diff options
| author | Bharat Mediratta <bharat@menalto.com> | 2010-04-04 11:55:54 -0700 |
|---|---|---|
| committer | Bharat Mediratta <bharat@menalto.com> | 2010-04-04 11:55:54 -0700 |
| commit | 5679e30ef6c68272cce295bd593bc23c9ec1e1b3 (patch) | |
| tree | 8c2b5f9ed61aca0b2ad16478b9ee605a9398757d /modules/tag/helpers | |
| parent | 4e450b5a9664d2a24b74050f7b410cd581fc41cb (diff) | |
REST changes: Allow PUT and POST requests to modify members, not
just entity.
TESTS ARE NOT UPDATED YET.
- Fix item_rest::get() to maintain the proper sort order, which
requires duplicating some Item_Model code.
- Elide "weight" from the REST version of item
- Adjust the weight of members according to the order they're returned
from the client. You can't add or remove members here, you can only
reorder them.
- Changed the wire protocol to handle more complex values.
Now "entity" and "members" are JSON encoded. The Gallery3
helper does this correctly.
- Changed the wire protocol for tag_item -- now it stores the
tag and item urls in the entity, not as members. This is more
consistent.
- Added missing security for renaming and deleting tags.
- Got rid of vestigial tag_rest::post(). We add/remove tags
via the relationship.
Diffstat (limited to 'modules/tag/helpers')
| -rw-r--r-- | modules/tag/helpers/item_tags_rest.php | 5 | ||||
| -rw-r--r-- | modules/tag/helpers/tag_item_rest.php | 2 | ||||
| -rw-r--r-- | modules/tag/helpers/tag_items_rest.php | 4 | ||||
| -rw-r--r-- | modules/tag/helpers/tag_rest.php | 27 | ||||
| -rw-r--r-- | modules/tag/helpers/tags_rest.php | 6 |
5 files changed, 21 insertions, 23 deletions
diff --git a/modules/tag/helpers/item_tags_rest.php b/modules/tag/helpers/item_tags_rest.php index 8a1b1e8b..02c79e5d 100644 --- a/modules/tag/helpers/item_tags_rest.php +++ b/modules/tag/helpers/item_tags_rest.php @@ -31,8 +31,8 @@ class item_tags_rest_Core { } static function post($request) { - $tag = rest::resolve($request->params->tag); - $item = rest::resolve($request->params->item); + $tag = rest::resolve($request->params->entity->tag); + $item = rest::resolve($request->params->entity->item); access::required("view", $item); tag::add($item, $tag->name); @@ -45,6 +45,7 @@ class item_tags_rest_Core { static function delete($request) { list ($tag, $item) = rest::resolve($request->url); + access::required("edit", $item); $tag->remove($item); $tag->save(); } diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php index bce00a9f..17cb726e 100644 --- a/modules/tag/helpers/tag_item_rest.php +++ b/modules/tag/helpers/tag_item_rest.php @@ -22,7 +22,7 @@ class tag_item_rest_Core { list ($tag, $item) = rest::resolve($request->url); return array( "url" => $request->url, - "members" => array( + "entity" => array( "tag" => rest::url("tag", $tag), "item" => rest::url("item", $item))); } diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php index 003c7c95..848c2cd3 100644 --- a/modules/tag/helpers/tag_items_rest.php +++ b/modules/tag/helpers/tag_items_rest.php @@ -33,8 +33,8 @@ class tag_items_rest_Core { } static function post($request) { - $tag = rest::resolve($request->params->tag); - $item = rest::resolve($request->params->item); + $tag = rest::resolve($request->params->entity->tag); + $item = rest::resolve($request->params->entity->item); access::required("view", $item); if (!$tag->loaded()) { diff --git a/modules/tag/helpers/tag_rest.php b/modules/tag/helpers/tag_rest.php index f30706bd..e0b7bd87 100644 --- a/modules/tag/helpers/tag_rest.php +++ b/modules/tag/helpers/tag_rest.php @@ -36,28 +36,25 @@ class tag_rest_Core { "members" => $tag_items))); } - static function post($request) { - if (empty($request->params->url)) { - throw new Rest_Exception("Bad request", 400); - } - - $tag = rest::resolve($request->url); - $item = rest::resolve($request->params->url); - access::required("edit", $item); - - tag::add($item, $tag->name); - return array("url" => rest::url("tag_item", $tag, $item)); - } - static function put($request) { + // Who can we allow to edit a tag name? If we allow anybody to do it then any logged in + // user can rename all your tags to something offensive. Right now limit renaming to admins. + if (!identity::active_user()->admin) { + access::forbidden(); + } $tag = rest::resolve($request->url); - if (isset($request->params->name)) { - $tag->name = $request->params->name; + if (isset($request->params->entity->name)) { + $tag->name = $request->params->entity->name; $tag->save(); } } static function delete($request) { + // Restrict deleting tags to admins. Otherwise, a logged in user can do great harm to an + // install. + if (!identity::active_user()->admin) { + access::forbidden(); + } $tag = rest::resolve($request->url); $tag->delete(); } diff --git a/modules/tag/helpers/tags_rest.php b/modules/tag/helpers/tags_rest.php index 82826d8e..434e774a 100644 --- a/modules/tag/helpers/tags_rest.php +++ b/modules/tag/helpers/tags_rest.php @@ -40,13 +40,13 @@ class tags_rest_Core { } } - if (empty($request->params->name)) { + if (empty($request->params->entity->name)) { throw new Rest_Exception("Bad Request", 400); } - $tag = ORM::factory("tag")->where("name", "=", $request->params->name)->find(); + $tag = ORM::factory("tag")->where("name", "=", $request->params->entity->name)->find(); if (!$tag->loaded()) { - $tag->name = $request->params->name; + $tag->name = $request->params->entity->name; $tag->count = 0; $tag->save(); } |