Mercurial > p > roundup > code
comparison roundup/xmlrpc.py @ 3937:3c3077582c16
Add security checks and tests for xmlrpc interface.
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Sat, 03 Nov 2007 00:50:38 +0000 |
| parents | c31da624ae3b |
| children | 85cbaa50eba1 |
comparison
equal
deleted
inserted
replaced
| 3936:63d58cc1394a | 3937:3c3077582c16 |
|---|---|
| 47 username and password.""" | 47 username and password.""" |
| 48 | 48 |
| 49 self.tracker = tracker | 49 self.tracker = tracker |
| 50 self.db = self.tracker.open('admin') | 50 self.db = self.tracker.open('admin') |
| 51 try: | 51 try: |
| 52 userid = self.db.user.lookup(username) | 52 self.userid = self.db.user.lookup(username) |
| 53 except KeyError: # No such user | 53 except KeyError: # No such user |
| 54 self.db.close() | 54 self.db.close() |
| 55 raise Unauthorised, 'Invalid user.' | 55 raise Unauthorised, 'Invalid user' |
| 56 stored = self.db.user.get(userid, 'password') | 56 stored = self.db.user.get(self.userid, 'password') |
| 57 if stored != password: # Wrong password | 57 if stored != password: |
| 58 # Wrong password | |
| 58 self.db.close() | 59 self.db.close() |
| 59 raise Unauthorised, 'Invalid user.' | 60 raise Unauthorised, 'Invalid user' |
| 60 self.db.setCurrentUser(username) | 61 self.db.setCurrentUser(username) |
| 61 | 62 |
| 62 def close(self): | 63 def close(self): |
| 63 """Close the database, after committing any changes, if needed.""" | 64 """Close the database, after committing any changes, if needed.""" |
| 64 | 65 |
| 110 | 111 |
| 111 def __init__(self, tracker, verbose = False): | 112 def __init__(self, tracker, verbose = False): |
| 112 self.tracker = roundup.instance.open(tracker) | 113 self.tracker = roundup.instance.open(tracker) |
| 113 self.verbose = verbose | 114 self.verbose = verbose |
| 114 | 115 |
| 115 def list(self, username, password, classname, propname = None): | 116 def list(self, username, password, classname, propname=None): |
| 116 | |
| 117 r = RoundupRequest(self.tracker, username, password) | 117 r = RoundupRequest(self.tracker, username, password) |
| 118 cl = r.get_class(classname) | 118 cl = r.get_class(classname) |
| 119 if not propname: | 119 if not propname: |
| 120 propname = cl.labelprop() | 120 propname = cl.labelprop() |
| 121 result = [cl.get(id, propname) for id in cl.list()] | 121 def has_perm(itemid): |
| 122 return True | |
| 123 r.db.security.hasPermission('View', r.userid, classname, | |
| 124 itemid=itemid, property=propname) | |
| 125 result = [cl.get(id, propname) for id in cl.list() | |
| 126 if has_perm(id)] | |
| 122 r.close() | 127 r.close() |
| 123 return result | 128 return result |
| 124 | 129 |
| 125 def display(self, username, password, designator, *properties): | 130 def display(self, username, password, designator, *properties): |
| 131 r = RoundupRequest(self.tracker, username, password) | |
| 132 classname, itemid = hyperdb.splitDesignator(designator) | |
| 126 | 133 |
| 127 r = RoundupRequest(self.tracker, username, password) | 134 if not r.db.security.hasPermission('View', r.userid, classname, |
| 128 classname, nodeid = hyperdb.splitDesignator(designator) | 135 itemid=itemid): |
| 136 raise Unauthorised('Permission to view %s denied'%designator) | |
| 137 | |
| 129 cl = r.get_class(classname) | 138 cl = r.get_class(classname) |
| 130 props = properties and list(properties) or cl.properties.keys() | 139 props = properties and list(properties) or cl.properties.keys() |
| 131 props.sort() | 140 props.sort() |
| 132 result = [(property, cl.get(nodeid, property)) for property in props] | 141 result = [(property, cl.get(itemid, property)) for property in props] |
| 133 r.close() | 142 r.close() |
| 134 return dict(result) | 143 return dict(result) |
| 135 | 144 |
| 136 def create(self, username, password, classname, *args): | 145 def create(self, username, password, classname, *args): |
| 146 r = RoundupRequest(self.tracker, username, password) | |
| 137 | 147 |
| 138 r = RoundupRequest(self.tracker, username, password) | 148 if not r.db.security.hasPermission('Create', r.userid, classname): |
| 149 raise Unauthorised('Permission to create %s denied'%classname) | |
| 150 | |
| 139 cl = r.get_class(classname) | 151 cl = r.get_class(classname) |
| 140 | 152 |
| 141 # convert types | 153 # convert types |
| 142 props = r.props_from_args(cl, args) | 154 props = r.props_from_args(cl, args) |
| 143 | 155 |
| 155 finally: | 167 finally: |
| 156 r.close() | 168 r.close() |
| 157 return result | 169 return result |
| 158 | 170 |
| 159 def set(self, username, password, designator, *args): | 171 def set(self, username, password, designator, *args): |
| 160 | |
| 161 r = RoundupRequest(self.tracker, username, password) | 172 r = RoundupRequest(self.tracker, username, password) |
| 162 classname, itemid = hyperdb.splitDesignator(designator) | 173 classname, itemid = hyperdb.splitDesignator(designator) |
| 174 | |
| 175 if not r.db.security.hasPermission('Edit', r.userid, classname, | |
| 176 itemid=itemid): | |
| 177 raise Unauthorised('Permission to edit %s denied'%designator) | |
| 178 | |
| 163 cl = r.get_class(classname) | 179 cl = r.get_class(classname) |
| 164 | 180 |
| 165 # convert types | 181 # convert types |
| 166 props = r.props_from_args(cl, args) | 182 props = r.props_from_args(cl, args) |
| 167 try: | 183 try: |