From 98f05980bd5c62f53614914f52a53278894ea4e7 Mon Sep 17 00:00:00 2001
From: Quartermaster
Date: Fri, 20 May 2022 11:52:57 +0200
Subject: [PATCH] Fix s3_has_permission for method lists/tuples, fix unit test
---
 VERSION | 2 +-
 modules/core/aaa/auth.py | 17 ++++++++++-------
 modules/unit_tests/core/resource/resource.py | 3 ++-
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/VERSION b/VERSION
index bc5d22224e..d59def5259 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.4-140-g4195decac (2022-05-19 14:22:03)
+4.4-143-g82ffe2b42 (2022-05-20 11:52:57)
diff --git a/modules/core/aaa/auth.py b/modules/core/aaa/auth.py
index ad91a46b0d..af73bc7ea4 100644
--- a/modules/core/aaa/auth.py
+++ b/modules/core/aaa/auth.py
@@ -4720,8 +4720,6 @@ def s3_has_permission(self, method, table, record_id=None, c=None, f=None):
 if self.override:
 return True
- sr = self.get_system_roles()
-
 if not hasattr(table, "_tablename"):
 tablename = table
 table = current.s3db.table(tablename, db_only=True)
@@ -4732,22 +4730,27 @@ def s3_has_permission(self, method, table, record_id=None, c=None, f=None):
 policy = current.deployment_settings.get_security_policy()
+ if isinstance(method, (list, tuple)) and policy not in (3, 4, 5, 6, 7):
+ return all(self.s3_has_permission(m, table, record_id=record_id, c=c, f=f) for m in method)
+
+ sr = self.get_system_roles()
 permission = self.permission
- required = permission.METHODS.get(method) or 0
 # Simple policy
 if policy == 1:
- # Anonymous users can Read.
+ required = permission.METHODS.get(method) or 0
 if required == permission.READ:
+ # All users can read, including anonymous users
 authorised = True
 else:
- # Authentication required for Create/Update/Delete.
+ # Authentication required for all other methods
 authorised = self.s3_logged_in()
 # Editor policy
 elif policy == 2:
+ required = permission.METHODS.get(method) or 0
 if required == permission.READ:
- # Anonymous users can read
+ # All users can read, including anonymous users
 authorised = True
 elif required == permission.CREATE or \
 record_id == 0 and required == permission.UPDATE:
@@ -4766,7 +4769,7 @@ def s3_has_permission(self, method, table, record_id=None, c=None, f=None):
 authorised = True
 # Use S3Permission
- elif policy in (3, 4, 5, 6, 7, 8):
+ elif policy in (3, 4, 5, 6, 7):
 authorised = permission.has_permission(method,
 c = c,
 f = f,
diff --git a/modules/unit_tests/core/resource/resource.py b/modules/unit_tests/core/resource/resource.py
index a43094dd43..0783e6b3c9 100644
--- a/modules/unit_tests/core/resource/resource.py
+++ b/modules/unit_tests/core/resource/resource.py
@@ -2743,6 +2743,8 @@ def testURLQueryWithFilteredComponent(self):
 auth = current.auth
 s3db = current.s3db
+ auth.override = True
+
 org_organisation = s3db.org_organisation
 org_test_office = s3db.org_office.with_alias("org_test_office")
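Review bot: In the `@@ -4732,22 +4730,27 @@` hunk of modules/core/aaa/auth.py, the added `return all(... for m in method)` is vacuously `True` when `method` is an empty list or tuple, so under any policy outside 3–7 the call is authorised before the login and READ/CREATE/UPDATE checks below it are reached. An authorisation helper should fail closed on that input, e.g. `return bool(method) and all(self.s3_has_permission(m, table, record_id=record_id, c=c, f=f) for m in method)`. Whether any caller can pass an empty sequence is not visible here, and how `permission.has_permission` treats one under policies 3–7 deserves the same check. The function body starts and ends outside the hunk.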
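Review bot: In the `@@ -4766,7 +4769,7 @@` hunk of modules/core/aaa/auth.py, dropping 8 from `elif policy in (3, 4, 5, 6, 7):` means a deployment whose security policy is still set to 8 no longer reaches `permission.has_permission` and instead takes whatever branch follows this `elif`, which is outside the hunk. That fallback should be confirmed to deny rather than authorise. The same literal tuple also appears in the list/tuple guard added earlier in this commit, so the two can drift apart. A shared constant (name illustrative), `S3PERMISSION_POLICIES = (3, 4, 5, 6, 7)`, used in both tests would keep them in sync.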
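Review bot: In the `@@ -2743,6 +2743,8 @@` hunk of modules/unit_tests/core/resource/resource.py, `auth.override = True` is now set at the top of testURLQueryWithFilteredComponent on the shared `current.auth` object, and neither this hunk nor the later `@@ -2766,7 +2768,6 @@` hunk shows it being reset. If the rest of the test (outside both hunks) does not restore it, later tests in the same process run with permission checks bypassed, which can hide exactly the kind of regression this commit fixes. Wrapping the body in `try:` … `finally: auth.override = False`, or resetting it in `tearDown`, would keep the bypass scoped to this test.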
@@ -2766,7 +2768,6 @@ def testURLQueryWithFilteredComponent(self):
 str(org_test_office.name.lower().like("xyz%")))
 # Add the query to the resource
- auth.override = True
 resource.add_filter(query.test[0])
 rfilter = resource.rfilter