changeset 3162:a0a8f38e8fb8 beta
API method get_user can be executed by non-admin users ref #539
author | Marcin Kuzminski <marcin@python-works.com> |
date | Sun, 13 Jan 2013 23:11:55 +0100 |
parents | 3563c47e52fd |
children | 28571535dd61 |
files | docs/api/api.rst rhodecode/controllers/api/api.py |
diffstat | 2 files changed, 22 insertions(+), 14 deletions(-) [+] |
--- a/docs/api/api.rst Sun Jan 13 22:55:56 2013 +0100
+++ b/docs/api/api.rst Sun Jan 13 23:11:55 2013 +0100
@@ -216,8 +216,9 @@
 --------
 Get's an user by username or user_id, Returns empty result if user is not found.
+If userid param is skipped it is set to id of user who is calling this method.
 This command can be executed only using api_key belonging to user with admin
-rights.
+rights, or regular users which cannot specify userid parameter.
 INPUT::
@@ -226,7 +227,7 @@
 api_key : "<api_key>"
 method : "get_user"
 args : {
- "userid" : "<username or user_id>"
+ "userid" : "<username or user_id Optional(=apiuser)>"
 }
 OUTPUT::
@@ -351,14 +352,14 @@
 method : "update_user"
 args : {
 "userid" : "<user_id or username>",
- "username" : "<username> = Optional",
- "email" : "<useremail> = Optional",
- "password" : "<password> = Optional",
- "firstname" : "<firstname> = Optional",
- "lastname" : "<lastname> = Optional",
- "active" : "<bool> = Optional",
- "admin" : "<bool> = Optional",
- "ldap_dn" : "<ldap_dn> = Optional"
+ "username" : "<username> = Optional(None)",
+ "email" : "<useremail> = Optional(None)",
+ "password" : "<password> = Optional(None)",
+ "firstname" : "<firstname> = Optional(None)",
+ "lastname" : "<lastname> = Optional(None)",
+ "active" : "<bool> = Optional(None)",
+ "admin" : "<bool> = Optional(None)",
+ "ldap_dn" : "<ldap_dn> = Optional(None)"
 }
 OUTPUT::
--- a/rhodecode/controllers/api/api.py Sun Jan 13 22:55:56 2013 +0100
+++ b/rhodecode/controllers/api/api.py Sun Jan 13 23:11:55 2013 +0100
@@ -222,7 +222,7 @@
 #make sure normal user does not pass userid, he is not allowed to do that
 if not isinstance(userid, Optional):
 raise JSONRPCError(
- 'Only RhodeCode admin can specify `userid` params'
+ 'Only RhodeCode admin can specify `userid` param'
 )
 else:
 return abort(403)
@@ -260,14 +260,21 @@
 user_ips=ips
 )
- @HasPermissionAllDecorator('hg.admin')
- def get_user(self, apiuser, userid):
+ def get_user(self, apiuser, userid=Optional(OAttr('apiuser'))):
 """"
- Get a user by username
+ Get a user by username, or userid, if userid is given
 :param apiuser:
 :param userid:
 """
+ if HasPermissionAnyApi('hg.admin')(user=apiuser):
+ pass
+ else:
+ if not isinstance(userid, Optional):
+ raise JSONRPCError(
+ 'Only RhodeCode admin can specify `userid` params'
+ )
+ userid = apiuser.user_id
 user = get_user_or_error(userid)
 data = user.get_api_data()
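Review bot: The admin path in the new get_user never unwraps the default: when an admin omits userid, `userid` is still `Optional(OAttr('apiuser'))` when it reaches `get_user_or_error(userid)`, because `userid = apiuser.user_id` is only assigned in the else branch — unless the JSON-RPC dispatcher substitutes OAttr defaults before the call, which this hunk does not show. The docs hunk states that a skipped userid falls back to the caller for anyone, so the fallback belongs outside the permission check, as in the rewrite below. The `if ...: pass` / `else:` shape also reads inverted, and the new message says `params` while the first hunk just corrected the update_user message to `param`. get_user continues past the end of the hunk.
```python
    def get_user(self, apiuser, userid=Optional(OAttr('apiuser'))):
        # … unchanged: docstring …
        if not HasPermissionAnyApi('hg.admin')(user=apiuser):
            # a non-admin may not name another user; only the caller's own record
            if not isinstance(userid, Optional):
                raise JSONRPCError(
                    'Only RhodeCode admin can specify `userid` param'
                )
        # the documented fallback applies to admins and non-admins alike
        if isinstance(userid, Optional):
            userid = apiuser.user_id
        # … unchanged: get_user_or_error call and the rest of the body …
```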