comparison roundup/rest.py @ 5864:5e8e160fe2a0
Fix security checks for individual properties
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Mon, 26 Aug 2019 08:15:02 +0200 |
| parents | 167ef847fcdf |
| children | 04deafac71ab |
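--- a/roundup/rest.py
+++ b/roundup/rest.py
@@ -634,13 +634,11 @@
         if class_name not in self.db.classes:
             raise NotFound('Class %s not found' % class_name)
 
         uid = self.db.getuid()
 
-        if not self.db.security.hasPermission(
-            'View', uid, class_name
-        ):
+        if not self.db.security.hasPermission('View', uid, class_name):
             raise Unauthorised('Permission to view %s denied' % class_name)
 
         class_obj = self.db.getclass(class_name)
         class_path = '%s/%s/' % (self.data_path, class_name)
 
@@ -728,18 +726,23 @@
 
         # extract result from data
         result={}
         result['collection']=[]
         for item_id in obj_list:
+            r = {}
             if self.db.security.hasPermission(
-                'View', uid, class_name, itemid=item_id):
+                'View', uid, class_name, itemid=item_id, property='id'
+            ):
                 r = {'id': item_id, 'link': class_path + item_id}
-                if display_props:
-                    r.update(self.format_item(class_obj.getnode(item_id),
-                                              item_id,
-                                              props=display_props,
-                                              verbose=verbose))
+                if display_props :
+                    for p in display_props:
+                        if self.db.security.hasPermission(
+                            'View', uid, class_name, itemid=item_id, property=p
+                        ):
+                            r.update(self.format_item(class_obj.getnode(item_id),
+                                item_id, props=display_props, verbose=verbose))
+            if r:
                 result['collection'].append(r)
 
         result_len = len(result['collection'])
 
         # pagination - page_index from 1...N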
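Review bot: The per-property loop on new lines 737-742 checks `property=p` but then calls `format_item(..., props=display_props, ...)` with the full list, so as soon as any single property passes the check every property in display_props is rendered into r, and that rendering is repeated once per permitted property. Unless format_item filters properties by permission itself (it is not visible here), the new check does not restrict the output the way the commit title suggests. Collect the properties that pass the check into a list and call format_item once with that list, as below. The stray space in `if display_props :` should also go. The enclosing method starts and ends outside this section.
```python
                if display_props:
                    allowed = [
                        p for p in display_props
                        if self.db.security.hasPermission(
                            'View', uid, class_name, itemid=item_id, property=p
                        )
                    ]
                    if allowed:
                        r.update(self.format_item(class_obj.getnode(item_id),
                            item_id, props=allowed, verbose=verbose))
            # … unchanged: if r: result['collection'].append(r) …
```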
