Mercurial Repository: p/roundup/code: roundup/rest.py comparison

comparison roundup/rest.py @ 6086:c172bd18fa94

REST API: 403 on non-searchable properties issue2551051: Return a 403 on non-existing or non-searchable transitive properties when queried via REST-API (same behavior for sorting and searching).

author	Ralf Schlatterbeck <rsc@runtux.com>
date	Wed, 12 Feb 2020 12:35:33 +0100
parents	d56e290ecab7
children	f564e5152134 00a24243887c

comparison

equal deleted inserted replaced

-:7c8d3bd0deb6
+:c172bd18fa94
 # non-existing properties.
 if self.db.security.hasSearchPermission(
 uid, class_name, pn
 ):
 sort.append((ss, pn))
+else :
+raise (Unauthorised (
+'User does not have search permission on "%s.%s"'
+% (class_name, pn)))
 elif key.startswith("@"):
 # ignore any unsupported/previously handled control key
 # like @apiver
 pass
 else:  # serve the filter purpose
 # Note that hasSearchPermission already returns 0 for
 # non-existing properties.
 if not self.db.security.hasSearchPermission(
 uid, class_name, key
 ):
-continue
+raise (Unauthorised (
+'User does not have search permission on "%s.%s"'
+% (class_name, key)))
 linkcls = class_obj
 for p in key.split('.'):
 prop = linkcls.getprops(protected=True)[p]
 linkcls = getattr(prop, 'classname', None)

Mercurial > p > roundup > code

comparison roundup/rest.py @ 6086:c172bd18fa94