Mercurial > p > roundup > code
comparison roundup/actions.py @ 5604:ed02a1e0aa5d REST-rebased
Fix actions
Permission for retire in roundup/actions.py was with 'Edit' permission,
not 'Retire' permission. Add a 'restore' action to roundup/actions.py.
Both are now correctly used in rest.py and xmlrpc.py (the latter had
some errors when printint error messages).
Also reworked the rest implementation: Despite the warnings in the
roundup API in hyperdb.py the DELETE http method would *destroy* and not
*retire* an item. This has been fixed. We also do not allow retire of a
complete class (although this was implemented) because this seems to
dangerous and we see no use-case.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Wed, 30 Jan 2019 14:12:27 +0100 |
| parents | a7541077cf12 |
| children | 48a1f919f894 |
comparison
equal
deleted
inserted
replaced
| 5603:79da1ca2f94b | 5604:ed02a1e0aa5d |
|---|---|
| 1 # | 1 # |
| 2 # Copyright (C) 2009 Stefan Seefeld | 2 # Copyright (C) 2009 Stefan Seefeld |
| 3 # All rights reserved. | 3 # All rights reserved. |
| 4 # For license terms see the file COPYING.txt. | 4 # For license terms see the file COPYING.txt. |
| 5 # Actions used in REST and XMLRPC APIs | |
| 5 # | 6 # |
| 6 | 7 |
| 7 from roundup.exceptions import Unauthorised | 8 from roundup.exceptions import Unauthorised |
| 8 from roundup import hyperdb | 9 from roundup import hyperdb |
| 9 from roundup.i18n import _ | 10 from roundup.i18n import _ |
| 38 | 39 |
| 39 | 40 |
| 40 _ = gettext | 41 _ = gettext |
| 41 | 42 |
| 42 | 43 |
| 43 class Retire(Action): | 44 class PermCheck(Action): |
| 45 def permission(self, designator): | |
| 46 | |
| 47 classname, itemid = hyperdb.splitDesignator(designator) | |
| 48 perm = self.db.security.hasPermission | |
| 49 | |
| 50 if not perm('Retire', self.db.getuid(), classname=classname | |
| 51 , itemid=itemid): | |
| 52 raise Unauthorised(self._('You do not have permission to retire ' | |
| 53 'or restore the %(classname)s class.') | |
| 54 %locals()) | |
| 55 | |
| 56 class Retire(PermCheck): | |
| 44 | 57 |
| 45 def handle(self, designator): | 58 def handle(self, designator): |
| 46 | 59 |
| 47 classname, itemid = hyperdb.splitDesignator(designator) | 60 classname, itemid = hyperdb.splitDesignator(designator) |
| 48 | 61 |
| 55 # do the retire | 68 # do the retire |
| 56 self.db.getclass(classname).retire(itemid) | 69 self.db.getclass(classname).retire(itemid) |
| 57 self.db.commit() | 70 self.db.commit() |
| 58 | 71 |
| 59 | 72 |
| 60 def permission(self, designator): | 73 class Restore(PermCheck): |
| 74 | |
| 75 def handle(self, designator): | |
| 61 | 76 |
| 62 classname, itemid = hyperdb.splitDesignator(designator) | 77 classname, itemid = hyperdb.splitDesignator(designator) |
| 63 | 78 |
| 64 if not self.db.security.hasPermission('Edit', self.db.getuid(), | 79 # do the restore |
| 65 classname=classname, itemid=itemid): | 80 self.db.getclass(classname).restore(itemid) |
| 66 raise Unauthorised(self._('You do not have permission to ' | 81 self.db.commit() |
| 67 'retire the %(classname)s class.')%classname) | 82 |
| 68 |