cubicweb #4482382 Security rewrite duplicates results in some case [in-progress]

Given a '?*' polymorphic relation of which object entities have different ERQLExpression based read permissions.

Querying the subject and optionally the object entity (with a '?') results in the result cardinality multiplied by the number of different read permissions, or so it seems.

Example schema:

class EFrom(EntityType):
    rel = SubjectRelation(
        ('ETo1', 'ETo2'), cardinality='?*', inlined=True)


class ETo1(EntityType):
    __permissions__ = {
        'add': ('managers',),
        'update': ('owners',),
        'read': (ERQLExpression('X owned_by U'),),
        'delete': ('owners',),
    }


class ETo2(EntityType):
    __permissions__ = {
        'add': ('managers',),
        'update': ('owners',),
        'read': (ERQLExpression('X created_by U'),),
        'delete': ('owners',),
    }

The following request will return several times the same entities:

Any X, Y WHERE X is EFrom, X rel Y?

The rewritten RQL gives us a clue, I guess the use of UNION is the cause:

(Any X,Y WHERE X is EFrom, X rel Y?
 WITH Y BEING (Any Y WHERE EXISTS(Y owned_by %(C)s), Y is ETo1))
UNION
(Any X,Y WHERE X is EFrom, X rel Y?
 WITH Y BEING (Any Y WHERE EXISTS(Y created_by %(E)s), Y is ETo2))
prioritynormal
typebug
done in<not specified>
closed by<not specified>
patchWIP [security] fix dark corner case of securty expression insertion [rejected]