better handling of tickets
parent
b29f90747b
commit
63a09b7b17
1 changed files with 12 additions and 7 deletions
|
@ -67,7 +67,7 @@ class BaseHandler(tornado.web.RequestHandler):
|
|||
"""Base class for request handlers."""
|
||||
permissions = {
|
||||
'event|read': True,
|
||||
'events|read': True,
|
||||
'events-all|read': True,
|
||||
'event:tickets|all': True,
|
||||
'person|create': True
|
||||
}
|
||||
|
@ -280,7 +280,7 @@ class CollectionHandler(BaseHandler):
|
|||
def get(self, id_=None, resource=None, resource_id=None, acl=True, **kwargs):
|
||||
if resource:
|
||||
# Handle access to sub-resources.
|
||||
permission = '%s:%s|read' % (self.document, resource)
|
||||
permission = '%s:%s%s|read' % (self.document, resource, '-all' if resource_id is None else '')
|
||||
if acl and not self.has_permission(permission):
|
||||
return self.build_error(status=401, message='insufficient permissions: %s' % permission)
|
||||
method = getattr(self, 'handle_get_%s' % resource, None)
|
||||
|
@ -301,7 +301,7 @@ class CollectionHandler(BaseHandler):
|
|||
# e.g.: {'events': [{'_id': 'obj1-id, ...}, {'_id': 'obj2-id, ...}, ...]}
|
||||
# Please, never return JSON lists that are not encapsulated into an object,
|
||||
# to avoid XSS vulnerabilities.
|
||||
permission = '%s|read' % self.collection
|
||||
permission = '%s-all|read' % self.collection
|
||||
if acl and not self.has_permission(permission):
|
||||
return self.build_error(status=401, message='insufficient permissions: %s' % permission)
|
||||
self.write({self.collection: self.db.query(self.collection, self.arguments)})
|
||||
|
@ -538,23 +538,28 @@ class EventsHandler(CollectionHandler):
|
|||
query['_id'] = id_
|
||||
if ticket:
|
||||
query['persons._id'] = person_id
|
||||
person_query = {'_id': person_id}
|
||||
elif person_id is not None:
|
||||
query['persons.person_id'] = person_id
|
||||
person_query = person_id
|
||||
else:
|
||||
person_query = self.arguments
|
||||
old_person_data = {}
|
||||
current_event = self.db.query(self.collection, query)
|
||||
if current_event:
|
||||
current_event = current_event[0]
|
||||
else:
|
||||
current_event = {}
|
||||
old_person_data = self._get_person_data(person_id or self.arguments,
|
||||
old_person_data = self._get_person_data(person_query,
|
||||
current_event.get('persons') or [])
|
||||
merged, doc = self.db.update('events', query,
|
||||
data, updateList='persons', create=False)
|
||||
new_person_data = self._get_person_data(person_id or self.arguments,
|
||||
new_person_data = self._get_person_data(person_query,
|
||||
doc.get('persons') or [])
|
||||
env = self._dict2env(new_person_data)
|
||||
if person_id is None:
|
||||
person_id = str(new_person_data.get('person_id'))
|
||||
# always takes the person_id from the new person (it may have
|
||||
# be a ticket_id).
|
||||
person_id = str(new_person_data.get('person_id'))
|
||||
env.update({'PERSON_ID': person_id, 'EVENT_ID': id_,
|
||||
'EVENT_TITLE': doc.get('title', ''), 'WEB_USER': self.current_user,
|
||||
'WEB_REMOTE_IP': self.request.remote_ip})
|
||||
|
|
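Review bot: The now-unconditional `person_id = str(new_person_data.get('person_id'))` near the end of the last hunk turns a missing value into the literal string `'None'`, which is then placed in `PERSON_ID` in `env`. If `_get_person_data` (not visible here) returns an empty dict when no entry in the event's persons list matches `person_query`, whatever consumes that environment receives a plausible-looking but bogus id, and the id supplied with the request is lost. I would keep the looked-up value only when it exists, e.g. `found_id = new_person_data.get('person_id')` followed by `person_id = str(found_id) if found_id is not None else person_id`, or return an error before `env` is built. The added comment also reads "it may have be a ticket_id"; "it may have been a ticket_id" is presumably what was meant. The enclosing method starts and ends outside the hunk.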