
Fix PUT behavior with User-Restricted Resource Access #1130

Merged
merged 2 commits into from Apr 3, 2018

@lmoretto
Contributor

lmoretto commented Mar 30, 2018

This PR fixes the behavior of PUT requests when User-Restricted Resource Access is enabled.

More specifically, it ensures that, under all circumstances, users are unable to overwrite items owned by other users.

auth_field,
request_auth_value)
)
desc = 'Incompatible User-Restricted Resource ' \
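
Review bot: at `desc = 'Incompatible User-Restricted Resource ' \` the message is assembled with a backslash continuation, which becomes a syntax error as soon as any whitespace follows the `\`; wrapping the string parts in parentheses gives the same line-length fix without that hazard. If the continued part interpolates `auth_field` or `request_auth_value` (passed just above), keep those values out of the text returned to the client and write them to the server log instead.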

nicolaiarocci Apr 3, 2018

Member

This might disclose a little too much info to the client. Yes, the desc field is only emitted in debug mode, but you never know, someone might leave debug on by mistake.

lmoretto Apr 3, 2018

Author Contributor

The description string was already present, I didn't change it. I simply restructured this piece of code to fix a Flake8 line too long error. Do you want me to change the description anyway? What should I write?

nicolaiarocci Apr 3, 2018

Member

Yes, you are right, it was there already. Let us obfuscate it a little bit, maybe by simply returning the first part of the message (drop the "request was for but xx was expected").

lmoretto Apr 3, 2018

Author Contributor

done ;)
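
The ownership check and the reduced error description discussed in this thread, as an added example (not code from this PR or from Eve): a hypothetical `put_item` helper over an in-memory dict that refuses to replace another user's item and keeps owner values out of the client-facing description. The `auth_field` and `request_auth_value` names come from the snippet above; the store, response shape, status codes and message text are assumptions.

```python
import logging

log = logging.getLogger("urra_example")  # hypothetical logger name


def put_item(store, item_id, payload, auth_field, request_auth_value, debug=False):
    """Replace store[item_id] on behalf of request_auth_value.

    Returns (http_status, body). Hypothetical helper, not Eve's API.
    """
    def deny(status, detail):
        # Who owns what goes to the server log only. The client gets a
        # fixed string, and only when debug is on.
        log.warning("PUT %s denied: %s", item_id, detail)
        body = {"status": "ERR"}
        if debug:
            body["desc"] = "ownership mismatch"  # constructed text, no ids
        return status, body

    existing = store.get(item_id)
    # 1. A stored item must belong to the caller. An item with no owner
    #    field at all is also refused (fail closed).
    if existing is not None and existing.get(auth_field) != request_auth_value:
        return deny(403, "owner=%r caller=%r"
                    % (existing.get(auth_field), request_auth_value))
    # 2. The payload must not claim a different owner than the caller.
    claimed = payload.get(auth_field, request_auth_value)
    if claimed != request_auth_value:
        return deny(400, "payload claims %r, caller is %r"
                    % (claimed, request_auth_value))
    # 3. PUT replaces the whole document, so the owner field is stamped
    #    again rather than carried over from the old copy.
    doc = dict(payload)
    doc[auth_field] = request_auth_value
    store[item_id] = doc
    return (200 if existing is not None else 201), {"status": "OK"}


if __name__ == "__main__":
    # Constructed sample data.
    store = {"1": {"title": "alice's note", "user_id": "alice"}}
    print(put_item(store, "1", {"title": "pwned"}, "user_id", "bob", debug=True))
    print(put_item(store, "1", {"title": "edited"}, "user_id", "alice"))
    print(store)
```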

@nicolaiarocci nicolaiarocci added this to the 0.8 milestone Apr 3, 2018

@nicolaiarocci nicolaiarocci merged commit 4ceac4d into pyeve:master Apr 3, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

nicolaiarocci added a commit that referenced this pull request Apr 3, 2018

@lmoretto lmoretto deleted the lmoretto:fix_user_restricted_PUT branch Apr 3, 2018

lexhung added a commit to lexhung/eve that referenced this pull request Dec 12, 2018

Merge remote-tracking branch 'upstream/master' into current-develop
* upstream/master: (32 commits)
  Get rid of unwanted .vscode folder
  Add support for mongo $box geo query operator
  Marsch Huynh
  Improve partial downloads documentation
  Changelog for pyeve#1050
  Test coverage for pyeve#1050
  A little refactoring (DRY). Addresses pyeve#1050.
  fix: media endpoint
  Support partial request for media resource
  Officially deprecate Python 2.6
  Changelog for pyeve#1130
  Reduced error description details
  Fix PUT behavior with User-Restricted Resource Access
  flake8
  typo
  Hung Le
  Changelog for pyeve#1095.
  Regression test for PR pyeve#1095.
  Oplog skipped even if confg.OPLOG=True
  DHuan
  ...