diff roundup/actions.py @ 5604:ed02a1e0aa5d REST-rebased

Fix actions Permission for retire in roundup/actions.py was with 'Edit' permission, not 'Retire' permission. Add a 'restore' action to roundup/actions.py. Both are now correctly used in rest.py and xmlrpc.py (the latter had some errors when printing error messages). Also reworked the rest implementation: Despite the warnings in the roundup API in hyperdb.py the DELETE http method would *destroy* and not *retire* an item. This has been fixed. We also do not allow retire of a complete class (although this was implemented) because this seems too dangerous and we see no use-case.
author Ralf Schlatterbeck <rsc@runtux.com>
date Wed, 30 Jan 2019 14:12:27 +0100
parents a7541077cf12
children 48a1f919f894
--- a/roundup/actions.py	Wed Jan 30 13:58:18 2019 +0100
+++ b/roundup/actions.py	Wed Jan 30 14:12:27 2019 +0100
@@ -2,6 +2,7 @@
 # Copyright (C) 2009 Stefan Seefeld
 # All rights reserved.
 # For license terms see the file COPYING.txt.
+# Actions used in REST and XMLRPC APIs
 #
 
 from roundup.exceptions import Unauthorised
@@ -40,7 +41,19 @@
     _ = gettext
 
 
-class Retire(Action):
+class PermCheck(Action):
+    def permission(self, designator):
+
+        classname, itemid = hyperdb.splitDesignator(designator)
+        perm = self.db.security.hasPermission
+
+        if not perm('Retire', self.db.getuid(), classname=classname
+                   , itemid=itemid):
+            raise Unauthorised(self._('You do not have permission to retire '
+                                      'or restore the %(classname)s class.')
+                                      %locals())
+
+class Retire(PermCheck):
 
     def handle(self, designator):
 
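Review bot: The error message in `PermCheck.permission` is formatted with `%locals()`, which hands every local (`self`, `perm`, `itemid`, `designator`) to a format string that comes back from the translation catalogue; passing only what the message needs, `% {'classname': classname}`, keeps a faulty or altered translation from interpolating anything else. The check is made per item (`itemid=itemid`), but the message speaks of "the %(classname)s class", so a user denied on one item is told the whole class is off limits. The class name is generic while the permission is hard-coded to 'Retire', so a docstring such as `"""Base action requiring the 'Retire' permission on the designated item; shared by retire and restore."""` would make the contract explicit. `Retire.handle` continues outside the hunk.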
@@ -57,12 +70,13 @@
         self.db.commit()
 
 
-    def permission(self, designator):
+class Restore(PermCheck):
+
+    def handle(self, designator):
 
         classname, itemid = hyperdb.splitDesignator(designator)
 
-        if not self.db.security.hasPermission('Edit', self.db.getuid(),
-                                              classname=classname, itemid=itemid):
-            raise Unauthorised(self._('You do not have permission to '
-                                      'retire the %(classname)s class.')%classname)
-            
+        # do the restore
+        self.db.getclass(classname).restore(itemid)
+        self.db.commit()
+
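Review bot: `Restore.handle` has no docstring and does no authorisation of its own, so it is safe only if every caller runs `permission()` before it; the code that sequences the two is not in this hunk. Since the file header now says these actions back the REST and XML-RPC APIs, the contract is worth stating on the method, e.g. `"""Restore a retired item. Authorisation is done by PermCheck.permission(), which must run first."""`. If the backend's `restore()` can raise (not visible here), the API layers should map that to an error response rather than letting it escape. The hunk opens inside `Retire.handle`, whose start is outside it.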
