# HG changeset patch # User Sylvain Thénault # Date 1441780369 -7200 # Node ID a8b33789b982d09b366630d2e85b856fa3467083 # Parent a9e9daf7759891987d8b6d7257e8a06206b57329 [autoform] fix appearance of link to add inlined creation form On entity creation, if there are some local permissions on the relation, we have no way of checking them since neither the subject nor the object of the relation exists yet. In such a case, we should add the link by default, for consistency (see other places where we use `may_have_permission`). Closes #6711900 diff -r a9e9daf77598 -r a8b33789b982 web/test/unittest_views_editforms.py --- a/web/test/unittest_views_editforms.py Thu Oct 08 11:47:15 2015 +0200 +++ b/web/test/unittest_views_editforms.py Wed Sep 09 08:32:49 2015 +0200 @@ -20,6 +20,8 @@ from cubicweb.devtools.testlib import CubicWebTC from cubicweb.web.views import uicfg from cubicweb.web.formwidgets import AutoCompletionWidget +from cubicweb.schema import RRQLExpression + AFFK = uicfg.autoform_field_kwargs AFS = uicfg.autoform_section @@ -179,6 +181,29 @@ autoform = self.vreg['forms'].select('edition', req, entity=req.user) self.assertEqual(list(autoform.inlined_form_views()), []) + def test_check_inlined_rdef_permissions(self): + # try to check permissions when creating an entity ('user' below is a + # fresh entity without an eid) + with self.admin_access.web_request() as req: + ttype = 'EmailAddress' + rschema = self.schema['use_email'] + rdef = rschema.rdefs[('CWUser', ttype)] + tschema = self.schema[ttype] + role = 'subject' + with self.temporary_permissions((rdef, {'add': ()})): + user = self.vreg['etypes'].etype_class('CWUser')(req) + autoform = self.vreg['forms'].select('edition', req, entity=user) + self.assertFalse(autoform.check_inlined_rdef_permissions(rschema, role, + tschema, ttype)) + # we actually don't care about the actual expression, + # may_have_permission only checks the presence of such expressions + expr = RRQLExpression('S use_email O') + with self.temporary_permissions((rdef, {'add': (expr,)})): + user = self.vreg['etypes'].etype_class('CWUser')(req) + autoform = self.vreg['forms'].select('edition', req, entity=user) + self.assertTrue(autoform.check_inlined_rdef_permissions(rschema, role, + tschema, ttype)) + class FormViewsTC(CubicWebTC): diff -r a9e9daf77598 -r a8b33789b982 web/views/autoform.py --- a/web/views/autoform.py Thu Oct 08 11:47:15 2015 +0200 +++ b/web/views/autoform.py Wed Sep 09 08:32:49 2015 +0200 @@ -952,6 +952,8 @@ def check_inlined_rdef_permissions(self, rschema, role, tschema, ttype): """return true if permissions are granted on the inlined object and relation""" + if not tschema.has_perm(self._cw, 'add'): + return False entity = self.edited_entity rdef = entity.e_schema.rdef(rschema, role, ttype) if entity.has_eid(): @@ -959,10 +961,8 @@ rdefkwargs = {'fromeid': entity.eid} else: rdefkwargs = {'toeid': entity.eid} - else: - rdefkwargs = {} - return (tschema.has_perm(self._cw, 'add') - and rdef.has_perm(self._cw, 'add', **rdefkwargs)) + return rdef.has_perm(self._cw, 'add', **rdefkwargs) + return rdef.may_have_permission('add', self._cw) def should_hide_add_new_relation_link(self, rschema, card):