cubicweb #3579277 entity.cw_unrelated_rql considers constraints involving unreadable relations [rejected]
Entity method cw_unrelated_rql iterates on rql constraints to be included in the resulting rql but does not check the permissions of relations involved in each constraint. Hence, even if an unreadable relation is involved in a constraint, the constraint will be included in the resulting rql. This poses a problem during the rendering of an edition form of an entity involving such constraints, because an Unauthorized is raised, even though the 'modify' action appears in the primary view.
priority | normal |
---|---|
type | bug |
done in | <not specified> |
load | 0.000 |
load left | 0.000 |
closed by | <not specified> |
patch | Check read permission of relations in constraints in cw_unrelated_rql entity method [rejected] |
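
A simplified model of the behaviour described in this ticket, added here as an illustration: it is not CubicWeb code or the rejected patch, and `Constraint`, `READABLE`, `unrelated_query`, `execute` and `render_edit_form` are hypothetical names working on constructed sample data. It shows the unchecked constraint leading to `Unauthorized` when the form is rendered, and what a read-permission check on the constraint's relations changes.

```python
# Simplified model of the reported behaviour. This is NOT CubicWeb code:
# every class, function and relation name below is hypothetical.
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when a query touches a relation the user may not read."""


@dataclass(frozen=True)
class Constraint:
    expression: str   # RQL-like restriction added to the candidate query
    relations: tuple  # relation types the expression traverses


# Constructed sample: the user may read 'concerns' but not 'internal_owner'.
READABLE = {"concerns": True, "internal_owner": False}
CONSTRAINTS = [
    Constraint("O concerns P", ("concerns",)),
    Constraint("O internal_owner U", ("internal_owner",)),
]


def unrelated_query(constraints, check_read=False):
    """Build the candidate query; return (query, relations used, skipped)."""
    kept, skipped = [], []
    for c in constraints:
        if check_read and not all(READABLE.get(r, False) for r in c.relations):
            skipped.append(c)  # constraint left out of the query
            continue
        kept.append(c)
    where = ", ".join(c.expression for c in kept)
    query = "Any O" + (" WHERE " + where if kept else "")
    return query, {r for c in kept for r in c.relations}, skipped


def execute(query, used):
    """Stand-in for query execution with read-permission enforcement."""
    denied = sorted(r for r in used if not READABLE.get(r, False))
    if denied:
        raise Unauthorized("read denied on: " + ", ".join(denied))
    return query


def render_edit_form(check_read):
    """Return (executed query, expressions of skipped constraints)."""
    query, used, skipped = unrelated_query(CONSTRAINTS, check_read)
    return execute(query, used), [c.expression for c in skipped]
```

With the check enabled the form renders, but every skipped constraint no longer restricts the candidates offered to the user, so the skipped list is worth logging or reviewing.
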
Comments
- 2014/03/07 13:51, written by dlaxalde
- 2014/03/09 18:26, written by fcayre
- 2014/03/10 09:33, written by fcayre
- 2014/12/09 10:30, written by acampeas
Would it be possible to have this in 3.17.14?
I'd like to really understand its purpose beforehand. I am afraid I need an example... would you try to describe one here?
Looks like there is a design flaw in the schema of the client application, which can be solved in another way.
This does however not imply that the patch is wrong, but since there seems to be no valid use case right now, I would not integrate it so quickly.
Looks like the "an Unauthorized is raised" is the real issue here.