[entity] fix unrelated_rql for creation form vocabulary for relation with specific permissions (closes #2423854)
--- a/entity.py Tue Jul 17 12:06:52 2012 +0200
+++ b/entity.py Wed Jul 18 17:26:59 2012 +0200
@@ -1112,6 +1112,9 @@
# insert security RQL expressions granting the permission to 'add' the
# relation into the rql syntax tree, if necessary
rqlexprs = rdef.get_rqlexprs('add')
+ if not self.has_eid():
+ rqlexprs = [rqlexpr for rqlexpr in rqlexprs
+ if searchedvar.name in rqlexpr.mainvars]
if rqlexprs and not rdef.has_perm(self._cw, 'add', **sec_check_args):
# compute a varmap suitable to RQLRewriter.rewrite argument
varmap = dict((v, v) for v in (searchedvar.name, evar.name)
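Review bot: When the filter under `if not self.has_eid():` drops every 'add' expression, `rqlexprs` is empty and the following `if rqlexprs and not rdef.has_perm(...)` branch is skipped, so the vocabulary query for a not-yet-created entity carries no permission restriction at all. That is acceptable only if the 'add' permission is enforced again when the relation is actually created, which this hunk does not show. The filtered query should be read as a form-side hint, not as an access check. I would add a comment above the new lines saying so, e.g. `# no eid yet: expressions not involving the searched variable can't be evaluated here and must still be enforced when the relation is added`. The enclosing method starts and ends outside the hunk.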
--- a/test/unittest_entity.py Tue Jul 17 12:06:52 2012 +0200
+++ b/test/unittest_entity.py Wed Jul 18 17:26:59 2012 +0200
@@ -28,7 +28,7 @@
from cubicweb.mttransforms import HAS_TAL
from cubicweb.entities import fetch_config
from cubicweb.uilib import soup2xhtml
-from cubicweb.schema import RQLVocabularyConstraint
+from cubicweb.schema import RQLVocabularyConstraint, RRQLExpression
class EntityTC(CubicWebTC):
@@ -361,6 +361,18 @@
'NOT (S connait AD, AD nom "toto"), AD is Personne, '
'EXISTS(S travaille AE, AE nom "tutu")')
+ def test_unrelated_rql_security_rel_perms(self):
+ '''check `connait` add permission has no effect for a new entity on the
+ unrelated rql'''
+ rdef = self.schema['Personne'].rdef('connait')
+ perm_rrqle = RRQLExpression('U has_update_permission S')
+ with self.temporary_permissions((rdef, {'add': (perm_rrqle,)})):
+ person = self.vreg['etypes'].etype_class('Personne')(self.request())
+ rql = person.cw_unrelated_rql('connait', 'Personne', 'subject')[0]
+ self.assertEqual(rql, 'Any O,AA,AB,AC ORDERBY AC DESC WHERE '
+ 'O is Personne, O nom AA, O prenom AB, '
+ 'O modification_date AC')
+
def test_unrelated_rql_constraints_edition_subject(self):
person = self.request().create_entity('Personne', nom=u'sylvain')
rql = person.cw_unrelated_rql('connait', 'Personne', 'subject')[0]
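Review bot: `test_unrelated_rql_security_rel_perms` only covers an expression that the new filter discards (`'U has_update_permission S'` with the new entity as subject), so nothing checks that an expression on the searched side is still injected for an entity without an eid. A companion case using something like `RRQLExpression('U has_update_permission O')`, asserting that the generated RQL keeps the restriction, would pin the security-relevant half of the `mainvars` filter. The 'object' role is also untested here. Without those cases, a later change that drops all expressions for new entities would still pass this test.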