author | Marcin Kuzminski <marcin@python-works.com> | 2013-01-13 23:11:55 +0100 |
---|---|---|
committer | Marcin Kuzminski <marcin@python-works.com> | 2013-01-13 23:11:55 +0100 |
commit | 411ca69291ea9c2466fa4ec83bfe1223c9da0890 (patch) | |
tree | a4015f1bc319503c8ec1e2a90ed3394f21c36a10 | |
parent | 445b01322399b3fc78587bf2078dad70559c0556 (diff) |
API method get_user can be executed by non-admin users ref #539
--HG--
branch : beta
-rw-r--r-- | docs/api/api.rst | 21 | ||||
-rw-r--r-- | rhodecode/controllers/api/api.py | 15 |
2 files changed, 22 insertions, 14 deletions
diff --git a/docs/api/api.rst b/docs/api/api.rst
index d597a698..2718a11c 100644
--- a/docs/api/api.rst
+++ b/docs/api/api.rst
@@ -216,8 +216,9 @@ get_user
 --------
 Get's an user by username or user_id, Returns empty result if user is not found.
+If userid param is skipped it is set to id of user who is calling this method.
 This command can be executed only using api_key belonging to user with admin
-rights.
+rights, or regular users which cannot specify userid parameter.
 INPUT::
@@ -226,7 +227,7 @@ INPUT::
 api_key : "<api_key>"
 method : "get_user"
 args : {
- "userid" : "<username or user_id>"
+ "userid" : "<username or user_id Optional(=apiuser)>"
 }
 OUTPUT::
@@ -351,14 +352,14 @@ INPUT::
 method : "update_user"
 args : {
 "userid" : "<user_id or username>",
- "username" : "<username> = Optional",
- "email" : "<useremail> = Optional",
- "password" : "<password> = Optional",
- "firstname" : "<firstname> = Optional",
- "lastname" : "<lastname> = Optional",
- "active" : "<bool> = Optional",
- "admin" : "<bool> = Optional",
- "ldap_dn" : "<ldap_dn> = Optional"
+ "username" : "<username> = Optional(None)",
+ "email" : "<useremail> = Optional(None)",
+ "password" : "<password> = Optional(None)",
+ "firstname" : "<firstname> = Optional(None)",
+ "lastname" : "<lastname> = Optional(None)",
+ "active" : "<bool> = Optional(None)",
+ "admin" : "<bool> = Optional(None)",
+ "ldap_dn" : "<ldap_dn> = Optional(None)"
 }
 OUTPUT::
diff --git a/rhodecode/controllers/api/api.py b/rhodecode/controllers/api/api.py
index e4170b62..9786302b 100644
--- a/rhodecode/controllers/api/api.py
+++ b/rhodecode/controllers/api/api.py
@@ -222,7 +222,7 @@ class ApiController(JSONRPCController):
 #make sure normal user does not pass userid, he is not allowed to do that
 if not isinstance(userid, Optional):
 raise JSONRPCError(
- 'Only RhodeCode admin can specify `userid` params'
+ 'Only RhodeCode admin can specify `userid` param'
 )
 else:
 return abort(403)
@@ -260,14 +260,21 @@ class ApiController(JSONRPCController):
 user_ips=ips
 )
- @HasPermissionAllDecorator('hg.admin')
- def get_user(self, apiuser, userid):
+ def get_user(self, apiuser, userid=Optional(OAttr('apiuser'))):
 """"
- Get a user by username
+ Get a user by username, or userid, if userid is given
 :param apiuser:
 :param userid:
 """
+ if HasPermissionAnyApi('hg.admin')(user=apiuser):
+ pass
+ else:
+ if not isinstance(userid, Optional):
+ raise JSONRPCError(
+ 'Only RhodeCode admin can specify `userid` params'
+ )
+ userid = apiuser.user_id
 user = get_user_or_error(userid)
 data = user.get_api_data()
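Review bot: When an admin calls get_user without `userid`, the new code leaves `userid` as the `Optional(OAttr('apiuser'))` default object and passes that wrapper straight to `get_user_or_error(userid)` — only the non-admin branch substitutes `apiuser.user_id`, so the admin-without-argument path presumably fails unless get_user_or_error unwraps Optional itself. The substitution belongs on both paths: replace the last added line with an un-nested `if isinstance(userid, Optional):` / `    userid = apiuser.user_id` placed directly before `user = get_user_or_error(userid)`. The `if …: pass` / `else:` shape reads more clearly inverted as `if not HasPermissionAnyApi('hg.admin')(user=apiuser):` with the non-admin check as its body; the restriction itself is sound, since a JSON-RPC caller cannot produce an Optional instance and so can only reach the self-lookup path. The error string added here still says `` `userid` params `` while the earlier hunk at -222 corrects the same message to `param`; the two should agree. get_user's body continues past the end of the hunk.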