For debugging, we keep expired tokens around for a few days, so that we
can determine that a token was expired rather than not created in the
first place. It also grants some leeway in clock synchronisation.
Before this, if there was any project returned by a query on /projects
that the user did not have access to, a 403 would be returned. Now we
just don't include that project in the result.
For unauthenticated/non-subscriber users, image file documents retain
their variations. All other documents have ther variations stripped.
Also the links + expiry info to the original file are removed for all
file types.
Instead of the additional 'is_private' field, we now just use
the permission system and set/remove world GET permissions.
'is_private' is still kept for backward compatibility and possibly
easy querying for public projects, and is always set based on
world GET permissions.
Manage users of a project. In this initial implementation, we handle
addition and removal of a user to the admin group of a project. No
changes are done on the project itself.
Anonymous users can now obtain full_name and email fields from any
user. Authenticated users can also obtain those fields from other
users, and all info about themselves.
- Admins can PUT everything
- Users can only PUT themselves
- The 'auth' field is always taken from the original, and never overwritten
by the PUT. It can be missing from the request, so you can GET and then
PUT the same data.
- Nobody can POST or DELETE users
This also updates Cerberus to 0.9.2 and simplejson to 3.8.2.
I've also changed the way we get to the application object, by replacing
from application import app
with
from flask import current_app
Certain fields are limited for subscribers. Also, subscribers are checked
against the project permissions.
Users with the 'admin' role can edit all fields, on any project.
This gives us much more concrete information when a test fails.
Note that this info is generally put into the HTTP response data,
and not logged to any logger.
SCST tokens are now stored in the 'tokens' table.
This unifies old token handling and new subclient-specific tokens.
Also ensures the BlenderID expiry of the token is taken into account.
Removes use of httpretty, in favour of responses.
