# HG changeset patch
# User Sylvain Thénault
# Date 1261148359 -3600
# Node ID 7484546271766cbc3dc1c35acaab95e6b65e75dc
# Parent 40624a708dd4f9ec8ec98aa08a84f423d23c9be1
cubicweb security #36257: les urls /add/EntityName sont accessibles en anonyme
diff -r 40624a708dd4 -r 748454627176 selectors.py
--- a/selectors.py Fri Dec 18 13:28:20 2009 +0100
+++ b/selectors.py Fri Dec 18 15:59:19 2009 +0100
@@ -621,7 +621,12 @@
 req.form['etype'] = etype
 except KeyError:
 return 0
- return self.score_class(cls.vreg['etypes'].etype_class(etype), req)
+ score = self.score_class(cls.vreg['etypes'].etype_class(etype), req)
+ if score:
+ eschema = req.vreg.schema.eschema(etype)
+ if eschema.has_local_role('add') or eschema.has_perm(req, 'add'):
+ return score
+ return 0
 class entity_implements(ImplementsMixIn, EntitySelector):
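Review bot: The new guard returns `score` as soon as `eschema.has_local_role('add')` is true, before `has_perm(req, 'add')` ever looks at the requesting user, so for entity types whose add permission is expressed through a local role the /add/EntityName view presumably stays selectable for an anonymous session, which is the case this changeset is meant to close. If that is deliberate because a local role can only be evaluated once the entity exists, say so in a comment above the test, e.g. `# local roles cannot be checked before the entity exists; the repository enforces 'add' on creation`, and confirm that creation really is rejected on the repository side, since a selector only decides whether the form is offered. The added lines also reach the registry through `req.vreg` while the line just above uses `cls.vreg`; use one consistently. A regression test that selects this view with an anonymous request would pin the fix. The enclosing method starts outside the hunk, so the `try` that sets `etype` is not fully visible here.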