Mercurial Repository: p/roundup/code: roundup/rest.py comparison

comparison roundup/rest.py @ 5604:ed02a1e0aa5d REST-rebased

Fix actions Permission for retire in roundup/actions.py was with 'Edit' permission, not 'Retire' permission. Add a 'restore' action to roundup/actions.py. Both are now correctly used in rest.py and xmlrpc.py (the latter had some errors when printint error messages). Also reworked the rest implementation: Despite the warnings in the roundup API in hyperdb.py the DELETE http method would *destroy* and not *retire* an item. This has been fixed. We also do not allow retire of a complete class (although this was implemented) because this seems to dangerous and we see no use-case.

author	Ralf Schlatterbeck <rsc@runtux.com>
date	Wed, 30 Jan 2019 14:12:27 +0100
parents	c40d04915e23
children	aa4c271514ae

comparison

equal deleted inserted replaced

-:79da1ca2f94b
+:ed02a1e0aa5d
 def __init__(self, client, db):
 self.client = client
 self.db = db
 self.translator = client.translator
-self.actions = client.instance.actions.copy()
+# This used to be initialized from client.instance.actions which
-self.actions.update({'retire': actions.Retire})
+# would include too many actions that do not make sense in the
+# REST-API context, so for now we only permit the retire and
+# restore actions.
+self.actions = dict (retire = actions.Retire, restore = actions.Restore)
 protocol = 'http'
 host = self.client.env['HTTP_HOST']
 tracker = self.client.env['TRACKER_NAME']
 self.base_path = '%s://%s/%s/rest' % (protocol, host, tracker)
 return 200, result
 @Routing.route("/data/<:class_name>", 'DELETE')
 @_data_decorator
 def delete_collection(self, class_name, input):
-"""DELETE all objects in a class
+"""DELETE (retire) all objects in a class
+There is currently no use-case, so this is disabled and
+always returns Unauthorised.
 Args:
 class_name (string): class name of the resource (Ex: issue, msg)
 input (list): the submitted form of the user
 int: http status code 200 (OK)
 dict:
 status (string): 'ok'
 count (int): number of deleted objects
 """
+raise Unauthorised('Deletion of a whole class disabled')
 if class_name not in self.db.classes:
 raise NotFound('Class %s not found' % class_name)
 if not self.db.security.hasPermission(
-'Delete', self.db.getuid(), class_name
+'Retire', self.db.getuid(), class_name
 ):
 raise Unauthorised('Permission to delete %s denied' % class_name)
 class_obj = self.db.getclass(class_name)
 for item_id in class_obj.list():
 if not self.db.security.hasPermission(
-'Delete', self.db.getuid(), class_name, itemid=item_id
+'Retire', self.db.getuid(), class_name, itemid=item_id
 ):
 raise Unauthorised(
-'Permission to delete %s %s denied' % (class_name, item_id)
+'Permission to retire %s %s denied' % (class_name, item_id)
 )
 count = len(class_obj.list())
 for item_id in class_obj.list():
-self.db.destroynode(class_name, item_id)
+class_obj.retire (item_id)
 self.db.commit()
 result = {
 'status': 'ok',
 'count': count
 return 200, result
 @Routing.route("/data/<:class_name>/<:item_id>", 'DELETE')
 @_data_decorator
 def delete_element(self, class_name, item_id, input):
-"""DELETE an object in a class
+"""DELETE (retire) an object in a class
 Args:
 class_name (string): class name of the resource (Ex: issue, msg)
 item_id (string): id of the resource (Ex: 12, 15)
 input (list): the submitted form of the user
 dict:
 status (string): 'ok'
 """
 if class_name not in self.db.classes:
 raise NotFound('Class %s not found' % class_name)
+class_obj = self.db.classes [class_name]
 if not self.db.security.hasPermission(
-'Delete', self.db.getuid(), class_name, itemid=item_id
+'Retire', self.db.getuid(), class_name, itemid=item_id
 ):
 raise Unauthorised(
-'Permission to delete %s %s denied' % (class_name, item_id)
+'Permission to retire %s %s denied' % (class_name, item_id)
 )
-self.db.destroynode(class_name, item_id)
+class_obj.retire (item_id)
 self.db.commit()
 result = {
 'status': 'ok'
 }

Mercurial > p > roundup > code

comparison roundup/rest.py @ 5604:ed02a1e0aa5d REST-rebased