- REST:

- Added permissions to POST on im_hours

- REST:
- Added permissions to POST on im_hours
9d0dbf62 · Frank Bergmann · c7778229 · 9d0dbf62 · 9d0dbf62 · 9d0dbf62
Commit 9d0dbf62 authored Oct 03, 2016 by Frank Bergmann
Showing with 15 additions and 14 deletions

intranet-rest-get-procs.tcl tcl/intranet-rest-get-procs.tcl +4 -7

intranet-rest-post-procs.tcl tcl/intranet-rest-post-procs.tcl +8 -4

intranet-rest-util-procs.tcl tcl/intranet-rest-util-procs.tcl +3 -3

No files found.
--- a/tcl/intranet-rest-get-procs.tcl
+++ b/tcl/intranet-rest-get-procs.tcl
@@ -934,16 +934,13 @@ ad_proc -private im_rest_get_im_dynfield_attributes {
 		aa.object_type||'.'||aa.attribute_name as rest_object_name,
 		da.attribute_id as rest_oid,
 		da.*,
-		aa.*,
-		o.*
+		aa.*
 	from	im_dynfield_attributes da,
-		acs_attributes aa,
-		acs_objects o
-	where	da.acs_attribute_id = aa.attribute_id and
-		da.attribute_id = o.object_id
+		acs_attributes aa
+	where	da.acs_attribute_id = aa.attribute_id
 		$where_clause
 	order by
-		o.object_type, 
+		aa.object_type, 
 		aa.attribute_name
    "


--- a/tcl/intranet-rest-post-procs.tcl
+++ b/tcl/intranet-rest-post-procs.tcl
@@ -116,20 +116,24 @@ ad_proc -private im_rest_post_object {
    set content [im_rest_get_content]
    ns_log Notice "im_rest_post_object: content='$content'"

-    # Permissions for the object type
+    # Check the REST level permissions on the object type
    set rest_otype_id [util_memoize [list db_string otype_id "select object_type_id from im_rest_object_types where object_type = '$rest_otype'" -default 0]]
-    set read_p [im_object_permission -object_id $rest_otype_id -user_id $rest_user_id -privilege "read"]
-    if {!$read_p} {
-	im_rest_error -format $format -http_status 403 -message "User #$rest_user_id has no read permission on object #$rest_otype_id (im_hour_interval object type)"
+    set write_p [im_object_permission -object_id $rest_otype_id -user_id $rest_user_id -privilege "write"]
+    if {!$write_p} {
+	set msg "User #$rest_user_id has no write permission in general on object type '$rest_otype' - please check your REST permissions"
+	im_rest_error -format $format -http_status 403 -message $msg
 	return
    }

    # Check if there is an object type specific permission checker
    set write_p 0
    if {0 != [llength [info commands ${rest_otype}_permissions]]} {
+	ns_log Notice "im_rest_post_object: found permission proc ${rest_otype}_permissions - evaluating permissions"
 	catch {
 	    eval "${rest_otype}_permissions $rest_user_id $rest_oid view_p read_p write_p admin_p"
 	}
+    } else {
+	ns_log Notice "im_rest_post_object: Did not find permission proc ${rest_otype}_permissions - POST permissions denied"
    }
    if {!$write_p} {
 	im_rest_error -format $format -http_status 403 -message "User #$rest_user_id has no write permission on object #$rest_oid"

--- a/tcl/intranet-rest-util-procs.tcl
+++ b/tcl/intranet-rest-util-procs.tcl
@@ -632,8 +632,7 @@ ad_proc -public im_rest_error {


 ad_proc -public im_rest_get_content {} {
-    There's no [ns_conn content] so this is a hack to get the content of the
-    REST request. 
+    There's no [ns_conn content] so this is a hack to get the content of the REST request. 
    @return string - the request
    @author Dave Bauer
 } {
@@ -656,7 +655,8 @@ ad_proc -public im_rest_get_content {} {
        append text [read $fp]
    }
    close $fp
-    ns_unlink $filename
+    file delete $filename
+    # ns_unlink $filename     #; deprecated
    return $text
 }