Mercurial Repository: p/roundup/code: roundup/rest.py comparison

comparison roundup/rest.py @ 5730:4aa26a9f3b47

Tighten up use of X-HTTP-Method-Override to only work with POST. Old method allowed PUT, DELETE .. to tunnel. Now I have no clue why you would tunnel DELETE or PATCH in PUT but...

author	John Rouillard <rouilj@ieee.org>
date	Sat, 25 May 2019 14:33:07 -0400
parents	9ea2ce9d10cf
children	058ef18af5fd

comparison

equal deleted inserted replaced

-:9ea2ce9d10cf
+:4aa26a9f3b47
 # Never allow GET to be an unsafe operation (i.e. data changing).
 # User must use POST to "tunnel" DELETE, PUT, OPTIONS etc.
 override = headers.get('X-HTTP-Method-Override')
 output = None
 if override:
-if method.upper() != 'GET':
+if method.upper() == 'POST':
 logger.debug(
 'Method overridden from %s to %s', method, override)
 method = override
 else:
 output = self.error_obj(400,
-"X-HTTP-Method-Override: %s can not be used with GET method. Use Post instead." % override)
+"X-HTTP-Method-Override: %s must be used with "
+"POST method not %s."% (override, method.upper()))
 logger.info(
-'Ignoring X-HTTP-Method-Override for GET request on %s',
+'Ignoring X-HTTP-Method-Override using %s request on %s',
-uri)
+method.upper(), uri)
 # parse Accept header and get the content type
 accept_header = parse_accept_header(headers.get('Accept'))
 accept_type = "invalid"
 for part in accept_header:

Mercurial > p > roundup > code

comparison roundup/rest.py @ 5730:4aa26a9f3b47