Mercurial Repository: p/roundup/code: roundup/rest.py comparison

comparison roundup/rest.py @ 5680:f77209ddd579

Refactored REST code that formats an item for display. A GET on /class_name or /class_name/item_id use the same back end code. So both now support use of @fields (or @attrs) as a comma (or colon) separated list of property names to display. @verbose is respected for all data for /class_name. This also obscures passwords so they don't leak even in encrypted form.

author	John Rouillard <rouilj@ieee.org>
date	Fri, 29 Mar 2019 23:57:13 -0400
parents	df9eb574b717
children	6457fd696a43

comparison

equal deleted inserted replaced

-:df9eb574b717
+:f77209ddd579
 item_id):
 raise PreconditionFailed(
 "If-Match is missing or does not match."
 " Retrieve asset and retry modification if valid.")
-@Routing.route("/data/<:class_name>", 'GET')
+def format_item(self, node, item_id, props=None, verbose=1):
-@_data_decorator
+''' display class obj as requested by verbose and
-def get_collection(self, class_name, input):
+props.
-"""GET resource from class URI.
+'''
-This function returns only items have View permission
-class_name should be valid already
-Args:
-class_name (string): class name of the resource (Ex: issue, msg)
-input (list): the submitted form of the user
-Returns:
-int: http status code 200 (OK)
-list: list of reference item in the class
-id: id of the object
-link: path to the object
-"""
-if class_name not in self.db.classes:
-raise NotFound('Class %s not found' % class_name)
 uid = self.db.getuid()
+class_name = node.cl.classname
-if not self.db.security.hasPermission(
-'View', uid, class_name
-):
-raise Unauthorised('Permission to view %s denied' % class_name)
-class_obj = self.db.getclass(class_name)
-class_path = '%s/%s/' % (self.data_path, class_name)
-# Handle filtering and pagination
-filter_props = {}
-page = {
-'size': None,
-'index': 1   # setting just size starts at page 1
-}
-verbose = 1
-for form_field in input.value:
-key = form_field.name
-value = form_field.value
-if key.startswith("@page_"):  # serve the paging purpose
-key = key[6:]
-value = int(value)
-page[key] = value
-elif key == "@verbose":
-verbose = int (value)
-else: # serve the filter purpose
-prop = class_obj.getprops()[key]
-# We drop properties without search permission silently
-# This reflects the current behavior of other roundup
-# interfaces
-if not self.db.security.hasSearchPermission(
-uid, class_name, key
-):
-continue
-if isinstance (prop, (hyperdb.Link, hyperdb.Multilink)):
-vals = []
-linkcls = self.db.getclass (prop.classname)
-for p in value.split(","):
-if prop.try_id_parsing and p.isdigit():
-vals.append(p)
-else:
-vals.append(linkcls.lookup(p))
-filter_props[key] = vals
-else:
-filter_props[key] = value
-if not filter_props:
-obj_list = class_obj.list()
-else:
-obj_list = class_obj.filter(None, filter_props)
-# extract result from data
-result={}
-result['collection'] = [
-{'id': item_id, 'link': class_path + item_id}
-for item_id in obj_list
-if self.db.security.hasPermission(
-'View', uid, class_name, itemid=item_id
-)
-]
-# add verbose elements. First identifying label.
-if verbose > 1:
-label = class_obj.labelprop()
-for obj in result['collection']:
-id = obj['id']
-if self.db.security.hasPermission(
-'View', uid, class_name, property=label,
-itemid=id
-):
-obj[label] = class_obj.get(id, label)
-result_len = len(result['collection'])
-# pagination - page_index from 1...N
-if page['size'] is not None:
-page_start = max((page['index']-1) * page['size'], 0)
-page_end = min(page_start + page['size'], result_len)
-result['collection'] = result['collection'][page_start:page_end]
-result['@links'] = {}
-for rel in ('next', 'prev', 'self'):
-if rel == 'next':
-# if current index includes all data, continue
-if page['index']*page['size'] > result_len: continue
-index=page['index']+1
-if rel == 'prev':
-if page['index'] <= 1: continue
-index=page['index']-1
-if rel == 'self': index=page['index']
-result['@links'][rel] = []
-result['@links'][rel].append({
-'rel': rel,
-'uri': "%s/%s?@page_index=%s&"%(self.data_path,
-class_name,index) \
-+ '&'.join([ "%s=%s"%(field.name,field.value) \
-for field in input.value \
-if field.name != "@page_index"]) })
-result['@total_size'] = result_len
-self.client.setHeader("X-Count-Total", str(result_len))
-return 200, result
-@Routing.route("/data/<:class_name>/<:item_id>", 'GET')
-@_data_decorator
-def get_element(self, class_name, item_id, input):
-"""GET resource from object URI.
-This function returns only properties have View permission
-class_name and item_id should be valid already
-Args:
