comparison doc/rest.txt @ 5879:94a7669677ae

add permissions to control use of rest and xmlrpc API interfaces. issue2551058: Add new permissions: 'Rest Access' and 'Xmlrpc Access' to allow per-user access control to rest and xmlrpc interfaces using roles. Updated all schemas to add these new perms to all authenticated roles. Error conditions in handle_xmlrpc were not working right in manual testing. I tried to make it a little better, but I don't actually understand how the fault xmlrpc object is supposed to be used. So I may have messed something up. I'll try to ping the people who wrote the xmlrpc code to have them review.
author John Rouillard <rouilj@ieee.org>
date Fri, 27 Sep 2019 23:29:59 -0400
parents 1b57d8f3eb97
children da417bab5cb8
comparison
equal deleted inserted replaced
5878:1b57d8f3eb97 5879:94a7669677ae
10 Introduction 10 Introduction
11 ------------ 11 ------------
12 12
13 After the last 1.6.0 Release, a REST-API developed in 2015 during a 13 After the last 1.6.0 Release, a REST-API developed in 2015 during a
14 Google Summer of Code (GSOC) by Chau Nguyen, supervised by Ezio 14 Google Summer of Code (GSOC) by Chau Nguyen, supervised by Ezio
15 Melotti was integrated. The code was updated by John Rouillard and 15 Melotti was integrated. The code was updated by Ralf Schlatterbeck
16 Ralf Schlatterbeck to fix some shortcomings and provide the necessary 16 and John Rouillard to fix some shortcomings and provide the necessary
17 functions for a single page web application, e.g. etag support, 17 functions for a single page web application, e.g. etag support,
18 pagination, field embedding among others. 18 pagination, field embedding among others.
19 19
20 Enabling the REST API 20 Enabling the REST API
21 --------------------- 21 ---------------------
22 22
23 The REST API can be disabled in the ``[web]`` section of ``config.ini`` 23 The REST API can be disabled in the ``[web]`` section of ``config.ini``
24 via the variable ``enable_rest`` which is ``yes`` by default. 24 via the variable ``enable_rest`` which is ``yes`` by default.
25
26 Users have to be authorized to use the rest api. The user must have
27 "Rest Access" permission. To add this to the "User" role change
28 schema.py to add::
29
30 db.security.addPermissionToRole('User', 'Rest Access')
31
32 This is usually included near where other permissions like "Web Access"
33 or "Email Access" are assigned.
25 34
26 The REST api is reached via the ``/rest/`` endpoint of the tracker 35 The REST api is reached via the ``/rest/`` endpoint of the tracker
27 URL. Partial URLs paths below (not starting with https) will have 36 URL. Partial URLs paths below (not starting with https) will have
28 /rest removed for brevity. 37 /rest removed for brevity.
29 38
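Review bot: the new paragraph in the right-hand column (lines 26-33, "Users have to be authorized to use the rest api ...") documents the grant for the "User" role only and leaves two things a tracker administrator needs unstated. First, the commit message says the shipped schemas were updated to give 'Rest Access' to all authenticated roles, but an existing tracker's schema.py will not be; the text should present the `addPermissionToRole` line as an upgrade step that must be repeated for every role that is expected to reach ``/rest``, and should describe what a client whose user lacks the permission receives, since a silent change from "works" to "rejected" after an upgrade is exactly what an operator will be debugging. Second, the last sentence places the grant "near where other permissions like "Web Access" or "Email Access" are assigned" but does not say whether 'Rest Access' is checked in addition to 'Web Access' for a REST request or instead of it; one sentence settling that removes the ambiguity. Minor: the paragraph writes "rest api" where the rest of the section uses "REST API"; suggest "Users have to be authorized to use the REST API: the user must have the "Rest Access" permission."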
1384 db.security.addPermissionToRole("User:timelog", perm) 1393 db.security.addPermissionToRole("User:timelog", perm)
1385 perm = db.security.addPermission(name='Edit', klass='issue', 1394 perm = db.security.addPermission(name='Edit', klass='issue',
1386 properties=('id', 'times'), 1395 properties=('id', 'times'),
1387 description="Allow editing timelog for issue", props_only=False) 1396 description="Allow editing timelog for issue", props_only=False)
1388 db.security.addPermissionToRole("User:timelog", perm) 1397 db.security.addPermissionToRole("User:timelog", perm)
1398 db.security.addPermissionToRole('User:timelog', 'Rest Access')
1389 1399
1390 Then role is named to work with the jwt issue rest call. Starting the role 1400 Then role is named to work with the jwt issue rest call. Starting the role
1391 name with ``User:`` allows the jwt issue code to create a token with 1401 name with ``User:`` allows the jwt issue code to create a token with
1392 this role if the user requesting the role has the User role. 1402 this role if the user requesting the role has the User role.
1393 1403
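Review bot: the added `db.security.addPermissionToRole('User:timelog', 'Rest Access')` at line 1398 is dropped into the schema example with no explanatory sentence, although the paragraph that follows exists to explain why this role is shaped the way it is for the jwt issue rest call. The text should say why the grant belongs here: presumably the 'Rest Access' check is applied to the roles carried in the token, so a token restricted to 'User:timelog' could not use the REST API unless that role itself carries the permission. If the check works differently, the sentence should say what is evaluated instead; as written a reader cannot tell whether the line is required for the token to work or merely illustrative. Minor: "Then role is named to work with the jwt issue rest call" is missing "the" ("Then the role is named ...").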

Roundup Issue Tracker: http://roundup-tracker.org/