Make permission filter functions configurable

For debugging and performance measurements it makes sense to allow
turning permission filter functions off.

Author: schlatterbeck

roundup/configuration.py

@@ -1462,6 +1462,17 @@ def str2value(self, value):
     ("rdbms", (
         (DatabaseBackend, 'backend', NODEFAULT,
             "Database backend."),
+        (BooleanOption, "debug_filter", "no",
+	    "Filter debugging: Permissions can define additional filter\n"
+            "functions that are used when checking permissions on results\n"
+            "returned by the database. This is done to improve\n"
+            "performance since the filtering is done in the database\n"
+            "backend, not in python (at least for the SQL backends). The\n"
+            "user is responsible for making the filter return the same\n"
+            "set of results as the check function for a permission. So it\n"
+            "makes sense to aid in debugging (and performance\n"
+            "measurements) to allow turning off the usage of filter\n"
+            "functions using only the check functions."),
         (Option, 'name', 'roundup',
             "Name of the database to use. For Postgresql, this can\n"
             "be database.schema to use a specific schema within\n"
@@ -1545,8 +1556,8 @@ def str2value(self, value):
             "Set the database cursor for filter queries to serverside\n"
             "cursor, this avoids caching large amounts of data in the\n"
             "client. This option only applies for the postgresql backend."),
-    ), "Settings in this section (except for backend) are used\n"
-        " by RDBMS backends only.",
+    ), "Most settings in this section (except for backend and debug_filter)\n"
+       "are used by RDBMS backends only.",
     ),
     ("sessiondb", (
         (SessiondbBackendOption, "backend", "",

roundup/hyperdb.py

@@ -1820,11 +1820,12 @@ def filter_with_permissions(self, search_matches, filterspec, sort=[],
         if check(permission, userid, cn, only_no_check = True):
             allowed = item_ids
         else:
+            debug = self.db.config.RDBMS_DEBUG_FILTER
             # Note that is_filterable returns True if no permissions are
             # found. This makes it fail early (with an empty allowed list)
             # instead of running through all ids with an empty
             # permission list.
-            if sec.is_filterable(permission, userid, cn):
+            if not debug and sec.is_filterable(permission, userid, cn):
                 new_ids = set(item_ids)
                 confirmed = set()
                 for perm in sec.filter_iter(permission, userid, cn):

test/db_test_base.py

@@ -3033,6 +3033,22 @@ def filter(db, userid, klass):
         # User may see own and public queries
         self.assertEqual(r, ['5', '6', '4', '3', '2', '1'])
 
+    def testFilteringWithPermissionFilterFunctionOff(self):
+        view_query = self.setupQuery()
+
+        def filter(db, userid, klass):
+            return [dict(filterspec = dict(private_for=['-1', userid]))]
+        perm = self.db.security.addPermission
+        p = perm(name='View', klass='query', check=view_query, filter=filter)
+        self.db.security.addPermissionToRole("User", p)
+        # Turn filtering off
+        self.db.config.RDBMS_DEBUG_FILTER = True
+        filt = self.db.query.filter_with_permissions
+
+        r = filt(None, {}, sort=[('+', 'name')])
+        # User may see own and public queries
+        self.assertEqual(r, ['5', '6', '4', '3', '2', '1'])
+
 # XXX add sorting tests for other types
 
     # nuke and re-create db for restore