-class_name (string): class name of the resource (Ex: issue, msg)
-item_id (string): id of the resource (Ex: 12, 15)
-or (if the class has a key property) this can also be
-the key name, e.g. class_name = status, item_id = 'open'
-input (list): the submitted form of the user
-Returns:
-int: http status code 200 (OK)
-dict: a dictionary represents the object
-id: id of the object
-type: class name of the object
-link: link to the object
-attributes: a dictionary represent the attributes of the object
-"""
-if class_name not in self.db.classes:
-raise NotFound('Class %s not found' % class_name)
-class_obj = self.db.getclass(class_name)
-uid = self.db.getuid()
-# If it's not numeric it is a key
-if item_id.isdigit():
-itemid = item_id
-else:
-keyprop = class_obj.getkey()
-try:
-k, v = item_id.split('=', 1)
-if k != keyprop:
-raise UsageError ("Not key property")
-except ValueError:
-v = item_id
-pass
-if not self.db.security.hasPermission(
-'View', uid, class_name, itemid=item_id, property=keyprop
-):
-raise Unauthorised(
-'Permission to view %s%s.%s denied'
-% (class_name, item_id, keyprop)
-)
-itemid = class_obj.lookup(v)
-if not self.db.security.hasPermission(
-'View', uid, class_name, itemid=itemid
-):
-raise Unauthorised(
-'Permission to view %s%s denied' % (class_name, itemid)
-)
-node = class_obj.getnode(itemid)
-etag = calculate_etag(node, class_name, itemid)
-props = None
-protected=False
-verbose=1
-for form_field in input.value:
-key = form_field.name
-value = form_field.value
-if key == "@fields":
-props = value.split(",")
-if key == "@protected":
-# allow client to request read only
-# properties like creator, activity etc.
-protected = value.lower() == "true"
-if key == "@verbose":
-verbose = int (value)
 result = {}
-if props is None:
-props = class_obj.getprops(protected=protected)
 try:
+# pn = propname
 for pn in sorted(props):
 prop = props[pn]
 if not self.db.security.hasPermission(
-'View', uid, class_name, pn, itemid
+'View', uid, class_name, pn, item_id
 ):
 continue
 v = getattr(node, pn)
 if isinstance (prop, (hyperdb.Link, hyperdb.Multilink)):
 linkcls = self.db.getclass (prop.classname)
 u = self.db.config.TRACKER_WEB
 p = u + '%s%s/' % (class_name, node.id)
 result[pn] = dict(link = p)
 else:
 result[pn] = v
+elif isinstance(prop, hyperdb.Password):
+if v != None: # locked users like anonymous have None
+result[pn] = "[password hidden scheme %s]"%v.scheme
+else:
+# Don't divulge it's a locked account. Choose most
+# secure as default.
+result[pn] = "[password hidden scheme PBKDF2]"
 else:
 result[pn] = v
 except KeyError as msg:
 raise UsageError("%s field not valid" % msg)
+return result
+@Routing.route("/data/<:class_name>", 'GET')
+@_data_decorator
+def get_collection(self, class_name, input):
+"""GET resource from class URI.
+This function returns only items have View permission
+class_name should be valid already
+Args:
+class_name (string): class name of the resource (Ex: issue, msg)
+input (list): the submitted form of the user
+Returns:
+int: http status code 200 (OK)
+list: list of reference item in the class
+id: id of the object
+link: path to the object
+"""
+if class_name not in self.db.classes:
+raise NotFound('Class %s not found' % class_name)
+uid = self.db.getuid()
+if not self.db.security.hasPermission(
+'View', uid, class_name
+):
+raise Unauthorised('Permission to view %s denied' % class_name)
+class_obj = self.db.getclass(class_name)
+class_path = '%s/%s/' % (self.data_path, class_name)
+# Handle filtering and pagination
+filter_props = {}
+page = {
+'size': None,
+'index': 1   # setting just size starts at page 1
+}
+verbose = 1
+display_props = {}
+for form_field in input.value:
+key = form_field.name
+value = form_field.value
+if key.startswith("@page_"):  # serve the paging purpose
+key = key[6:]
+value = int(value)
+page[key] = value
+elif key == "@verbose":
+verbose = int (value)
+elif key == "@fields" or key == "@attrs":
+f = value.split(",")
+if len(f) == 1:
+f=value.split(",")
+for i in f:
+display_props[i] = class_obj.properties[i]
+else: # serve the filter purpose
+prop = class_obj.getprops()[key]
+# We drop properties without search permission silently
+# This reflects the current behavior of other roundup
+# interfaces
+if not self.db.security.hasSearchPermission(
+uid, class_name, key
+):
+continue
+if isinstance (prop, (hyperdb.Link, hyperdb.Multilink)):
+vals = []
+linkcls = self.db.getclass (prop.classname)
+for p in value.split(","):
+if prop.try_id_parsing and p.isdigit():
+vals.append(p)
+else:
+vals.append(linkcls.lookup(p))
+filter_props[key] = vals
+else:
+filter_props[key] = value
