cubicweb #3670209 permissions checks in AjaxEditRelationCtxComponent may generate false negative [validation pending]
Permissions checks on the rdef are done quite early in the render_body method, so that calls to rdef.has_perm() are done with a possibly incomplete context. Indeed, fromeid or toeid is not specified depending on the role, so that the underlying RRQLExpression.check() calls may be missing some context. (The fact that RRQLExpression.check returns False when the context is incomplete is another issue.) The result is that the js actions [+] and [-] may not be displayed even though the user has add/delete permissions on the relation. This will occur for instance with a RRQLExpression(S owned_by U) on the rdef with role='object' (only toeid is specified in that case).
I'd suggest doing the permission checks later, when a complete context is available.
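The false negative described in this ticket, as an added illustration that is not cubicweb code: a simplified Python model in which a relation permission expression is checked once with only the displayed entity's eid (as the component did) and once with both sides of the relation known (the suggested fix). RelationPermExpr, has_perm_early, has_perm_full_context and the OWNERS table are hypothetical stand-ins for the rdef / RRQLExpression machinery, and the sample eids are constructed.

```python
# Simplified, hypothetical model of the ticket's failure mode (not cubicweb code).
# An RQL-style permission expression on a relation definition is evaluated
# against a context made of the user, the subject eid (fromeid) and the object
# eid (toeid).  If the component checks the permission before both eids are
# known, an expression that needs the missing side cannot be evaluated and the
# check comes back False: a false negative that hides the [+]/[-] actions.

from dataclasses import dataclass
from typing import Optional

# Constructed sample data: entity eid -> eid of its owner (stands in for owned_by).
OWNERS = {10: 1, 11: 2, 20: 1}


@dataclass(frozen=True)
class RelationPermExpr:
    """Stand-in for a relation RQL expression such as 'S owned_by U'.

    Hypothetical: only the two forms 'S owned_by U' and 'O owned_by U' are
    modelled, enough to show which side of the relation each one needs.
    """
    expression: str

    def check(self, user_eid: int, fromeid: Optional[int] = None,
              toeid: Optional[int] = None) -> bool:
        # Mirrors the behaviour the ticket describes: when the variable the
        # expression needs (S or O) is absent from the context, the result is
        # False rather than "unknown".
        if self.expression == 'S owned_by U':
            return fromeid is not None and OWNERS.get(fromeid) == user_eid
        if self.expression == 'O owned_by U':
            return toeid is not None and OWNERS.get(toeid) == user_eid
        raise ValueError(f'unsupported expression: {self.expression!r}')


def has_perm_early(expr: RelationPermExpr, user_eid: int, role: str,
                   entity_eid: int) -> bool:
    """Permission check done early, as in the reported component.

    Only the eid of the entity being displayed is known at this point: it is
    the subject (fromeid) when role == 'subject' and the object (toeid) when
    role == 'object'.  The other side of the relation is left unspecified.
    """
    if role == 'subject':
        return expr.check(user_eid, fromeid=entity_eid)
    if role == 'object':
        return expr.check(user_eid, toeid=entity_eid)
    raise ValueError(f'unknown role: {role!r}')


def has_perm_full_context(expr: RelationPermExpr, user_eid: int,
                          fromeid: int, toeid: int) -> bool:
    """Permission check deferred until both related eids are known (the fix)."""
    return expr.check(user_eid, fromeid=fromeid, toeid=toeid)


def demo() -> dict:
    """Reproduce the ticket's scenario: 'S owned_by U' with role='object'."""
    expr = RelationPermExpr('S owned_by U')
    user = 1          # user eid 1 owns entities 10 and 20
    displayed = 20    # entity shown by the component, acting as relation object
    return {
        # Early check knows only toeid=20; S is unbound, so the check fails
        # even though the user owns the would-be subject.
        'early': has_perm_early(expr, user, 'object', displayed),
        # Same check with the subject supplied: the user owns 10, so it passes.
        'full_owned': has_perm_full_context(expr, user, fromeid=10, toeid=displayed),
        # A genuine denial is still reported: entity 11 belongs to user 2.
        'full_not_owned': has_perm_full_context(expr, user, fromeid=11, toeid=displayed),
    }


if __name__ == '__main__':
    print(demo())
```

Running the module prints the three results: the early check on the object role is False although the user owns the subject entity, while the deferred check gives True for the owned subject and False for the foreign one, which is the distinction the component's rendering of [+] and [-] depends on.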
closed by: #136b5f995f8e Provide sufficient context to check 'delete' permission in AjaxEditRelationCtxComponent
patches:
  [tests/web] switch previous commit (136b5f995f8) to the new test api [applied]
  Provide sufficient context to check 'delete' permission in AjaxEditRelationCtxComponent [applied]