Mercurial > p > roundup > code
comparison roundup/rest.py @ 8126:f7bd22bdef9d permission-performance
Move permission check code to hyperdb
Now the hyperdb has a method filter_with_permissions that performs the
permission checks before (for filtering on sort/group/filterspec
arguments) and after a call to hyperdb.filter.
This also fixes possible problems on the unfiltered
sort/group/filterspec arguments in roundup/rest.py and
roundup/cgi/templating.py
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Mon, 21 Oct 2024 18:12:03 +0200 |
| parents | 8e310a7b5e09 |
| children | 2967f37e73e4 |
comparison
equal
deleted
inserted
replaced
| 8125:b358da7c89e5 | 8126:f7bd22bdef9d |
|---|---|
| 951 "max_size": self.max_response_row_size, | 951 "max_size": self.max_response_row_size, |
| 952 }) | 952 }) |
| 953 kw['limit'] = self.max_response_row_size | 953 kw['limit'] = self.max_response_row_size |
| 954 if page['index'] is not None and page['index'] > 1: | 954 if page['index'] is not None and page['index'] > 1: |
| 955 kw['offset'] = (page['index'] - 1) * page['size'] | 955 kw['offset'] = (page['index'] - 1) * page['size'] |
| 956 obj_list = class_obj.filter(None, *l, **kw) | 956 obj_list = class_obj.filter_with_permissions(None, *l, **kw) |
| 957 | 957 |
| 958 # Have we hit the max number of returned rows? | 958 # Have we hit the max number of returned rows? |
| 959 # If so there may be more data that the client | 959 # If so there may be more data that the client |
| 960 # has to explicitly page through using offset/@page_index. | 960 # has to explicitly page through using offset/@page_index. |
| 961 overflow = len(obj_list) == self.max_response_row_size | 961 overflow = len(obj_list) == self.max_response_row_size |
| 971 # extract result from data | 971 # extract result from data |
| 972 result = {} | 972 result = {} |
| 973 result['collection'] = [] | 973 result['collection'] = [] |
| 974 for item_id in obj_list: | 974 for item_id in obj_list: |
| 975 r = {} | 975 r = {} |
| 976 if self.db.security.hasPermission( | 976 # No need to check permission on id here, as we have only |
| 977 'View', uid, class_name, itemid=item_id, property='id', | 977 # security-checked results |
| 978 ): | 978 r = {'id': item_id, 'link': class_path + item_id} |
| 979 r = {'id': item_id, 'link': class_path + item_id} | |
| 980 if display_props: | 979 if display_props: |
| 981 # format_item does the permission checks | 980 # format_item does the permission checks |
| 982 r.update(self.format_item(class_obj.getnode(item_id), | 981 r.update(self.format_item(class_obj.getnode(item_id), |
| 983 item_id, props=display_props, verbose=verbose)) | 982 item_id, props=display_props, verbose=verbose)) |
| 984 if r: | 983 if r: |