# HG changeset patch
# User Sylvain Thénault
# Date 1442412257 -7200
# Node ID ec97974b9010d202138a0bda953549017b695309
# Parent 3f24adbf971ac4252c48da4b5ddb737efbe1a41e
make sync_schema_props_perms() work as expected It currently ends up with an ExecutionError while we want to synchronize permissions. This makes 3.21.1 migration of any application using computed relation crashing. Also, remove pre 3.6 compat code in hooks that prevent living schema update on computed relation's permission changes.
diff -r 3f24adbf971a -r ec97974b9010 hooks/syncschema.py
--- a/hooks/syncschema.py Thu Oct 08 13:51:54 2015 +0200
+++ b/hooks/syncschema.py Wed Sep 16 16:04:17 2015 +0200
@@ -905,11 +905,6 @@
 # duh, schema not found, log error and skip operation
 self.warning('no schema for %s', self.eid)
 return
- if isinstance(erschema, RelationSchema): # XXX 3.6 migration
- return
- if isinstance(erschema, RelationDefinitionSchema) and \
- self.action in ('delete', 'add'): # XXX 3.6.1 migration
- return
 perms = list(erschema.action_permissions(self.action))
 if self.group_eid is not None:
 perm = self.cnx.entity_from_eid(self.group_eid).name
diff -r 3f24adbf971a -r ec97974b9010 server/migractions.py
--- a/server/migractions.py Thu Oct 08 13:51:54 2015 +0200
+++ b/server/migractions.py Wed Sep 16 16:04:17 2015 +0200
@@ -458,7 +458,10 @@
 assert reporschema.eid, reporschema
 self.rqlexecall(ss.updaterschema2rql(rschema, reporschema.eid),
 ask_confirm=self.verbosity>=2)
- if syncrdefs:
+ if rschema.rule:
+ if syncperms:
+ self._synchronize_permissions(rschema, reporschema.eid)
+ elif syncrdefs:
 for subj, obj in rschema.rdefs:
 if (subj, obj) not in reporschema.rdefs:
 continue
@@ -572,6 +575,7 @@
 against its current definition:
 * order and other properties
 * constraints
+ * permissions
 """
 subjtype, objtype = str(subjtype), str(objtype)
 rschema = self.fs_schema.rschema(rtype)
diff -r 3f24adbf971a -r ec97974b9010 server/test/datacomputed/migratedapp/schema.py 
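Review bot: The new `if rschema.rule:` branch in the server/migractions.py hunk at -458 has no comment explaining why a computed relation is synchronized through `self._synchronize_permissions(rschema, reporschema.eid)` on the relation type and never reaches the `elif syncrdefs:` loop. Because this path decides whether a narrowed permission set is actually applied during migration, the intent should be written down, for example `# computed relation: permissions are declared on the relation type itself, so sync them here and skip the per-rdef loop`. Note also that when `rschema.rule` is set and `syncperms` is false the branch silently does nothing; if that is intended, the same comment should say so. The enclosing method starts and ends outside the hunk, so where `syncperms` and `syncrdefs` come from is not visible here.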
--- a/server/test/datacomputed/migratedapp/schema.py Thu Oct 08 13:51:54 2015 +0200
+++ b/server/test/datacomputed/migratedapp/schema.py Wed Sep 16 16:04:17 2015 +0200
@@ -59,3 +59,8 @@
 class renamed(ComputedRelation):
 rule = 'S employees E, O concerns E'
+
+
+class perm_changes(ComputedRelation):
+ __permissions__ = {'read': ('managers',)}
+ rule = 'S employees E, O concerns E'
diff -r 3f24adbf971a -r ec97974b9010 server/test/datacomputed/schema.py
--- a/server/test/datacomputed/schema.py Thu Oct 08 13:51:54 2015 +0200
+++ b/server/test/datacomputed/schema.py Wed Sep 16 16:04:17 2015 +0200
@@ -58,3 +58,8 @@
 class to_be_renamed(ComputedRelation):
 rule = 'S employees E, O concerns E'
+
+
+class perm_changes(ComputedRelation):
+ __permissions__ = {'read': ('managers', 'users')}
+ rule = 'S employees E, O concerns E'
diff -r 3f24adbf971a -r ec97974b9010 server/test/unittest_migractions.py
--- a/server/test/unittest_migractions.py Thu Oct 08 13:51:54 2015 +0200
+++ b/server/test/unittest_migractions.py Wed Sep 16 16:04:17 2015 +0200
@@ -784,6 +784,20 @@
 self.assertEqual(self.schema['whatever'].subjects(), ('Company',))
 self.assertFalse(self.table_sql(mh, 'whatever_relation'))
+ def test_computed_relation_sync_schema_props_perms_security(self):
+ with self.mh() as (cnx, mh):
+ rdef = next(self.schema['perm_changes'].rdefs.itervalues())
+ self.assertEqual(rdef.permissions,
+ {'add': (), 'delete': (),
+ 'read': ('managers', 'users')})
+ mh.cmd_sync_schema_props_perms('perm_changes')
+ self.assertEqual(self.schema['perm_changes'].permissions,
+ {'read': ('managers',)})
+ rdef = next(self.schema['perm_changes'].rdefs.itervalues())
+ self.assertEqual(rdef.permissions,
+ {'add': (), 'delete': (),
+ 'read': ('managers',)})
+
 def test_computed_relation_sync_schema_props_perms_on_rdef(self):
 self.assertIn('whatever', self.schema)
 with self.mh() as (cnx, mh):
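Review bot: The pre-sync half of `test_computed_relation_sync_schema_props_perms_security` asserts only `rdef.permissions`, while the post-sync half also asserts `self.schema['perm_changes'].permissions`. Without the matching check before `mh.cmd_sync_schema_props_perms('perm_changes')`, the test does not prove that the relation-type permissions were changed by the sync rather than already being `{'read': ('managers',)}`. Add `self.assertEqual(self.schema['perm_changes'].permissions, {'read': ('managers', 'users')})` ahead of the sync call. The test also reads only the in-memory `self.schema`; whether that object is reloaded from the repository is not visible in this hunk, so a sync that updates the schema object but leaves the broader `users` read grant stored would presumably still pass, and an assertion against the persisted permissions would close that gap.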