+if not filter_props:
+obj_list = class_obj.list()
+else:
+obj_list = class_obj.filter(None, filter_props)
+# Sort list as specified by sortorder
+# This is more useful for things where there is an
+# explicit order. E.G. status has an order that is
+# roughly the progression of the issue through
+# the states so open is before closed.
+obj_list.sort()
+# add verbose elements. 2 and above get identifying label.
+if verbose > 1:
+lp = class_obj.labelprop()
+display_props[lp] = class_obj.properties[lp]
+# extract result from data
+result={}
+result['collection']=[]
+for item_id in obj_list:
+if self.db.security.hasPermission(
+'View', uid, class_name, itemid=item_id):
+r = {'id': item_id, 'link': class_path + item_id}
+if display_props:
+r.update(self.format_item(class_obj.getnode(item_id),
+item_id,
+props=display_props,
+verbose=verbose))
+result['collection'].append(r)
+result_len = len(result['collection'])
+# pagination - page_index from 1...N
+if page['size'] is not None:
+page_start = max((page['index']-1) * page['size'], 0)
+page_end = min(page_start + page['size'], result_len)
+result['collection'] = result['collection'][page_start:page_end]
+result['@links'] = {}
+for rel in ('next', 'prev', 'self'):
+if rel == 'next':
+# if current index includes all data, continue
+if page['index']*page['size'] > result_len: continue
+index=page['index']+1
+if rel == 'prev':
+if page['index'] <= 1: continue
+index=page['index']-1
+if rel == 'self': index=page['index']
+result['@links'][rel] = []
+result['@links'][rel].append({
+'rel': rel,
+'uri': "%s/%s?@page_index=%s&"%(self.data_path,
+class_name,index) \
++ '&'.join([ "%s=%s"%(field.name,field.value) \
+for field in input.value \
+if field.name != "@page_index"]) })
+result['@total_size'] = result_len
+self.client.setHeader("X-Count-Total", str(result_len))
+return 200, result
+@Routing.route("/data/<:class_name>/<:item_id>", 'GET')
+@_data_decorator
+def get_element(self, class_name, item_id, input):
+"""GET resource from object URI.
+This function returns only properties have View permission
+class_name and item_id should be valid already
+Args:
+class_name (string): class name of the resource (Ex: issue, msg)
+item_id (string): id of the resource (Ex: 12, 15)
+or (if the class has a key property) this can also be
+the key name, e.g. class_name = status, item_id = 'open'
+input (list): the submitted form of the user
+Returns:
+int: http status code 200 (OK)
+dict: a dictionary represents the object
+id: id of the object
+type: class name of the object
+link: link to the object
+attributes: a dictionary represent the attributes of the object
+"""
+if class_name not in self.db.classes:
+raise NotFound('Class %s not found' % class_name)
+class_obj = self.db.getclass(class_name)
+uid = self.db.getuid()
+# If it's not numeric it is a key
+if item_id.isdigit():
+itemid = item_id
+else:
+keyprop = class_obj.getkey()
+try:
+k, v = item_id.split('=', 1)
+if k != keyprop:
+raise UsageError ("Not key property")
+except ValueError:
+v = item_id
+pass
+if not self.db.security.hasPermission(
+'View', uid, class_name, itemid=item_id, property=keyprop
+):
+raise Unauthorised(
+'Permission to view %s%s.%s denied'
+% (class_name, item_id, keyprop)
+)
+itemid = class_obj.lookup(v)
+if not self.db.security.hasPermission(
+'View', uid, class_name, itemid=itemid
+):
+raise Unauthorised(
+'Permission to view %s%s denied' % (class_name, itemid)
+)
+node = class_obj.getnode(itemid)
+etag = calculate_etag(node, class_name, itemid)
+props = None
+protected=False
+verbose=1
+for form_field in input.value:
+key = form_field.name
+value = form_field.value
+if key == "@fields" or key == "@attrs":
+if props is None:
+props = {}
+# support , or : separated elements
+f=value.split(",")
+if len(f) == 1:
+f=value.split(":")
+for i in f:
+props[i] = class_obj.properties[i]
+elif key == "@protected":
+# allow client to request read only
+# properties like creator, activity etc.
+# used only if no @fields/@attrs
+protected = value.lower() == "true"
+elif key == "@verbose":
+verbose = int (value)
+result = {}
+if props is None:
+props = class_obj.getprops(protected=protected)
+else:
+if verbose > 1:
+lp = class_obj.labelprop()
+props[lp] = class_obj.properties[lp]
 result = {
 'id': itemid,
 'type': class_name,
 'link': '%s/%s/%s' % (self.data_path, class_name, item_id),
-'attributes': dict(result),
+'attributes': self.format_item(node, itemid, props=props,
+verbose=verbose),
 '@etag': etag
 }
 self.client.setHeader("ETag", etag)
 return 200, result

Mercurial > p > roundup > code

comparison roundup/rest.py @ 5680:f77209ddd579