[Rt-commit] rt branch, 4.2/rest-search-refactor, updated. rt-4.0.1-238-ga68af35
? sunnavy
sunnavy at bestpractical.com
Fri Jun 24 01:09:45 EDT 2011
The branch, 4.2/rest-search-refactor has been updated
via a68af358fc1f8db93b6b414169647db24644fac9 (commit)
via c91aeea42fff29d241b8152927db31162c6b797e (commit)
via ab289b239ed11f475c3a09e337ebbbfb4435edcc (commit)
from 70014eab50519325698b0043654fa0ad20da0b67 (commit)
Summary of changes:
share/html/REST/1.0/Forms/group/default | 9 ++-------
share/html/REST/1.0/Forms/queue/default | 12 ++++--------
share/html/REST/1.0/Forms/user/default | 24 ++++++++----------------
share/html/REST/1.0/search/dhandler | 21 +++++++++++++++++++++
4 files changed, 35 insertions(+), 31 deletions(-)
- Log -----------------------------------------------------------------
commit ab289b239ed11f475c3a09e337ebbbfb4435edcc
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jun 24 12:13:36 2011 +0800
clean up some duplicated code
diff --git a/share/html/REST/1.0/Forms/group/default b/share/html/REST/1.0/Forms/group/default
index 63fb119..29c6d18 100644
--- a/share/html/REST/1.0/Forms/group/default
+++ b/share/html/REST/1.0/Forms/group/default
@@ -59,14 +59,9 @@ my ($c, $o, $k, $e) = ("", [], {}, 0);
my %data = %$changes;
my $group = RT::Group->new($session{CurrentUser});
-my @fields;
+my @fields = qw(Name Description);
if ( $fields && %$fields ) {
- @fields =
- grep { exists $fields->{ lc $_ } }
- qw(Name Description);
-}
-else {
- @fields = qw(Name Description);
+ @fields = grep { exists $fields->{ lc $_ } } @fields;
}
my %fields = map { lc $_ => $_ } @fields;
diff --git a/share/html/REST/1.0/Forms/queue/default b/share/html/REST/1.0/Forms/queue/default
index c651687..487b972 100755
--- a/share/html/REST/1.0/Forms/queue/default
+++ b/share/html/REST/1.0/Forms/queue/default
@@ -59,16 +59,12 @@ my ($c, $o, $k, $e) = ("", [], {}, 0);
my %data = %$changes;
my $queue = RT::Queue->new($session{CurrentUser});
-my @fields;
+my @fields =
+ qw(Name Description CorrespondAddress CommentAddress InitialPriority FinalPriority DefaultDueIn);
if ( $fields && %$fields ) {
- @fields =
- grep { exists $fields->{ lc $_ } }
- qw(Name Description CorrespondAddress CommentAddress InitialPriority FinalPriority DefaultDueIn);
-}
-else {
- @fields = qw(Name Description CorrespondAddress CommentAddress
- InitialPriority FinalPriority DefaultDueIn);
+ @fields = grep { exists $fields->{ lc $_ } } @fields;
}
+
my %fields = map { lc $_ => $_ } @fields;
if ($id ne 'new') {
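Review bot: The `qw(...)` on the second line of the new `my @fields =` assignment is considerably wider than the file's ~78-column convention; the parallel hunk in `Forms/user/default` wraps its list across several lines and this one could do the same for consistency. The refactor itself keeps behaviour: when `%$fields` is non-empty the list is filtered by the same `exists $fields->{ lc $_ }` test as before, otherwise the full list is kept. The filter is now repeated verbatim in `group/default`, `queue/default` and `user/default`; that duplication predates this commit, so only noting it.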
diff --git a/share/html/REST/1.0/Forms/user/default b/share/html/REST/1.0/Forms/user/default
index 2f5e6ab..d19c3c5 100755
--- a/share/html/REST/1.0/Forms/user/default
+++ b/share/html/REST/1.0/Forms/user/default
@@ -59,23 +59,15 @@ my ($c, $o, $k, $e) = ("", [], {}, 0);
my %data = %$changes;
my $user = RT::User->new($session{CurrentUser});
-my @fields;
+my @fields =
+ qw(Name EmailAddress RealName NickName Gecos Organization Address1
+ Address2 City State Zip Country HomePhone WorkPhone MobilePhone PagerPhone
+ FreeformContactInfo Comments Signature Lang EmailEncoding
+ WebEncoding ExternalContactInfoId ContactInfoSystem
+ ExternalAuthId AuthSystem Privileged Disabled);
+
if ( $fields && %$fields ) {
- @fields =
- grep { exists $fields->{ lc $_ } }
- qw(Name EmailAddress RealName NickName Gecos Organization Address1
- Address2 City State Zip Country HomePhone WorkPhone MobilePhone PagerPhone
- FreeformContactInfo Comments Signature Lang EmailEncoding
- WebEncoding ExternalContactInfoId ContactInfoSystem
- ExternalAuthId AuthSystem Privileged Disabled);
-}
-else {
- @fields =
- qw(Name EmailAddress RealName NickName Gecos Organization Address1
- Address2 City State Zip Country HomePhone WorkPhone MobilePhone PagerPhone
- FreeformContactInfo Comments Signature Lang EmailEncoding
- WebEncoding ExternalContactInfoId ContactInfoSystem
- ExternalAuthId AuthSystem Privileged Disabled);
+ @fields = grep { exists $fields->{ lc $_ } } @fields;
}
my %fields = map { lc $_ => $_ } @fields;
commit c91aeea42fff29d241b8152927db31162c6b797e
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jun 24 12:30:02 2011 +0800
shouldn't allow user to search password field
diff --git a/share/html/REST/1.0/search/dhandler b/share/html/REST/1.0/search/dhandler
index 7b128e7..80c901b 100755
--- a/share/html/REST/1.0/search/dhandler
+++ b/share/html/REST/1.0/search/dhandler
@@ -117,6 +117,12 @@ if ( $type =~ /^(ticket|queue|user|group)$/i ) {
}
if ( $field && $op && defined $value ) {
+ if ( $type eq 'user' && $field =~ /password/i ) {
+ $status = "400 Bad Request";
+ $output = "Invalid field specification: $field";
+ goto OUTPUT;
+ }
+
$objects->Limit(
FIELD => $field,
OPERATOR => uc $op,
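Review bot: The new guard is a deny-list: it rejects only a `$field` matching `/password/i`, so any other column name the client supplies still reaches `$objects->Limit( FIELD => $field, ...)` unchecked. Since `Forms/user/default` already carries the canonical list of user fields exposed over REST, inverting this into an allow-list against that list, e.g. `unless ( grep { lc $_ eq lc $field } @user_fields )` (name constructed), would also cover any other credential-like column without needing a per-name pattern. The 400 response echoes `$field` verbatim into `$output`; that matches the handler's existing messages, so I'd only note it. The enclosing `if` block continues past the hunk and the `OUTPUT` label is defined outside it.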
commit a68af358fc1f8db93b6b414169647db24644fac9
Author: sunnavy <sunnavy at bestpractical.com>
Date: Fri Jun 24 12:44:04 2011 +0800
allow restful user search only if current user has AdminUsers right
user data is sensitive and shouldn't be seen easily.
besides, we don't have SeeUser right either.
diff --git a/share/html/REST/1.0/search/dhandler b/share/html/REST/1.0/search/dhandler
index 80c901b..e183d14 100755
--- a/share/html/REST/1.0/search/dhandler
+++ b/share/html/REST/1.0/search/dhandler
@@ -61,6 +61,21 @@ if ( $type =~ /^(ticket|queue|user|group)$/i ) {
$status = "200 Ok";
$output = '';
my $type = lc $1;
+
+ if (
+ $type eq 'user'
+ && !$session{CurrentUser}->HasRight(
+ Object => $RT::System,
+ Right => 'AdminUsers',
+ )
+ )
+ {
+
+ $status = "403 Forbidden";
+ $output = "Permission denied";
+ goto OUTPUT;
+ }
+
my $class = 'RT::' . ucfirst $type . 's';
my $objects = $class->new( $session{CurrentUser} );
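Review bot: The right check deserves a why-comment, because only the commit message explains the choice of `AdminUsers`; something like `# RT has no SeeUser right, so gate user searches on AdminUsers to keep user records from being enumerated over REST` above the `if`. The check reads the already-lowercased `$type`, so it is consistent with the case-insensitive match on the surrounding `if`. Only the `user` branch is gated here; whether `queue` and `group` searches are covered by rights checks elsewhere is outside this hunk. The blank line inside the `if` body before `$status` looks stray and could be dropped, and the `OUTPUT` label is defined outside the hunk.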
-----------------------------------------------------------------------