Commit
ae334f21
authored
Jul 08, 2011
by
Frank Bergmann
- Core + REST:
Fixed and updated permission checking for users. Disadvantage: It's quite slow...
parent
ed17086c
Showing
1 changed file
with
16 additions
and
15 deletions
+16
-15
intranet-rest-procs.tcl
tcl/intranet-rest-procs.tcl
+16
-15
tcl/intranet-rest-procs.tcl
...
...
@@ -790,7 +790,8 @@ ad_proc -private im_rest_get_object_type {
Handler for GET rest calls on a whole object type -
mapped to queries on the specified object type
}
{
ns_log Notice
"im_rest_get_object_type: format=
$format
, user_id=
$user
_id, rest_otype=
$rest
_otype, rest_oid=
$rest
_oid, query_hash=
$query
_hash_pairs"
set current_user_id
$user
_id
ns_log Notice
"im_rest_get_object_type: format=
$format
, user_id=
$current
_user_id, rest_otype=
$rest
_otype, rest_oid=
$rest
_oid, query_hash=
$query
_hash_pairs"
array set query_hash
$query
_hash_pairs
set rest_otype_id
[
util_memoize
[
list
db_string otype_id
"select object_type_id from im_rest_object_types where object_type = '
$rest
_otype'"
-default 0
]]
...
...
@@ -810,7 +811,7 @@ ad_proc -private im_rest_get_object_type {
# -------------------------------------------------------
# Check for generic permissions to read all objects of this type
set rest_otype_read_all_p
[
im_object_permission -object_id
$rest
_otype_id -user_id
$user
_id -privilege
"read"
]
set rest_otype_read_all_p
[
im_object_permission -object_id
$rest
_otype_id -user_id
$
current
_
user_id -privilege
"read"
]
# Deny completely access to the object type?
set rest_otype_read_none_p 0
...
...
@@ -819,17 +820,17 @@ ad_proc -private im_rest_get_object_type {
# There are
"view_xxx_all"
permissions allowing a user to see all objects:
switch
$rest
_otype
{
bt_bug
{
}
im_company
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_companies_all"
]
}
im_cost
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_finance"
]
}
im_conf_item
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_conf_items_all"
]
}
im_invoices
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_finance"
]
}
im_project
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_projects_all"
]
}
im_user_absence
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_absences_all"
]
}
im_office
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_offices_all"
]
}
im_ticket
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_tickets_all"
]
}
im_timesheet_task
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_timesheet_tasks_all"
]
}
im_timesheet_invoices
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_finance"
]
}
im_trans_invoices
{
set rest_otype_read_all_p
[
im_permission
$user
_id
"view_finance"
]
}
im_company
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_companies_all"
]
}
im_cost
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_finance"
]
}
im_conf_item
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_conf_items_all"
]
}
im_invoices
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_finance"
]
}
im_project
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_projects_all"
]
}
im_user_absence
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_absences_all"
]
}
im_office
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_offices_all"
]
}
im_ticket
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_tickets_all"
]
}
im_timesheet_task
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_timesheet_tasks_all"
]
}
im_timesheet_invoices
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_finance"
]
}
im_trans_invoices
{
set rest_otype_read_all_p
[
im_permission
$
current
_
user_id
"view_finance"
]
}
im_translation_task
{
}
user
{
}
default
{
...
...
@@ -874,7 +875,7 @@ ad_proc -private im_rest_get_object_type {
}
file_storage_object
{
# file storage object needs additional security
lappend where_clause_unchecked_list
"'t' = acs_permission__permission_p(o.object_id,
$user
_id, 'read')"
lappend where_clause_unchecked_list
"'t' = acs_permission__permission_p(o.object_id,
$
current
_
user_id, 'read')"
}
}
...
...
@@ -940,7 +941,7 @@ ad_proc -private im_rest_get_object_type {
if
{
!$read_p
}
{
# This is one of the
"custom"
object types - check the permission:
# This may be quite slow checking 100.000 objects one-by-one...
eval
"
${rest_otype}
_permissions
$user
_id
$rest
_oid view_p read_p write_p admin_p"
eval
"
${rest_otype}
_permissions
$
current
_
user_id
$rest
_oid view_p read_p write_p admin_p"
}
if
{
!$read_p
}
{
continue
}
...
...