appengine-rest-server
Is there any mechanism to protect some fields,
such as author, publish_time and update_time? I wish they could not be modified
by the REST POST method. How could I do it?
Original issue reported on code.google.com by [email protected]
on 25 Nov 2010 at 4:52
There is currently no builtin support for this. If you wanted to do it
yourself, the modification happens in the Dispatcher.update_impl (single
property update) and Dispatcher.model_from_xml (multi-property update) methods.
This feature has been mentioned before and there are a variety of ways it could
be handled. I'll leave this enhancement request here and see if it gathers any
more interest/ideas.
Original comment by [email protected]
on 27 Nov 2010 at 7:35
- Changed title: Is there any mechanism to protect some fields
- Added labels: Type-Enhancement
- Removed labels: Type-Defect
I am now using a CustomModelHandler with a custom create(self, props) method to
resolve this problem. To use a CustomModelHandler, I added
Dispatcher.model_handler_class; this must be set before add_models.
The patch contains another bugfix, for the content-type match: a request header
with "Content-Type":"application/json; charset=UTF-8" did not match correctly
before, so it now uses startswith instead.
Original comment by [email protected]
on 28 Nov 2010 at 4:23
Attachments:
Using a custom create() method will only solve the problem for initial Model
creation. That does not stop those fields from being modified in an update
call.
Original comment by [email protected]
on 29 Nov 2010 at 2:21
You are right, so I made another modification: I added a method
Authorizer.filter_props(model_type, props, model, is_replace) which returns
props.
Please check it.
Original comment by [email protected]
on 29 Nov 2010 at 3:51
Attachments:
I am really interested in this enhancement, too. It's vital to prevent the
modification of such hidden properties as created, updated, author, etc. So the
Authorizer should definitely be able to check access to model properties.
Thanks to [email protected] for the patches. I will try them soon.
Original comment by [email protected]
on 25 Mar 2011 at 1:56
Btw, this patch still does not address all update possibilities. An individual
property may be set using the "model/key/property_name" path (handled in
update_impl as a "single property update"). Should probably address this with
methods like filter_read_properties, filter_write_properties,
can_read_property, can_write_property on the Authorizer.
Also, if you handle this in the Authorizer, do you still need a custom
ModelHandler?
Original comment by [email protected]
on 25 Mar 2011 at 6:47
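The write-side checks discussed in this thread, as an added stand-alone example that is not appengine-rest-server code and not the attached patch. It shows one property-level policy enforced on all three write paths (create, multi-property update, single-property update). The class, the helper functions, the `strict` flag and the `PROTECTED` policy are assumptions; only the method names `can_write_property` and `filter_write_properties` are taken from the last comment.

```python
# Stand-alone sketch: none of these classes are appengine-rest-server code.
# Constructed policy: model type -> properties clients may never write.
PROTECTED = {"Post": frozenset({"author", "publish_time", "update_time"})}


class PropertyWriteDenied(Exception):
    """Raised when a request tries to write a protected property."""


class PropertyAuthorizer:
    """Hypothetical authorizer; method names follow those proposed in the thread."""

    def __init__(self, protected):
        self.protected = protected

    def can_write_property(self, model_type, name):
        return name not in self.protected.get(model_type, frozenset())

    def filter_write_properties(self, model_type, props, strict=False):
        denied = sorted(n for n in props
                        if not self.can_write_property(model_type, n))
        if denied and strict:
            raise PropertyWriteDenied(", ".join(denied))
        return {n: v for n, v in props.items() if n not in denied}


def create(auth, model_type, props, server_values):
    # Create: protected fields sent by the client are dropped, then the
    # server sets them itself (author from the session, timestamps, ...).
    entity = auth.filter_write_properties(model_type, props)
    entity.update(server_values)
    return entity


def update_many(auth, model_type, entity, props):
    # Multi-property update: reject the whole request before touching the
    # entity, so a denied request never results in a partial write.
    entity.update(auth.filter_write_properties(model_type, props, strict=True))
    return entity


def update_one(auth, model_type, entity, name, value):
    # Single-property update (the "model/key/property_name" path): the same
    # policy check, so this path cannot bypass the filter.
    if not auth.can_write_property(model_type, name):
        raise PropertyWriteDenied(name)
    entity[name] = value
    return entity
```

Silently dropping protected fields on create and rejecting them on update is one design choice; the point is that every write path consults the same check.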