[selectors] relation_possible selector should check user may read target entity type when specified stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Tue, 06 Jul 2010 11:31:04 +0200
branchstable
changeset 5900 002af94623d3
parent 5899 11cecbaeb731
child 5901 782b27eaf97a
child 5903 aa01eb033620
[selectors] relation_possible selector should check user may read target entity type when specified
selectors.py
--- a/selectors.py	Tue Jul 06 09:42:16 2010 +0200
+++ b/selectors.py	Tue Jul 06 11:31:04 2010 +0200
@@ -840,10 +840,13 @@
         if self.target_etype is not None:
             try:
                 rdef = rschema.role_rdef(eschema, self.target_etype, self.role)
-                if self.action and not rdef.may_have_permission(self.action, req):
-                    return 0
             except KeyError:
                 return 0
+            if self.action and not rdef.may_have_permission(self.action, req):
+                return 0
+            teschema = req.vreg.schema.eschema(self.target_etype)
+            if not teschema.may_have_permission('read', req):
+                return 0
         elif self.action:
             return rschema.may_have_permission(self.action, req, eschema, self.role)
         return 1
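Review bot: The new target-type test at `teschema.may_have_permission('read', req)` has no comment explaining why a second permission check follows the relation-definition one, and the selector's docstring (outside this hunk) presumably still describes only the relation check. I would add `# permission on the relation does not imply the user may read the target entity type` above the `teschema` lookup and mention the extra read test in the docstring. Moving the `self.action` test out of the `try` also means a `KeyError` raised inside `may_have_permission` now propagates instead of scoring 0; that looks intended but is worth confirming. The enclosing method starts before the hunk.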
@@ -860,6 +863,10 @@
                     return 0
             elif not rschema.has_perm(entity._cw, self.action, toeid=entity.eid):
                 return 0
+        if self.target_etype is not None:
+            teschema = entity._cw.vreg.schema.eschema(self.target_etype)
+            if not teschema.may_have_permission('read', req):
+                return 0
         return 1
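Review bot: The added read check calls `teschema.may_have_permission('read', req)`, but no `req` is visible in this hunk; every other line here reaches the request through `entity._cw`, including the `teschema` lookup one line above. If the enclosing method (its signature is outside the hunk) takes only `entity`, this line raises `NameError` whenever `target_etype` is set, so the selector fails with an exception instead of returning a score. I would write `if not teschema.may_have_permission('read', entity._cw):` to stay consistent with the rest of the block.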