# HG changeset patch
# User Sylvain Thénault
# Date 1268328518 -3600
# Node ID 230ace4d68c002c7c053300e6bc6d9301d56e3f3
# Parent 5dd4a9a4626629fa8436e29cb55706ee232ce4cf
[write security] we must check perm with read security disabled + add missing eid argument to check_perm
diff -r 5dd4a9a46266 -r 230ace4d68c0 server/ssplanner.py
--- a/server/ssplanner.py Tue Mar 09 14:38:41 2010 +0100
+++ b/server/ssplanner.py Thu Mar 11 18:28:38 2010 +0100
@@ -5,6 +5,8 @@
 :contact: http://www.logilab.fr/ -- mailto:contact@logilab.fr
 :license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses
 """
+from __future__ import with_statement
+
 __docformat__ = "restructuredtext en"
 from copy import copy
@@ -15,6 +17,7 @@
 from cubicweb import QueryError, typed_eid
 from cubicweb.schema import VIRTUAL_RTYPES
 from cubicweb.rqlrewrite import add_types_restriction
+from cubicweb.server.session import security_enabled
 READ_ONLY_RTYPES = set(('eid', 'has_text', 'is', 'is_instance_of', 'identity'))
@@ -58,12 +61,12 @@
 the syntax tree
 """
 session = plan.session
- eschema = session.vreg.schema.eschema
 if rqlst.where is None:
 return {}
 eidconsts = {}
 neweids = session.transaction_data.get('neweids', ())
 checkread = session.read_security
+ eschema = session.vreg.schema.eschema
 for rel in rqlst.where.get_nodes(Relation):
 if rel.r_type == 'eid' and not rel.neged(strict=True):
 lhs, rhs = rel.get_variable_parts()
@@ -73,7 +76,9 @@
 # the generated select substep if not emited (eg nothing
 # to be selected)
 if checkread and eid not in neweids:
- eschema(session.describe(eid)[0]).check_perm(session, 'read')
+ with security_enabled(session, read=False):
+ eschema(session.describe(eid)[0]).check_perm(
+ session, 'read', eid=eid)
 eidconsts[lhs.variable] = eid
 return eidconsts
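Review bot: The `with security_enabled(session, read=False):` wrapper in the last hunk (`@@ -73,7 +76,9 @@`) switches read security off around a call that itself checks the 'read' permission, and nothing in the code explains why. A maintainer reading it cold could take it for a bypass and remove it, or widen the block to cover more statements. I would add a comment above the `with`, for example `# read security is off only for the queries check_perm runs internally; the 'read' permission on eid is still enforced by check_perm itself`, provided that matches the intent behind the commit title. check_perm presumably signals denial by raising, so the exception exit of security_enabled is the path that matters here; it is defined in cubicweb.server.session, outside this diff, and it is worth confirming that it restores the previous read-security state in that case. The enclosing function starts and ends outside the hunk.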