auto-delete relation with single cardinality using execute, not unsafe_execute, so permissions are correctly checked
--- a/server/repository.py Tue Feb 23 20:22:40 2010 +0100
+++ b/server/repository.py Tue Feb 23 20:23:46 2010 +0100
@@ -113,14 +113,17 @@
# the web interface but may occurs during test or dbapi connection (though
# not expected for this). So: don't do it, we pretend to ensure repository
# consistency.
+ #
+ # also, we must not use unsafe_execute since we want the delete permission
+ # to be checked when some existing relation is deleted
if card[0] in '1?':
rschema = session.repo.schema.rschema(rtype)
if not rschema.inlined: # inlined relations will be implicitly deleted
- session.unsafe_execute('DELETE X %s Y WHERE X eid %%(x)s, NOT Y eid %%(y)s' % rtype,
- {'x': eidfrom, 'y': eidto}, 'x')
+ session.execute('DELETE X %s Y WHERE X eid %%(x)s, NOT Y eid %%(y)s' % rtype,
+ {'x': eidfrom, 'y': eidto}, 'x')
if card[1] in '1?':
- session.unsafe_execute('DELETE X %s Y WHERE NOT X eid %%(x)s, Y eid %%(y)s' % rtype,
- {'x': eidfrom, 'y': eidto}, 'y')
+ session.execute('DELETE X %s Y WHERE NOT X eid %%(x)s, Y eid %%(y)s' % rtype,
+ {'x': eidfrom, 'y': eidto}, 'y')
class Repository(object):
--- a/sobjects/test/unittest_email.py Tue Feb 23 20:22:40 2010 +0100
+++ b/sobjects/test/unittest_email.py Tue Feb 23 20:23:46 2010 +0100
@@ -46,10 +46,10 @@
self.commit()
cnx = self.login('toto')
cu = cnx.cursor()
- cu.execute('SET U primary_email E WHERE E eid %(e)s, U login "toto"',
- {'e': email1})
- self.assertRaises(Unauthorized, cnx.commit)
-
+ self.assertRaises(Unauthorized,
+ cu.execute, 'SET U primary_email E WHERE E eid %(e)s, U login "toto"',
+ {'e': email1})
+ cnx.close()
if __name__ == '__main__':
from logilab.common.testlib import unittest_main