children[1]
+ comp.replace(comp.children[0], node)
+ else:
+ # variable has already some strict types restriction. new
+ # possible types can only be a subset of existing ones, so only
+ # remove no more possible types
+ for cst in mytyperel.get_nodes(n.Constant):
+ if not cst.value in possibletypes:
+ cst.parent.remove(cst)
 else:
 # we have to add types restriction
 if stinfo.get('scope') is not None:
diff -r 11063635c4e4 -r 113184eb4e06 server/test/unittest_security.py
--- a/server/test/unittest_security.py Fri Jul 06 09:00:33 2012 +0200
+++ b/server/test/unittest_security.py Fri Jul 06 14:31:13 2012 +0200
@@ -23,8 +23,10 @@
 from cubicweb.devtools.testlib import CubicWebTC
 from cubicweb import Unauthorized, ValidationError, QueryError
+from cubicweb.schema import ERQLExpression
 from cubicweb.server.querier import check_read_access
+
 class BaseSecurityTC(CubicWebTC):
 def setup_database(self):
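Review bot: `etype` is not bound inside the single-type `else:` branch of the rqlrewrite.py hunk; the only binding visible is the `for etype in possibletypes:` loop in the sibling branch, so `n.Constant(etype, 'etype')` either raises a NameError or picks up a value left over from code outside the hunk. This rewrite fixes which entity types the query is restricted to, and the accompanying test shows read-permission expressions being attached per type, so a stale value would pin the query to the wrong type. Take the value from the collection itself, e.g. `node = n.Constant(next(iter(possibletypes)), 'etype')`. The enclosing function starts and ends outside the hunk, so confirm whether `etype` is assigned earlier and whether `possibletypes` can be empty here.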
@@ -468,6 +470,28 @@
 cnx.rollback()
 cnx.close()
+ def test_yams_inheritance_and_security_bug(self):
+ oldperms = self.schema['Division'].permissions
+ try:
+ self.schema['Division'].permissions = {
+ 'read': ('managers', ERQLExpression('X owned_by U')),
+ 'add': ('managers', 'users'),
+ 'update': ('managers', 'owners'),
+ 'delete': ('managers', 'owners')}
+ self.login('iaminusersgrouponly')
+ querier = self.repo.querier
+ rqlst = querier.parse('Any X WHERE X is_instance_of Societe')
+ querier.solutions(self.session, rqlst, {})
+ querier._annotate(rqlst)
+ plan = querier.plan_factory(rqlst, {}, self.session)
+ plan.preprocess(rqlst)
+ self.assertEqual(
+ rqlst.as_string(),
+ '(Any X WHERE X is IN(SubDivision, Societe)) UNION (Any X WHERE X is Division, EXISTS(X owned_by %(B)s))')
+ finally:
+ self.schema['Division'].permissions = oldperms
+
+
 class BaseSchemaSecurityTC(BaseSecurityTC):
 """tests related to the base schema permission configuration"""
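Review bot: The expected string pins the order of the types inside `IN(SubDivision, Societe)`, while the rqlrewrite.py hunk in this changeset appends them in the iteration order of `possibletypes`; if that is a set, the assertion depends on hash ordering and can fail spuriously. Iterating `for etype in sorted(possibletypes):` in the rewriter, with the expected string updated to the sorted order, would make the check stable. The query also has a single variable, so it may not notice if the `X is Division` restriction takes its type from a name bound elsewhere rather than from `possibletypes`; a second case with two differently typed variables would cover that. Because this test guards a read-permission rewrite, a one-line docstring naming the bug it reproduces would help later maintainers.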