Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix PUT behavior with User-Restricted Resource Access #1130

Merged
merged 2 commits into from
Apr 3, 2018
Merged

Fix PUT behavior with User-Restricted Resource Access #1130

merged 2 commits into from
Apr 3, 2018

Conversation

lmoretto
Copy link
Contributor

This PR fixes the behavior of PUT requests when User-Restricted Resource Access is enabled.

More in particular it ensures that, under every circumstance, users are unable to overwrite items owned by other users.

nicolaiarocci
nicolaiarocci requested changes Apr 3, 2018
View reviewed changes
eve/io/base.py
auth_field,
request_auth_value)
)
desc = 'Incompatible User-Restricted Resource ' \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this might disclose a little too much info to the client. Yes, the desc field is only emitted in debug mode, but you never know someone might leave debug on by mistake.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The description string was already present, I didn't change it. I simply restructured this piece of code to fix a Flake8 line too long error. Do you want me to change the description anyway? What should I write?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you are right, it was there already. Let us obfuscate it a little bit, maybe by simply returning the first part of the message (drop the "request was for but xx was excpected")

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done ;)

@nicolaiarocci nicolaiarocci added this to the 0.8 milestone Apr 3, 2018
@nicolaiarocci nicolaiarocci merged commit 4ceac4d into pyeve:master Apr 3, 2018
nicolaiarocci added a commit that referenced this pull request Apr 3, 2018
@nicolaiarocci
Changelog for #1130
4d03256
@lmoretto lmoretto deleted the fix_user_restricted_PUT branch April 3, 2018 15:06
lexhung added a commit to lexhung/eve that referenced this pull request Dec 12, 2018
@lexhung
Merge remote-tracking branch 'upstream/master' into current-develop
f1431ea 
* upstream/master: (32 commits)
  Get rid of unwanted .vscode folder
  Add support for mongo $box geo query operator
  Marsch Huynh
  Improve partial downloads documentation
  Changelog for pyeve#1050
  Test coverage for pyeve#1050
  A little refactoring (DRY). Addresses pyeve#1050.
  fix: media endpoint
  Support partial request for media resource
  Officially deprecate Python 2.6
  Changelog for pyeve#1130
  Reduced error description details
  Fix PUT behavior with User-Restricted Resource Access
  flake8
  typo
  Hung Le
  Changelog for pyeve#1095.
  Regression test for PR pyeve#1095.
  Oplog skipped even if confg.OPLOG=True
  DHuan
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolaiarocci nicolaiarocci nicolaiarocci approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.8
Development

Successfully merging this pull request may close these issues.
2 participants
@lmoretto @nicolaiarocci