
[#567] Enable completion endpoint, limit output #568

Merged
merged 4 commits into from

2 participants

@nigelbabu
Owner

Fixes #567

@tryggvib
Owner

I'd like this to be only visible to logged in users. We shouldn't make our user base public "just because".

@tryggvib
Owner

I'd like the fix I mention in commit 0398b21 (restrict access to logged in users) before merging this

nigelbabu added some commits
@nigelbabu nigelbabu Merge branch 'master' into 567-completion-api 61f7ca8
@nigelbabu nigelbabu Add access check and tests for completion
* _complete endpoint only visible to logged in users.
* Tests to verify access check.
* Re-enable skipped tests.
a2cf6a6
@tryggvib
Owner

I vouch for this.

@tryggvib tryggvib merged commit d82f8b5 into master
@tryggvib tryggvib deleted the 567-completion-api branch
Commits on Mar 29, 2013
  1. @nigelbabu
  2. @nigelbabu
Commits on Apr 4, 2013
  1. @nigelbabu
  2. @nigelbabu

    Add access check and tests for completion

    nigelbabu authored
    * _complete endpoint only visible to logged in users.
    * Tests to verify access check.
    * Re-enable skipped tests.
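--- a/openspending/ui/controllers/account.py
+++ b/openspending/ui/controllers/account.py
@@ -112,14 +112,15 @@ def dashboard(self, format='html'):
 def complete(self, format='json'):
 self._disable_cache()
-if not (c.account and c.account.admin):
-response.status = 403
-return to_jsonp({'errors': _("You are not authorized to see that page")})
 parser = DistinctParamParser(request.params)
 params, errors = parser.parse()
 if errors:
 response.status = 400
 return {'errors': errors}
+if not c.account:
+response.status = 403
+return to_jsonp({'errors': _("You are not authorized to see that "
+"page")})
 query = db.session.query(Account)
 filter_string = params.get('q') + '%'
@@ -127,9 +128,12 @@ def complete(self, format='json'):
 Account.fullname.ilike(filter_string)))
 count = query.count()
 query = query.limit(params.get('pagesize'))
-query = query.offset(int((params.get('page') - 1) * params.get('pagesize')))
+query = query.offset(int((params.get('page') - 1) *
+params.get('pagesize')))
+results = [dict(fullname=x.fullname, name=x.name) for x in list(query)]
+
 return to_jsonp({
-'results': list(query),
+'results': results,
 'count': count
 })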
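Review bot: The 403 check is now evaluated only after `DistinctParamParser(request.params)` has parsed the request, so an anonymous caller receives the parser's 400 errors before being told it is unauthorized; moving the `if not c.account:` block up to directly after `self._disable_cache()` rejects unauthenticated requests before any input is interpreted. The two error paths also differ in shape: the 400 branch returns a bare `{'errors': errors}` while the 403 branch goes through `to_jsonp`, so clients see different envelopes depending on which check fails. Since the response is built by `to_jsonp`, it is worth confirming whether the endpoint honours a callback parameter — if it does, the session check alone will not keep the account list private, because a JSONP response is readable by any origin that can make the browser send the session cookie. In the second hunk `int((params.get('page') - 1) * params.get('pagesize'))` goes negative for page 0 unless the parser already enforces page >= 1, which is not visible here. The body of complete continues between and beyond the hunks.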
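--- a/openspending/ui/test/functional/test_account.py
+++ b/openspending/ui/test/functional/test_account.py
@@ -65,23 +65,30 @@ def test_reset_get(self):
 email=account.email))
 assert '/settings' in response.headers['location'], response.headers
+def test_completion_access_check(self):
+response = self.app.get(url(controller='account', action='complete'),
+expect_errors=True)
+obj = json.loads(response.body)
+assert u'You are not authorized to see that page' == obj['errors']
+
 def test_distinct_json(self):
-from nose.plugins.skip import SkipTest
-raise SkipTest
-h.make_account()
+test = h.make_account()
 response = self.app.get(url(controller='account', action='complete'),
-params={})
+extra_environ={'REMOTE_USER': str(test.name)})
 obj = json.loads(response.body)['results']
+assert obj[0].keys() == [u'fullname', u'name']
 assert len(obj) == 1, obj
 assert obj[0]['name'] == 'test', obj[0]
 response = self.app.get(url(controller='account', action='complete'),
-params={'q': 'tes'})
+params={'q': 'tes'},
+extra_environ={'REMOTE_USER': str(test.name)})
 obj = json.loads(response.body)['results']
 assert len(obj) == 1, obj
 response = self.app.get(url(controller='account', action='complete'),
-params={'q': 'foo'})
+params={'q': 'foo'},
+extra_environ={'REMOTE_USER': str(test.name)})
 obj = json.loads(response.body)['results']
 assert len(obj) == 0, obj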
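Review bot: `assert obj[0].keys() == [u'fullname', u'name']` in test_distinct_json depends on the key order of a dict produced by `json.loads`, which is not guaranteed, so the test can pass or fail by luck; compare order-independently with `assert sorted(obj[0].keys()) == [u'fullname', u'name']`. test_completion_access_check checks only the error message and not the status, so a regression that returned the same message with a 200 would still pass; adding `assert response.status_int == 403` after the get pins the access check itself (assuming the webtest response object implied by `expect_errors=True`). A one-line docstring on test_completion_access_check stating that anonymous requests to the complete action must be rejected would make its intent clear to later readers. test_reset_get's body begins outside the hunk.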