Fix PUT behavior with User-Restricted Resource Access #1130

Merged
merged 2 commits into from Apr 3, 2018

@lmoretto (Contributor) commented Mar 30, 2018

This PR fixes the behavior of PUT requests when User-Restricted Resource Access is enabled.

More specifically, it ensures that, under every circumstance, users are unable to overwrite items owned by other users.

auth_field,
request_auth_value)
)
desc = 'Incompatible User-Restricted Resource ' \

@nicolaiarocci (Member) commented Apr 3, 2018

This might disclose a little too much info to the client. Yes, the desc field is only emitted in debug mode, but you never know, someone might leave debug on by mistake.

@lmoretto (Contributor, Author) commented Apr 3, 2018

The description string was already present, I didn't change it. I simply restructured this piece of code to fix a Flake8 line too long error. Do you want me to change the description anyway? What should I write?

@nicolaiarocci (Member) commented Apr 3, 2018

Yes, you are right, it was there already. Let us obfuscate it a little bit, maybe by simply returning the first part of the message (drop the "request was for but xx was expected").

@lmoretto (Contributor, Author) commented Apr 3, 2018

done ;)
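
An added illustration of the two points in this thread, not code from Eve or from this PR: a PUT handler over an in-memory store that refuses to replace an item owned by another user, with a debug-only error description that leaves out the owner and caller values. The names `put_item`, `error_body`, `AUTH_FIELD`, the `verbose` switch and the create-on-missing behaviour are assumptions made for the example.

```python
AUTH_FIELD = "user_id"  # assumed name of the field that stores the item owner


def error_body(debug, owner, caller, verbose=False):
    """Build the 403 body; the description is attached only in debug mode."""
    body = {"code": 403, "message": "Forbidden"}
    if debug:
        desc = "Request is not compatible with user-restricted access."
        if verbose:
            # The kind of detail the review asked to drop: it tells the
            # client who owns the item it was not allowed to touch.
            desc += " Item owner is %r, request came from %r." % (owner, caller)
        body["desc"] = desc
    return body


def put_item(store, item_id, payload, caller, debug=False, verbose=False):
    """Replace store[item_id] with payload on behalf of the authenticated caller.

    Returns (status, body). The store is a plain dict (constructed stand-in
    for a database collection).
    """
    existing = store.get(item_id)
    if existing is not None and existing.get(AUTH_FIELD) != caller:
        # Check the stored owner, not the payload: a payload that names the
        # caller as owner must not be enough to replace someone else's item.
        return 403, error_body(debug, existing.get(AUTH_FIELD), caller, verbose)
    claimed = payload.get(AUTH_FIELD, caller)
    if claimed != caller:
        # The caller may not hand the item to, or create it for, another user.
        return 403, error_body(debug, claimed, caller, verbose)
    doc = dict(payload)
    doc[AUTH_FIELD] = caller  # owner always comes from authentication
    store[item_id] = doc      # full replacement, as PUT implies
    return (200 if existing is not None else 201), doc


if __name__ == "__main__":
    # Constructed sample data
    store = {"1": {"title": "alice's note", AUTH_FIELD: "alice"}}
    print(put_item(store, "1", {"title": "x", AUTH_FIELD: "bob"}, "bob", debug=True))
    print(put_item(store, "1", {"title": "y"}, "alice"))
    print(store)
```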


@nicolaiarocci nicolaiarocci added this to the 0.8 milestone Apr 3, 2018
@nicolaiarocci nicolaiarocci merged commit 4ceac4d into pyeve:master Apr 3, 2018
1 check passed
nicolaiarocci added a commit that referenced this issue Apr 3, 2018
@lmoretto lmoretto deleted the fix_user_restricted_PUT branch Apr 3, 2018
lexhung added a commit to lexhung/eve that referenced this issue Dec 12, 2018
* upstream/master: (32 commits)
  Get rid of unwanted .vscode folder
  Add support for mongo $box geo query operator
  Marsch Huynh
  Improve partial downloads documentation
  Changelog for pyeve#1050
  Test coverage for pyeve#1050
  A little refactoring (DRY). Addresses pyeve#1050.
  fix: media endpoint
  Support partial request for media resource
  Officially deprecate Python 2.6
  Changelog for pyeve#1130
  Reduced error description details
  Fix PUT behavior with User-Restricted Resource Access
  flake8
  typo
  Hung Le
  Changelog for pyeve#1095.
  Regression test for PR pyeve#1095.
  Oplog skipped even if confg.OPLOG=True
  DHuan
  ...