Updated boolean checks in API permissions calls
marcink -
r3898:c9f5a397 beta
@@ -116,7 +116,7 b' def get_repo_or_error(repoid):'
116 """
116 """
117 Get repo by id or name or return JsonRPCError if not found
117 Get repo by id or name or return JsonRPCError if not found
118
118
119 :param userid:
119 :param repoid:
120 """
120 """
121 repo = RepoModel().get_repo(repoid)
121 repo = RepoModel().get_repo(repoid)
122 if repo is None:
122 if repo is None:
@@ -215,7 +215,7 b' class ApiController(JSONRPCController):'
215 :param repoid:
215 :param repoid:
216 """
216 """
217 repo = get_repo_or_error(repoid)
217 repo = get_repo_or_error(repoid)
218 if HasPermissionAnyApi('hg.admin')(user=apiuser) is False:
218 if not HasPermissionAnyApi('hg.admin')(user=apiuser):
219 # check if we have admin permission for this repo !
219 # check if we have admin permission for this repo !
220 if HasRepoPermissionAnyApi('repository.admin',
220 if HasRepoPermissionAnyApi('repository.admin',
221 'repository.write')(user=apiuser,
221 'repository.write')(user=apiuser,
@@ -231,6 +231,7 b' class ApiController(JSONRPCController):'
231 'Error occurred during cache invalidation action'
231 'Error occurred during cache invalidation action'
232 )
232 )
233
233
234 # permission check inside
234 def lock(self, apiuser, repoid, locked=Optional(None),
235 def lock(self, apiuser, repoid, locked=Optional(None),
235 userid=Optional(OAttr('apiuser'))):
236 userid=Optional(OAttr('apiuser'))):
236 """
237 """
@@ -323,9 +324,8 b' class ApiController(JSONRPCController):'
323 :param apiuser:
324 :param apiuser:
324 :param userid:
325 :param userid:
325 """
326 """
326 if HasPermissionAnyApi('hg.admin')(user=apiuser):
327
327 pass
328 if not HasPermissionAnyApi('hg.admin')(user=apiuser):
328 else:
329 #make sure normal user does not pass someone else userid,
329 #make sure normal user does not pass someone else userid,
330 #he is not allowed to do that
330 #he is not allowed to do that
331 if not isinstance(userid, Optional) and userid != apiuser.user_id:
331 if not isinstance(userid, Optional) and userid != apiuser.user_id:
@@ -375,7 +375,7 b' class ApiController(JSONRPCController):'
375 :param apiuser:
375 :param apiuser:
376 :param userid:
376 :param userid:
377 """
377 """
378 if HasPermissionAnyApi('hg.admin')(user=apiuser) is False:
378 if not HasPermissionAnyApi('hg.admin')(user=apiuser):
379 #make sure normal user does not pass someone else userid,
379 #make sure normal user does not pass someone else userid,
380 #he is not allowed to do that
380 #he is not allowed to do that
381 if not isinstance(userid, Optional) and userid != apiuser.user_id:
381 if not isinstance(userid, Optional) and userid != apiuser.user_id:
@@ -669,10 +669,10 b' class ApiController(JSONRPCController):'
669 """
669 """
670 repo = get_repo_or_error(repoid)
670 repo = get_repo_or_error(repoid)
671
671
672 if HasPermissionAnyApi('hg.admin')(user=apiuser) is False:
672 if not HasPermissionAnyApi('hg.admin')(user=apiuser):
673 # check if we have admin permission for this repo !
673 # check if we have admin permission for this repo !
674 if HasRepoPermissionAnyApi('repository.admin')(user=apiuser,
674 if not HasRepoPermissionAnyApi('repository.admin')(user=apiuser,
675 repo_name=repo.repo_name) is False:
675 repo_name=repo.repo_name):
676 raise JSONRPCError('repository `%s` does not exist' % (repoid))
676 raise JSONRPCError('repository `%s` does not exist' % (repoid))
677
677
678 members = []
678 members = []
@@ -701,6 +701,7 b' class ApiController(JSONRPCController):'
701 data['followers'] = followers
701 data['followers'] = followers
702 return data
702 return data
703
703
704 # permission check inside
704 def get_repos(self, apiuser):
705 def get_repos(self, apiuser):
705 """"
706 """"
706 Get all repositories
707 Get all repositories
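Review bot: The nested repository-permission check that opens at new line 220 (`if HasRepoPermissionAnyApi('repository.admin',` … `'repository.write')(user=apiuser,`) is not touched by this commit, and its closing line falls outside the hunk. If that line still ends in `repo_name=repo.repo_name) is False:`, the branch denies only on an exact `False`, so any other falsy result from the checker (for example `None`) would skip the `raise` and let the call proceed. The same pattern at new lines 674-675 was converted to `if not HasRepoPermissionAnyApi(...)(...)`, so this site should match it: `if not HasRepoPermissionAnyApi('repository.admin', 'repository.write')(user=apiuser, repo_name=repo.repo_name):`. The enclosing method starts and ends outside the hunk, so this needs confirming against the full file.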