diff roundup/rest.py @ 5679:df9eb574b717

REST: Bug-fixes. Don't lowercase the path; otherwise URL parameters are lowercased, too. Fix re-used variable in new item lookup.
author Ralf Schlatterbeck <rsc@runtux.com>
date Thu, 28 Mar 2019 18:21:29 +0100
parents b8e8b1b3ec77
children f77209ddd579
--- a/roundup/rest.py	Thu Mar 28 12:21:40 2019 +0100
+++ b/roundup/rest.py	Thu Mar 28 18:21:29 2019 +0100
@@ -284,8 +284,9 @@
 
     @classmethod
     def execute(cls, instance, path, method, input):
-        # format the input
-        path = path.strip('/').lower()
+        # format the input, note that we may not lowercase the path
+        # here, URL parameters are case-sensitive
+        path = path.strip('/')
         if path == 'rest':
             # allow handler to be called for /rest/
             path = 'rest/'
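Review bot: With `.lower()` removed, the `path == 'rest'` test on the following line and any route matching later in `execute` compare case-sensitively, so a request such as `/REST/` or a mixed-case class segment no longer matches where it did before. If that is intended, the new comment should state it, for example `# the whole path is matched case-sensitively from here on; class names and keys must use their exact case`. If it is not, only the fixed route segments should be normalised rather than the whole path. Handlers that take a class or property name from the path and pass it to a permission check now receive the caller's casing, so it is worth confirming that an unknown casing is rejected. The body of `execute` continues outside the hunk.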
@@ -623,7 +624,7 @@
         uid = self.db.getuid()
         # If it's not numeric it is a key
         if item_id.isdigit():
-            id = item_id
+            itemid = item_id
         else:
             keyprop = class_obj.getkey()
             try:
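Review bot: The context line `if item_id.isdigit():` decides whether the value is used as an id or resolved as a key, and on Python 3 `str.isdigit()` is also true for non-ASCII digit characters, so such input is assigned to `itemid` unchanged and skips the key-property branch. Whether that matters depends on how `hasPermission` and `getnode` interpret the string, which is not visible here. An ASCII-only test such as `if re.match(r'[0-9]+\Z', item_id):` would keep the id that is permission-checked and the id that is fetched unambiguous. The enclosing method starts and ends outside the hunk.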
@@ -640,16 +641,16 @@
                     'Permission to view %s%s.%s denied'
                     % (class_name, item_id, keyprop)
                 )
-            id = class_obj.lookup(v)
+            itemid = class_obj.lookup(v)
         if not self.db.security.hasPermission(
-            'View', uid, class_name, itemid=id
+            'View', uid, class_name, itemid=itemid
         ):
             raise Unauthorised(
-                'Permission to view %s%s denied' % (class_name, id)
+                'Permission to view %s%s denied' % (class_name, itemid)
             )
 
-        node = class_obj.getnode(id)
-        etag = calculate_etag(node, class_name, id)
+        node = class_obj.getnode(itemid)
+        etag = calculate_etag(node, class_name, itemid)
         props = None
         protected=False
         verbose=1
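Review bot: The second `Unauthorised` message interpolates `itemid`, which after `itemid = class_obj.lookup(v)` is the resolved id rather than the value the caller sent, so a caller who addressed the item by key and is denied View learns the internal id if the exception text is returned in the response. Formatting the message with the supplied value, `'Permission to view %s%s denied' % (class_name, item_id)`, keeps the denial from revealing the key-to-id mapping. The `lookup(v)` call is at the same indent as the `try:` opened above this hunk, so it is not visible here whether an unknown key becomes a not-found response or propagates as an unhandled error. The enclosing method starts and ends outside the hunk.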
@@ -666,7 +667,6 @@
                 verbose = int (value)
 
         result = {}
-        uid = self.db.getuid()
         if props is None:
             props = class_obj.getprops(protected=protected)
 
@@ -674,7 +674,7 @@
             for pn in sorted(props):
                 prop = props[pn]
                 if not self.db.security.hasPermission(
-                    'View', uid, class_name, pn, id
+                    'View', uid, class_name, pn, itemid
                 ):
                     continue
                 v = getattr(node, pn)
@@ -713,7 +713,7 @@
         except KeyError as msg:
             raise UsageError("%s field not valid" % msg)
         result = {
-            'id': id,
+            'id': itemid,
             'type': class_name,
             'link': '%s/%s/%s' % (self.data_path, class_name, item_id),
             'attributes': dict(result),
