diff roundup/rest.py @ 5702:61874fd78ced

Fix OPTIONS responses: Remove all HEAD methods as they return errors. Do not advertise writable methods for the class/id/property path if the property is read only (i.e. a protected prop). Collections do not have PUT, PATCH, DELETE (DELETE is accepted but always returns a 400 code).
author John Rouillard <rouilj@ieee.org>
date Wed, 10 Apr 2019 17:56:08 -0400
parents fabb12ba9466
children 457fc482e6b1
--- a/roundup/rest.py	Wed Apr 10 17:46:51 2019 -0400
+++ b/roundup/rest.py	Wed Apr 10 17:56:08 2019 -0400
@@ -1305,6 +1305,10 @@
         """
         if class_name not in self.db.classes:
             raise NotFound('Class %s not found' % class_name)
+        self.client.setHeader(
+            "Allow",
+            "OPTIONS, GET, POST"
+        )
         return 204, ""
 
     @Routing.route("/data/<:class_name>/<:item_id>", 'OPTIONS')
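Review bot: The Allow value added after the class-existence check describes the methods the route implements, not what the requesting user may do — a caller without Create permission on the class is still told POST is allowed and only finds out otherwise from the POST response. That is consistent with how Allow is defined (it characterises the target resource), but nothing in the hunk says so, and the later branching on protected properties in this same commit makes it look as if Allow were being tailored to the caller. A one-line comment above the setHeader call would prevent the header from being mistaken for an authorization check: `# Allow lists the methods this route implements, not the methods the current user is permitted to use; permissions are presumably enforced by the individual handlers.` The enclosing OPTIONS handler starts before this hunk.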
@@ -1322,6 +1326,10 @@
             "Accept-Patch",
             "application/x-www-form-urlencoded, multipart/form-data"
         )
+        self.client.setHeader(
+            "Allow",
+            "OPTIONS, GET, PUT, DELETE, PATCH"
+        )
         return 204, ""
 
     @Routing.route("/data/<:class_name>/<:item_id>/<:attr_name>", 'OPTIONS')
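Review bot: The item-level Allow string `"OPTIONS, GET, PUT, DELETE, PATCH"` and the Accept-Patch string are now repeated verbatim in this handler and in the property handler below, so the two lists can silently drift the next time a method is added or removed (this commit itself is a fix for exactly that kind of drift with HEAD). Hoisting them into module-level constants, e.g. `ITEM_ALLOW = "OPTIONS, GET, PUT, DELETE, PATCH"` and `ACCEPT_PATCH = "application/x-www-form-urlencoded, multipart/form-data"`, and referencing those in both setHeader calls keeps the advertised method set in one place. The hunk also returns 204 with the full write set for any item_id; whether the item's existence is validated earlier in the function cannot be seen here, as the handler starts before the hunk.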
@@ -1335,10 +1343,25 @@
         """
         if class_name not in self.db.classes:
             raise NotFound('Class %s not found' % class_name)
-        self.client.setHeader(
-            "Accept-Patch",
-            "application/x-www-form-urlencoded, multipart/form-data"
-        )
+        class_obj = self.db.getclass(class_name)
+        if attr_name in class_obj.getprops(protected=False):
+            self.client.setHeader(
+                "Accept-Patch",
+                "application/x-www-form-urlencoded, multipart/form-data"
+            )
+            self.client.setHeader(
+                "Allow",
+                "OPTIONS, GET, PUT, DELETE, PATCH"
+            )
+        elif attr_name in class_obj.getprops(protected=True):
+            # It must match a protected prop. These can't be written.
+            self.client.setHeader(
+                "Allow",
+                "OPTIONS, GET"
+            )
+        else:
+            raise NotFound('Attribute %s not valid for Class %s' %(
+                attr_name,class_name))
         return 204, ""
 
     @Routing.route("/")
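Review bot: The new branching on getprops() makes the OPTIONS response disclose schema detail — whether an attribute exists (204 vs. NotFound) and whether it is writable (PUT/DELETE/PATCH present or not) — and no permission check is visible in the hunk, only the class-existence check; if GET on the same path is gated by View permission elsewhere, OPTIONS now lets an unauthorised caller enumerate property names and their writability that GET would refuse. If schema enumeration is intended to be public, state it next to the branch, e.g. `# No permission check: Allow reflects the schema (writable vs. protected), not the caller's rights — presumably enforced by the handlers`; otherwise the same permission guard the handlers use should precede the getprops() calls. A smaller point of style on the final raise: the argument formatting is cramped and would read better as `raise NotFound('Attribute %s not valid for Class %s' % (attr_name, class_name))`. The handler starts before this hunk.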
@@ -1504,7 +1527,7 @@
         )
         self.client.setHeader(
             "Allow",
-            "HEAD, OPTIONS, GET, POST, PUT, DELETE, PATCH"
+            "OPTIONS, GET, POST, PUT, DELETE, PATCH"
         )
         self.client.setHeader(
             "Access-Control-Allow-Methods",
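Review bot: HEAD is dropped from the Allow header here, but the Access-Control-Allow-Methods value set on the very next statement lies outside the hunk, so it is not visible whether it still advertises HEAD; if it does, a CORS preflight would continue to offer a method the commit message says returns errors, and browsers consult Access-Control-Allow-Methods, not Allow. Deriving both headers from a single constant, e.g. `ROOT_ALLOW = "OPTIONS, GET, POST, PUT, DELETE, PATCH"` used in both setHeader calls, would make that drift impossible. The enclosing handler starts and ends outside this hunk.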
