raw | patch | inline | side by side (parent: fdf717d)
author | schlatterbeck <schlatterbeck@57a73879-2fb5-44c3-a270-3262357dd7e2> | |
Fri, 29 Oct 2010 10:41:39 +0000 (10:41 +0000) | ||
committer | schlatterbeck <schlatterbeck@57a73879-2fb5-44c3-a270-3262357dd7e2> | |
Fri, 29 Oct 2010 10:41:39 +0000 (10:41 +0000) |
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4558 57a73879-2fb5-44c3-a270-3262357dd7e2
CHANGES.txt | patch | blob | history | |
doc/xmlrpc.txt | patch | blob | history | |
roundup/xmlrpc.py | patch | blob | history |
diff --git a/CHANGES.txt b/CHANGES.txt
index 5cd7a38847532617f90a90832e5df082ac8f2e65..37d98928d8e1526940b7669e3e58aa69017d82c7 100644 (file)
--- a/CHANGES.txt
+++ b/CHANGES.txt
Features:
- Add explicit "Search" permissions, see Security Fix below.
+- Add "lookup" method to xmlrpc interface (Ralf Schlatterbeck)
Fixed:
diff --git a/doc/xmlrpc.txt b/doc/xmlrpc.txt
index c054715d5cd1158d8fea21e76418a422cbaa784e..e0353726737eae3f960e1e6acda5fab771c56f9c 100644 (file)
--- a/doc/xmlrpc.txt
+++ b/doc/xmlrpc.txt
``designator``. The new values are specified in ``arg_1`` through
``arg_N``. The arguments are name=value pairs (e.g. ``status='3'``).
+lookup arguments: *classname, key_value*
+
+ looks up the key_value for the given class. The class needs to
+ have a key and the user needs search permission on the key
+ attribute and id for the given classname.
+
filter arguments: *classname, list or None, attributes*
list can be None (requires ``allow_none=True`` when
[]
>>> roundup_server.filter('user',[],{'username':'adm'})
[]
+ >>> roundup_server.lookup('user','admin')
+ '1'
diff --git a/roundup/xmlrpc.py b/roundup/xmlrpc.py
index 9dda5f8aae55899b2f717baa7d8c0af6e704cff0..0b85ab9d07e59347ee772105f8050f689d3227ef 100644 (file)
--- a/roundup/xmlrpc.py
+++ b/roundup/xmlrpc.py
x = [id for id in result if check('View', uid, classname, itemid=id)]
return x
+ def lookup(self, classname, key):
+ cl = self.db.getclass(classname)
+ uid = self.db.getuid()
+ prop = cl.getkey()
+ check = self.db.security.hasSearchPermission
+ if not check(uid, classname, 'id') or not check(uid, classname, prop):
+ raise Unauthorised('Permission to search %s denied'%classname)
+ return cl.lookup(key)
+
def display(self, designator, *properties):
classname, itemid = hyperdb.splitDesignator(designator)
cl = self.db.getclass(classname)
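Review bot: The new `lookup` returns the id from `cl.lookup(key)` without a per-item `View` check, whereas the `filter` context line just above it (`x = [id for id in result if check('View', uid, classname, itemid=id)]`) drops ids the caller may not view; only the tail of `filter` is visible in this hunk. With Search permission on `id` and the key property alone, a caller can confirm that a key value such as a username exists and learn its id even when the item is not viewable to them. If that is not intended, assign `itemid = cl.lookup(key)` and raise `Unauthorised` unless `self.db.security.hasPermission('View', uid, classname, itemid=itemid)` holds. Separately, the result of `cl.getkey()` is used unchecked, so a class without a key property presumably reaches the permission check with an empty `prop` and fails only inside `cl.lookup`; an explicit early error would match the documented requirement that the class has a key. A one-line docstring such as `"""Return the id of the item whose key property equals key; requires Search permission on 'id' and on the key property."""` would record the contract next to the code.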