
better handling of tickets

Davide Alberani 8 lat temu
rodzic
commit
63a09b7b17
1 zmienionych plików z 12 dodań i 7 usunięć
  1. 12 7
      eventman_server.py

+ 12 - 7
eventman_server.py

@@ -67,7 +67,7 @@ class BaseHandler(tornado.web.RequestHandler):
     """Base class for request handlers."""
     permissions = {
         'event|read': True,
-        'events|read': True,
+        'events-all|read': True,
         'event:tickets|all': True,
         'person|create': True
     }
@@ -280,7 +280,7 @@ class CollectionHandler(BaseHandler):
     def get(self, id_=None, resource=None, resource_id=None, acl=True, **kwargs):
         if resource:
             # Handle access to sub-resources.
-            permission = '%s:%s|read' % (self.document, resource)
+            permission = '%s:%s%s|read' % (self.document, resource, '-all' if resource_id is None else '')
             if acl and not self.has_permission(permission):
                 return self.build_error(status=401, message='insufficient permissions: %s' % permission)
             method = getattr(self, 'handle_get_%s' % resource, None)
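Review bot: The permission name on the changed line is hard to audit because the scope decision is buried inside the format arguments. Splitting it reads better: `scope = '-all' if resource_id is None else ''` followed by `permission = '%s:%s%s|read' % (self.document, resource, scope)`. The collection branch later in `get` spells the same suffix as `'%s-all|read'`, so one small helper would keep the two from drifting apart. The test is `resource_id is None`, so an empty-string `resource_id` would be checked against the single-item permission; if the routing can ever pass one, `not resource_id` is the safer condition. `get` continues outside the hunk.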
@@ -301,7 +301,7 @@ class CollectionHandler(BaseHandler):
             # e.g.: {'events': [{'_id': 'obj1-id, ...}, {'_id': 'obj2-id, ...}, ...]}
             # Please, never return JSON lists that are not encapsulated into an object,
             # to avoid XSS vulnerabilities.
-            permission = '%s|read' % self.collection
+            permission = '%s-all|read' % self.collection
             if acl and not self.has_permission(permission):
                 return self.build_error(status=401, message='insufficient permissions: %s' % permission)
             self.write({self.collection: self.db.query(self.collection, self.arguments)})
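Review bot: Grants already stored as `<collection>|read` stop matching the list check on the changed line, and the only default visibly updated in this commit is the `events` entry in `BaseHandler.permissions`. That fails closed, which is the safe direction, but users or handler subclasses that relied on the old name will get the 401 below with no hint of the rename. A comment here such as `# listing needs '<collection>-all|read'; '<collection>|read' no longer grants it`, plus a line in the upgrade notes, would make the change visible. This assumes `has_permission` compares names literally, which the hunk does not show. `get` starts and ends outside the hunk.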
@@ -538,23 +538,28 @@ class EventsHandler(CollectionHandler):
         query['_id'] = id_
         if ticket:
             query['persons._id'] = person_id
+            person_query = {'_id': person_id}
         elif person_id is not None:
             query['persons.person_id'] = person_id
+            person_query = person_id
+        else:
+            person_query = self.arguments
         old_person_data = {}
         current_event = self.db.query(self.collection, query)
         if current_event:
             current_event = current_event[0]
         else:
             current_event = {}
-        old_person_data = self._get_person_data(person_id or self.arguments,
+        old_person_data = self._get_person_data(person_query,
                 current_event.get('persons') or [])
         merged, doc = self.db.update('events', query,
                 data, updateList='persons', create=False)
-        new_person_data = self._get_person_data(person_id or self.arguments,
+        new_person_data = self._get_person_data(person_query,
                 doc.get('persons') or [])
         env = self._dict2env(new_person_data)
-        if person_id is None:
-            person_id = str(new_person_data.get('person_id'))
+        # always takes the person_id from the new person (it may have
+        # be a ticket_id).
+        person_id = str(new_person_data.get('person_id'))
         env.update({'PERSON_ID': person_id, 'EVENT_ID': id_,
             'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.current_user,
             'WEB_REMOTE_IP': self.request.remote_ip})
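Review bot: `person_id = str(new_person_data.get('person_id'))` now runs unconditionally, so when the updated document holds no matching person the value becomes the literal string `'None'` and is exported as `PERSON_ID` next to `WEB_USER` and `WEB_REMOTE_IP`. Before this change a caller-supplied `person_id` was kept in that case. Checking the lookup before `env.update(...)` avoids handing a bogus id to whatever consumes the environment, e.g. `if new_person_data.get('person_id') is None:` followed by `return self.build_error(status=404, message='person not found')`. This assumes `_get_person_data` returns a dict without `person_id` when nothing matches, which is not visible here; note too that `self.db.update` has already run by then, so the error only stops the follow-up actions. The method starts before the hunk and continues after it.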