--- a/devtools/devctl.py	Fri Jul 06 09:00:33 2012 +0200
+++ b/devtools/devctl.py	Fri Jul 06 14:31:13 2012 +0200
@@ -726,7 +726,7 @@
     min_args = max_args = 1
     options = [
         ('output-file',
-         {'type':'file', 'default': None,
+         {'type':'string', 'default': None,
           'metavar': '<file>', 'short':'o', 'help':'output image file',
           'input':False,
           }),

--- a/rqlrewrite.py	Fri Jul 06 09:00:33 2012 +0200
+++ b/rqlrewrite.py	Fri Jul 06 14:31:13 2012 +0200
@@ -77,12 +77,26 @@
                 mytyperel = None
         possibletypes = allpossibletypes[varname]
         if mytyperel is not None:
-            # variable as already some types restriction. new possible types
-            # can only be a subset of existing ones, so only remove no more
-            # possible types
-            for cst in mytyperel.get_nodes(n.Constant):
-                if not cst.value in possibletypes:
-                    cst.parent.remove(cst)
+            if mytyperel.r_type == 'is_instance_of':
+                # turn is_instance_of relation into a is relation since we've
+                # all possible solutions and don't want to bother with
+                # potential is_instance_of incompatibility
+                mytyperel.r_type = 'is'
+                if len(possibletypes) > 1:
+                    node = n.Function('IN')
+                    for etype in possibletypes:
+                        node.append(n.Constant(etype, 'etype'))
+                else:
+                    node = n.Constant(etype, 'etype')
+                comp = mytyperel.children[1]
+                comp.replace(comp.children[0], node)
+            else:
+                # variable has already some strict types restriction. new
+                # possible types can only be a subset of existing ones, so only
+                # remove no more possible types
+                for cst in mytyperel.get_nodes(n.Constant):
+                    if not cst.value in possibletypes:
+                        cst.parent.remove(cst)
         else:
             # we have to add types restriction
             if stinfo.get('scope') is not None:

--- a/server/test/unittest_security.py	Fri Jul 06 09:00:33 2012 +0200
+++ b/server/test/unittest_security.py	Fri Jul 06 14:31:13 2012 +0200
@@ -23,8 +23,10 @@
 from cubicweb.devtools.testlib import CubicWebTC
 
 from cubicweb import Unauthorized, ValidationError, QueryError
+from cubicweb.schema import ERQLExpression
 from cubicweb.server.querier import check_read_access
 
+
 class BaseSecurityTC(CubicWebTC):
 
     def setup_database(self):
@@ -468,6 +470,28 @@
         cnx.rollback()
         cnx.close()
 
+    def test_yams_inheritance_and_security_bug(self):
+        oldperms = self.schema['Division'].permissions
+        try:
+            self.schema['Division'].permissions = {
+                'read': ('managers', ERQLExpression('X owned_by U')),
+                'add': ('managers', 'users'),
+                'update': ('managers', 'owners'),
+                'delete': ('managers', 'owners')}
+            self.login('iaminusersgrouponly')
+            querier = self.repo.querier
+            rqlst = querier.parse('Any X WHERE X is_instance_of Societe')
+            querier.solutions(self.session, rqlst, {})
+            querier._annotate(rqlst)
+            plan = querier.plan_factory(rqlst, {}, self.session)
+            plan.preprocess(rqlst)
+            self.assertEqual(
+                rqlst.as_string(),
+                '(Any X WHERE X is IN(SubDivision, Societe)) UNION (Any X WHERE X is Division, EXISTS(X owned_by %(B)s))')
+        finally:
+            self.schema['Division'].permissions = oldperms
+
+
 class BaseSchemaSecurityTC(BaseSecurityTC):
     """tests related to the base schema permission configuration"""