[Rt-commit] rt branch, 4.2/rest-search-refactor, updated. rt-4.0.1-238-ga68af35

? sunnavy sunnavy at bestpractical.com
Fri Jun 24 01:09:45 EDT 2011


The branch, 4.2/rest-search-refactor has been updated
       via  a68af358fc1f8db93b6b414169647db24644fac9 (commit)
       via  c91aeea42fff29d241b8152927db31162c6b797e (commit)
       via  ab289b239ed11f475c3a09e337ebbbfb4435edcc (commit)
      from  70014eab50519325698b0043654fa0ad20da0b67 (commit)

Summary of changes:
 share/html/REST/1.0/Forms/group/default |    9 ++-------
 share/html/REST/1.0/Forms/queue/default |   12 ++++--------
 share/html/REST/1.0/Forms/user/default  |   24 ++++++++----------------
 share/html/REST/1.0/search/dhandler     |   21 +++++++++++++++++++++
 4 files changed, 35 insertions(+), 31 deletions(-)

- Log -----------------------------------------------------------------
commit ab289b239ed11f475c3a09e337ebbbfb4435edcc
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Jun 24 12:13:36 2011 +0800

    clean some replicated code

diff --git a/share/html/REST/1.0/Forms/group/default b/share/html/REST/1.0/Forms/group/default
index 63fb119..29c6d18 100644
--- a/share/html/REST/1.0/Forms/group/default
+++ b/share/html/REST/1.0/Forms/group/default
@@ -59,14 +59,9 @@ my ($c, $o, $k, $e) = ("", [], {}, 0);
 my %data = %$changes;
 my $group = RT::Group->new($session{CurrentUser});
 
-my @fields;
+my @fields = qw(Name Description);
 if ( $fields && %$fields ) {
-    @fields =
-      grep { exists $fields->{ lc $_ } }
-      qw(Name Description);
-}
-else {
-    @fields = qw(Name Description);
+    @fields = grep { exists $fields->{ lc $_ } } @fields;
 }
 
 my %fields = map { lc $_ => $_ } @fields;
diff --git a/share/html/REST/1.0/Forms/queue/default b/share/html/REST/1.0/Forms/queue/default
index c651687..487b972 100755
--- a/share/html/REST/1.0/Forms/queue/default
+++ b/share/html/REST/1.0/Forms/queue/default
@@ -59,16 +59,12 @@ my ($c, $o, $k, $e) = ("", [], {}, 0);
 my %data = %$changes;
 my $queue = RT::Queue->new($session{CurrentUser});
 
-my @fields;
+my @fields =
+  qw(Name Description CorrespondAddress CommentAddress InitialPriority FinalPriority DefaultDueIn);
 if ( $fields && %$fields ) {
-    @fields =
-      grep { exists $fields->{ lc $_ } }
-      qw(Name Description CorrespondAddress CommentAddress InitialPriority FinalPriority DefaultDueIn);
-}
-else {
-    @fields = qw(Name Description CorrespondAddress CommentAddress
-                InitialPriority FinalPriority DefaultDueIn);
+    @fields = grep { exists $fields->{ lc $_ } } @fields;
 }
+
 my %fields = map { lc $_ => $_ } @fields;
 
 if ($id ne 'new') {
diff --git a/share/html/REST/1.0/Forms/user/default b/share/html/REST/1.0/Forms/user/default
index 2f5e6ab..d19c3c5 100755
--- a/share/html/REST/1.0/Forms/user/default
+++ b/share/html/REST/1.0/Forms/user/default
@@ -59,23 +59,15 @@ my ($c, $o, $k, $e) = ("", [], {}, 0);
 my %data = %$changes;
 my $user = RT::User->new($session{CurrentUser});
 
-my @fields;
+my @fields =
+  qw(Name EmailAddress RealName NickName Gecos Organization Address1
+  Address2 City State Zip Country HomePhone WorkPhone MobilePhone PagerPhone
+  FreeformContactInfo Comments Signature Lang EmailEncoding
+  WebEncoding ExternalContactInfoId ContactInfoSystem
+  ExternalAuthId AuthSystem Privileged Disabled);
+
 if ( $fields && %$fields ) {
-    @fields =
-      grep { exists $fields->{ lc $_ } }
-      qw(Name EmailAddress RealName NickName Gecos Organization Address1
-      Address2 City State Zip Country HomePhone WorkPhone MobilePhone PagerPhone
-      FreeformContactInfo Comments Signature Lang EmailEncoding
-      WebEncoding ExternalContactInfoId ContactInfoSystem
-      ExternalAuthId AuthSystem Privileged Disabled);
-}
-else {
-    @fields =
-      qw(Name EmailAddress RealName NickName Gecos Organization Address1
-      Address2 City State Zip Country HomePhone WorkPhone MobilePhone PagerPhone
-      FreeformContactInfo Comments Signature Lang EmailEncoding
-      WebEncoding ExternalContactInfoId ContactInfoSystem
-      ExternalAuthId AuthSystem Privileged Disabled);
+  @fields = grep { exists $fields->{ lc $_ } } @fields;
 }
 
 my %fields = map { lc $_ => $_ } @fields;
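Review bot: The filter line inside the `if` is indented two spaces (`  @fields = grep { exists $fields->{ lc $_ } } @fields;`) while the rest of this file and the equivalent blocks in group/default and queue/default in the same commit use four; reindent it to `    @fields = grep { exists $fields->{ lc $_ } } @fields;`. The lookup keys on `lc $_`, which presumably means `%$fields` arrives with lowercase keys; a one-line comment such as `# %$fields is keyed by lowercased field name` would save the next reader from checking the caller. The Mason component this sits in starts and ends outside the hunk.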

commit c91aeea42fff29d241b8152927db31162c6b797e
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Jun 24 12:30:02 2011 +0800

    shouldn't allow user to search password field

diff --git a/share/html/REST/1.0/search/dhandler b/share/html/REST/1.0/search/dhandler
index 7b128e7..80c901b 100755
--- a/share/html/REST/1.0/search/dhandler
+++ b/share/html/REST/1.0/search/dhandler
@@ -117,6 +117,12 @@ if ( $type =~ /^(ticket|queue|user|group)$/i ) {
             }
 
             if ( $field && $op && defined $value ) {
+                if ( $type eq 'user' && $field =~ /password/i ) {
+                    $status = "400 Bad Request";
+                    $output = "Invalid field specification: $field";
+                    goto OUTPUT;
+                }
+
                 $objects->Limit(
                     FIELD    => $field,
                     OPERATOR => uc $op,
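Review bot: The new guard is a denylist on a substring match (`$field =~ /password/i`) applied only to the `user` type, so every other column of the backing table remains a valid `FIELD` for `Limit`, and any future sensitive column must be remembered here by name. An allowlist of searchable fields per type is the safer shape and the same commit already enumerates those lists in the Forms/*/default components; the rejection would then read `unless ( $searchable{lc $field} )` with the same 400 response. Whether a non-matching field name is otherwise rejected or silently passed to `Limit` is decided outside this hunk. The enclosing loop starts and ends outside the hunk.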

commit a68af358fc1f8db93b6b414169647db24644fac9
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Jun 24 12:44:04 2011 +0800

    allow restful user search only if current user has AdminUsers right
    
    user data is sensitive and shouldn't be seen easily.
    besides, we don't have SeeUser right either.

diff --git a/share/html/REST/1.0/search/dhandler b/share/html/REST/1.0/search/dhandler
index 80c901b..e183d14 100755
--- a/share/html/REST/1.0/search/dhandler
+++ b/share/html/REST/1.0/search/dhandler
@@ -61,6 +61,21 @@ if ( $type =~ /^(ticket|queue|user|group)$/i ) {
     $status = "200 Ok";
     $output = '';
     my $type = lc $1;
+
+    if (
+        $type eq 'user'
+        && !$session{CurrentUser}->HasRight(
+            Object => $RT::System,
+            Right  => 'AdminUsers',
+        )
+      )
+    {
+
+        $status = "403 Forbidden";
+        $output = "Permission denied";
+        goto OUTPUT;
+    }
+
     my $class = 'RT::' . ucfirst $type . 's';
     my $objects = $class->new( $session{CurrentUser} );
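Review bot: The five-line condition and the stray blank line after the opening brace make the new authorization guard harder to read than it needs to be; hoist the right lookup into a named scalar, `my $can_admin_users = $session{CurrentUser}->HasRight( Object => $RT::System, Right => 'AdminUsers' );`, and collapse the test to `if ( $type eq 'user' && !$can_admin_users ) {` with the blank line dropped. The check is placed before the collection object is built, so a denied caller never reaches `Limit`, which is the right ordering. The `if` block on `$type` that this sits in starts and ends outside the hunk.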
 

-----------------------------------------------------------------------

