Skip inserting assert_exists on required links inside access policies…

… bodies (#4695) When policies evaluation is suppressed, we don't need to worry about required links being broken. The fix was verified manually; the added test is to make sure this didn't prevent the check from being added *later*, where it *is* needed.
geldata · Nov 18, 2022 · 805f145 · 805f145
1 parent f38977a
commit 805f145
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 2 deletions.
diff --git a/edb/edgeql/compiler/setgen.py b/edb/edgeql/compiler/setgen.py
@@ -851,7 +851,8 @@ def needs_rewrite_existence_assertion(
     """
 
     return bool(
-        ptrcls.get_required(ctx.env.schema)
+        not ctx.suppress_rewrites
+        and ptrcls.get_required(ctx.env.schema)
         and direction == PtrDir.Outbound
         and (target := ptrcls.get_target(ctx.env.schema))
         and ctx.env.type_rewrites.get((target, False))

diff --git a/tests/test_edgeql_policies.py b/tests/test_edgeql_policies.py
@@ -223,7 +223,7 @@ async def test_edgeql_policies_04(self):
             ])
         )
 
-    async def test_edgeql_policies_05(self):
+    async def test_edgeql_policies_05a(self):
         await self.con.execute('''
             CREATE TYPE Tgt {
                 CREATE REQUIRED PROPERTY b -> bool;
@@ -308,6 +308,39 @@ async def test_edgeql_policies_05(self):
             [],
         )
 
+    async def test_edgeql_policies_05b(self):
+        await self.con.execute('''
+            CREATE TYPE Tgt {
+                CREATE REQUIRED PROPERTY b -> bool;
+
+                CREATE ACCESS POLICY redact
+                    ALLOW SELECT USING (not global filter_owned);
+                CREATE ACCESS POLICY dml_always
+                    ALLOW UPDATE, INSERT, DELETE;
+            };
+            CREATE TYPE Ptr {
+                CREATE REQUIRED LINK tgt -> Tgt;
+                CREATE PROPERTY tb := .tgt.b;
+                CREATE ACCESS POLICY redact
+                    ALLOW SELECT USING (.tgt.b);
+                CREATE ACCESS POLICY dml_always
+                    ALLOW UPDATE, INSERT, DELETE;
+            };
+        ''')
+        await self.con.query('''
+            insert Ptr { tgt := (insert Tgt { b := True }) };
+        ''')
+        await self.con.execute('''
+            set global filter_owned := True;
+        ''')
+
+        async with self.assertRaisesRegexTx(
+                edgedb.CardinalityViolationError,
+                r"is hidden by access policy"):
+            await self.con.query('''
+                select Ptr { tgt }
+            ''')
+
     async def test_edgeql_policies_06(self):
         await self.con.execute('''
             CREATE TYPE Tgt {