kallithea Changeset - a0a8f38e8fb8

Changeset - a0a8f38e8fb8

Parent rev.

Child rev.

[Not reviewed]

beta

0 2 0

Marcin Kuzminski - 13 years ago 2013-01-13 23:11:55
marcin@python-works.com

API method get_user can be executed by non-admin users ref #539

2 files changed with 22 insertions and 14 deletions:

docs/api/api.rst

rhodecode/controllers/api/api.py

0 comments (0 inline, 0 general)

docs/api/api.rst

➞

Show inline comments

@@ @@ -213,23 +213,24 @@ OUTPUT:: @@
 get_user
 --------
 Get's an user by username or user_id, Returns empty result if user is not found.
 If userid param is skipped it is set to id of user who is calling this method.
 This command can be executed only using api_key belonging to user with admin
 rights.
+rights, or regular users which cannot specify userid parameter.
 INPUT::
     id : <id_for_response>
     api_key : "<api_key>"
     method :  "get_user"
     args :    {
                 "userid" : "<username or user_id>"
+                "userid" : "<username or user_id Optional(=apiuser)>"
+              }
 OUTPUT::
     id : <id_given_in_input>
     result: None if user does not exist or
@@ @@ -348,20 +349,20 @@ INPUT:: @@
     id : <id_for_response>
     api_key : "<api_key>"
     method :  "update_user"
     args :    {
                 "userid" : "<user_id or username>",
                 "username" :  "<username> = Optional",
                 "email" :     "<useremail> = Optional",
                 "password" :  "<password> = Optional",
                 "firstname" : "<firstname> = Optional",
                 "lastname" :  "<lastname> = Optional",
                 "active" :    "<bool> = Optional",
                 "admin" :     "<bool> = Optional",
                 "ldap_dn" :   "<ldap_dn> = Optional"
                 "username" :  "<username> = Optional(None)",
                 "email" :     "<useremail> = Optional(None)",
                 "password" :  "<password> = Optional(None)",
                 "firstname" : "<firstname> = Optional(None)",
                 "lastname" :  "<lastname> = Optional(None)",
                 "active" :    "<bool> = Optional(None)",
                 "admin" :     "<bool> = Optional(None)",
                 "ldap_dn" :   "<ldap_dn> = Optional(None)"
+              }
 OUTPUT::
     id : <id_given_in_input>
     result: {

rhodecode/controllers/api/api.py

➞

Show inline comments

@@ @@ -219,13 +219,13 @@ class ApiController(JSONRPCController): @@
         elif HasRepoPermissionAnyApi('repository.admin',
                                      'repository.write')(user=apiuser,
                                                          repo_name=repo.repo_name):
             #make sure normal user does not pass userid, he is not allowed to do that
             if not isinstance(userid, Optional):
                 raise JSONRPCError(
-                    'Only RhodeCode admin can specify `userid` params'
+                    'Only RhodeCode admin can specify `userid` param'
+                )
         else:
             return abort(403)
         if isinstance(userid, Optional):
             userid = apiuser.user_id
         user = get_user_or_error(userid)
@@ @@ -257,20 +257,27 @@ class ApiController(JSONRPCController): @@
         ips = UserIpMap.query().filter(UserIpMap.user == user).all()
         return dict(
             ip_addr_server=self.ip_addr,
             user_ips=ips
+        )
     @HasPermissionAllDecorator('hg.admin')
     def get_user(self, apiuser, userid):
     def get_user(self, apiuser, userid=Optional(OAttr('apiuser'))):
         """"
         Get a user by username
+        Get a user by username, or userid, if userid is given
         :param apiuser:
         :param userid:
         """
         if HasPermissionAnyApi('hg.admin')(user=apiuser):
             pass
         else:
             if not isinstance(userid, Optional):
                 raise JSONRPCError(
                     'Only RhodeCode admin can specify `userid` params'
+                )
             userid = apiuser.user_id
         user = get_user_or_error(userid)
         data = user.get_api_data()
         data['permissions'] = AuthUser(user_id=user.user_id).permissions
         return data

0 comments (0 inline, 0 general)