cubicweb #3579277 entity.cw_unrelated_rql considers constraints involving unreadable relations [rejected]

Entity method cw_unrelated_rql iterates on rql constraints to be included in the resulting rql but does not check the permissions of relations involved in each constraint. Hence, even if an unreadable relation is involved in a constraint, the constraint will be included in the resulting rql.

This poses problem during the rendering of an edition form of an entity involving such constraints, because an Unauthorized is raised, despite the 'modify' action appears in primary view.

prioritynormal
typebug
done in<not specified>
load0.000
load left0.000
closed by<not specified>
patchCheck read permission of relations in constraints in cw_unrelated_rql entity method [rejected]

Workflow history

from state (4)to statecommentdateUser
in-progressrejected2016/03/15 10:37 UTCsthenault
waiting feedbackin-progress2016/03/15 10:37 UTCsthenault
in-progresswaiting feedback

Been discussed today.

We need the original application schema exhibiting the problem.

2014/05/16 12:57 UTCddouard
openin-progress2014/02/21 11:00 UTC 

Comments

  • 2014/03/07 13:51, written by dlaxalde

    Would it be possible to have this in 3.17.14?

    • 2014/03/09 18:26, written by fcayre

      I'd like to really understand its purpose beforehand. I am afraid I need an example... would you try to describe one here?

    • 2014/03/10 09:33, written by fcayre

      Looks like there is a design flaw in the schema of the client application, which can be solved in another way.

      This does however not imply that the patch is wrong, but since there seems to be no valid use case right now, I would not integrate it so quickly.

  • 2014/12/09 10:30, written by acampeas

    Looks like the "an Unauthorized is raised" is the real issue here.

add comment

Ticket #3579277 - latest update on 2016/03/15, created on 2014/02/21 by Denis Laxalde