[ssplanner] Prevent execution of write queries involving computed relations
Previously, setting a computed relation upon entity creation or
modification (using the ORM or an RQL query) would usually fail with an
operational error in the backend ("no such table"). However, under some
mysterious circumstances (like passing a string as value in cw_set for a
computed relation), the RQL to SQL transformation would simply drop the
clause.
To prevent this to happen, we add a check for computed relation before
adding a relation to an execution plan. This check raises a QueryError.
It happens in several places:
* in querier.InsertPlan.add_relation_def() (called from several places
in ssplanner steps) for INSERT queries,
* in ssplanner.UpdateStep.execute() for SET queries and,
* in ssplanner.SSplanner.build_delete_plan() for DELETE queries.
Tests added to unittest_querier.py because unittest_sslplanner.py looked
inappropriate (it has only unit tests) and the former already had a
NonRegressionTC class.
--- a/cubicweb/server/querier.py Thu Nov 30 11:00:01 2017 +0100
+++ b/cubicweb/server/querier.py Thu Nov 30 11:55:35 2017 +0100
@@ -347,6 +347,8 @@
def add_relation_def(self, rdef):
"""add an relation definition to build"""
edef, rtype, value = rdef
+ if self.schema[rtype].rule:
+ raise QueryError("'%s' is a computed relation" % rtype)
self.r_defs.add(rdef)
if not isinstance(edef, int):
self._r_subj_index.setdefault(edef, []).append(rdef)
--- a/cubicweb/server/ssplanner.py Thu Nov 30 11:00:01 2017 +0100
+++ b/cubicweb/server/ssplanner.py Thu Nov 30 11:55:35 2017 +0100
@@ -204,7 +204,10 @@
step.children += self._sel_variable_step(plan, rqlst, etype, var)
steps.append(step)
for relation in rqlst.main_relations:
- step = DeleteRelationsStep(plan, relation.r_type)
+ rtype = relation.r_type
+ if self.schema[rtype].rule:
+ raise QueryError("'%s' is a computed relation" % rtype)
+ step = DeleteRelationsStep(plan, rtype)
step.children += self._sel_relation_steps(plan, rqlst, relation)
steps.append(step)
return steps
@@ -493,6 +496,9 @@
for i, row in enumerate(result):
newrow = []
for (lhsinfo, rhsinfo, rschema) in self.updatedefs:
+ if rschema.rule:
+ raise QueryError("'%s' is a computed relation"
+ % rschema.type)
lhsval = _handle_relterm(lhsinfo, row, newrow)
rhsval = _handle_relterm(rhsinfo, row, newrow)
if rschema.final or rschema.inlined:
--- a/cubicweb/server/test/unittest_querier.py Thu Nov 30 11:00:01 2017 +0100
+++ b/cubicweb/server/test/unittest_querier.py Thu Nov 30 11:55:35 2017 +0100
@@ -19,6 +19,7 @@
"""unit tests for modules cubicweb.server.querier and cubicweb.server.ssplanner
"""
+from contextlib import contextmanager
from datetime import date, datetime, timedelta, tzinfo
import unittest
@@ -1667,5 +1668,33 @@
[[a1.eid]],
cnx.execute('Any A ORDERBY A WHERE U use_email A, U login "admin"').rows)
+ def test_computed_relation_in_write_queries(self):
+ """Computed relations are not allowed in main part of write queries."""
+ @contextmanager
+ def check(cnx):
+ with self.assertRaises(QueryError) as cm:
+ yield
+ self.assertIn("'user_login' is a computed relation",
+ str(cm.exception))
+ cnx.rollback()
+
+ with self.admin_access.cnx() as cnx:
+ person = cnx.create_entity('Personne', nom=u'p')
+ cnx.commit()
+ # create
+ with check(cnx):
+ cnx.execute('INSERT CWUser X: X login "user", X user_login P'
+ ' WHERE P is Personne, P nom "p"')
+ # update
+ bob = self.create_user(cnx, u'bob')
+ with check(cnx):
+ cnx.execute('SET U user_login P WHERE U login "bob", P nom "p"')
+ # delete
+ person.cw_set(login_user=bob)
+ cnx.commit()
+ with check(cnx):
+ cnx.execute('DELETE U user_login P WHERE U login "bob"')
+
+
if __name__ == '__main__':
unittest.main()