# HG changeset patch
# User Florent Cayré
# Date 1342625219 -7200
# Node ID 444a8e25c940e76aa3f3409d8d699362461e05f7
# Parent 05992aa3fc0d802f4c4474979e882b1b82d721d8
[entity] fix unrelated_rql for creation form vocabulary for relation with specific permissions (closes #2423854)
diff -r 05992aa3fc0d -r 444a8e25c940 entity.py
--- a/entity.py Tue Jul 17 12:06:52 2012 +0200
+++ b/entity.py Wed Jul 18 17:26:59 2012 +0200
@@ -1112,6 +1112,9 @@
 # insert security RQL expressions granting the permission to 'add' the
 # relation into the rql syntax tree, if necessary
 rqlexprs = rdef.get_rqlexprs('add')
+ if not self.has_eid():
+ rqlexprs = [rqlexpr for rqlexpr in rqlexprs
+ if searchedvar.name in rqlexpr.mainvars]
 if rqlexprs and not rdef.has_perm(self._cw, 'add', **sec_check_args):
 # compute a varmap suitable to RQLRewriter.rewrite argument
 varmap = dict((v, v) for v in (searchedvar.name, evar.name)
diff -r 05992aa3fc0d -r 444a8e25c940 test/unittest_entity.py
--- a/test/unittest_entity.py Tue Jul 17 12:06:52 2012 +0200
+++ b/test/unittest_entity.py Wed Jul 18 17:26:59 2012 +0200
@@ -28,7 +28,7 @@
 from cubicweb.mttransforms import HAS_TAL
 from cubicweb.entities import fetch_config
 from cubicweb.uilib import soup2xhtml
-from cubicweb.schema import RQLVocabularyConstraint
+from cubicweb.schema import RQLVocabularyConstraint, RRQLExpression
 class EntityTC(CubicWebTC):
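Review bot: In entity.py, the new `if not self.has_eid():` filter silently discards every 'add' permission expression that does not mention the searched variable, and nothing in the hunk records why that is safe. When the filtered list ends up empty, `if rqlexprs and not rdef.has_perm(...)` short-circuits, so the rewrite it guards appears to be skipped and the vocabulary query carries no security restriction; the result is then only a UI hint, and the 'add' permission still has to be enforced when the relation is actually created. I would add a comment above the filter such as `# entity has no eid yet: expressions that only constrain it cannot be evaluated here, keep those involving the searched variable; 'add' is still checked when the relation is created`, once that later check is confirmed. The enclosing method starts and ends outside the hunk.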
@@ -361,6 +361,18 @@
 'NOT (S connait AD, AD nom "toto"), AD is Personne, '
 'EXISTS(S travaille AE, AE nom "tutu")')
+ def test_unrelated_rql_security_rel_perms(self):
+ '''check `connait` add permission has no effect for a new entity on the
+ unrelated rql'''
+ rdef = self.schema['Personne'].rdef('connait')
+ perm_rrqle = RRQLExpression('U has_update_permission S')
+ with self.temporary_permissions((rdef, {'add': (perm_rrqle,)})):
+ person = self.vreg['etypes'].etype_class('Personne')(self.request())
+ rql = person.cw_unrelated_rql('connait', 'Personne', 'subject')[0]
+ self.assertEqual(rql, 'Any O,AA,AB,AC ORDERBY AC DESC WHERE '
+ 'O is Personne, O nom AA, O prenom AB, '
+ 'O modification_date AC')
+
 def test_unrelated_rql_constraints_edition_subject(self):
 person = self.request().create_entity('Personne', nom=u'sylvain')
 rql = person.cw_unrelated_rql('connait', 'Personne', 'subject')[0]
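Review bot: `test_unrelated_rql_security_rel_perms` only covers the case where the permission expression is discarded: `U has_update_permission S` mentions the new entity alone, and the assertion checks that the RQL carries no restriction. The security-relevant half of the change is untested, namely an expression that mentions the searched variable and must therefore still be inserted into the query for an entity without eid, and `role='object'` is not exercised either. A companion test using an expression on `O` (or on both `S` and `O`) that asserts the restriction is present in the returned RQL would catch a regression that drops too many expressions.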