From b6ef96022c0464017ca09892587584b179c31ae7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Wed, 13 Jul 2016 15:09:40 +0200
Subject: [PATCH] Added OPTIONS call to get allowed options on node types

This allows us to check whether a user is allowed to comment on a project without requiring access to the project itself.
---
 pillar/application/modules/projects.py | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/pillar/application/modules/projects.py b/pillar/application/modules/projects.py
index 4b3cb2ec..63c4ea9b 100644
--- a/pillar/application/modules/projects.py
+++ b/pillar/application/modules/projects.py
@@ -5,11 +5,11 @@ import json
 from bson import ObjectId
 from eve.methods.post import post_internal
 from eve.methods.patch import patch_internal
-from flask import g, Blueprint, request, abort, current_app
+from flask import g, Blueprint, request, abort, current_app, make_response
 from gcloud import exceptions as gcs_exceptions
 from werkzeug import exceptions as wz_exceptions
-from application.utils import remove_private_keys, jsonify, mongo
+from application.utils import remove_private_keys, jsonify, mongo, str2id
 from application.utils import authorization, authentication
 from application.utils.gcs import GoogleCloudStorageBucket
 from application.utils.authorization import user_has_role, check_permissions, require_login
@@ -431,6 +431,27 @@ def projects_node_type_has_method(response):
     project_node_type_has_method(project)
 
 
+@blueprint.route('//', methods=['OPTIONS', 'GET'])
+def get_allowed_methods(project_id=None, node_type=None):
+    """Returns allowed methods to create a node of a certain type.
+
+    Either project_id or parent_node_id must be given. If the latter is given,
+    the former is deducted from it.
+    """
+
+    log.debug('OPTIONS call on project_id=%s / node_type=%s', project_id, node_type)
+
+    project = mongo.find_one_or_404('projects', str2id(project_id))
+    proj_methods = authorization.compute_allowed_methods('projects', project, node_type)
+
+    resp = make_response()
+    resp.headers['Allowed'] = ', '.join(sorted(proj_methods))
+    log.debug(' -> Allowed: %s', resp.headers['Allowed'])
+    resp.status_code = 204
+
+    return resp
+
+
 def setup_app(app, url_prefix):
     app.on_replace_projects += override_is_private_field
     app.on_replace_projects += before_edit_check_permissions
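Review bot: The response header is spelled `Allowed`, but the header an OPTIONS response carries in HTTP is `Allow`, so generic clients and proxies that look at the standard header will not see this value; `resp.headers['Allow'] = ', '.join(sorted(proj_methods))` (keeping `Allowed` as well if a client already depends on it). The docstring says `parent_node_id` may be given instead of `project_id`, yet the signature only has `project_id` and `node_type` and the body always resolves `str2id(project_id)`, so either that parameter and its fallback are missing or the second docstring paragraph should be dropped. The route carries no `require_login`, which matches the commit message, but it also means any caller can tell an existing project id (204) from a missing one (404) regardless of their permissions — if that is acceptable, a short comment stating that the endpoint is deliberately unauthenticated and relies on `compute_allowed_methods` for per-user filtering would save the next reader from re-deriving it. Registering `GET` on a handler that always answers 204 with an empty body looks accidental; if GET is meant for browsers, returning the method list as JSON would be more useful. The route rule reads as `'//'` here, presumably because its converter placeholders were stripped when the patch was rendered.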