@@ -268,6 +268,7 @@ def _post_one(self,key,tag):
268268 tag = tag or key
269269 modelname = key
270270 params = self .request_data [key ]
271+ params_role = params .get ("@role" )
271272
272273 try :
273274 model = getattr (models ,modelname )
@@ -283,17 +284,33 @@ def _post_one(self,key,tag):
283284 ADD = request_setting_POST .get ("ADD" )
284285 permission_check_ok = False
285286 if ADD :
286- roles = ADD .get ("roles" )
287+ ADD_role = ADD .get ("@role" )
288+ if ADD_role and not params_role :
289+ params_role = ADD_role
290+
291+ POST = model_setting .get ("POST" )
292+ if POST :
293+ roles = POST .get ("roles" )
294+ if params_role :
295+ if not params_role in roles :
296+ return json ({"code" :401 ,"msg" :"'%s' not accessible by role '%s'" % (modelname ,params_role )})
297+ roles = [params_role ]
298+
287299 if roles :
288- for r in roles :
289- if r == "OWNER" :
300+ for role in roles :
301+ if role == "OWNER" :
290302 if request .user :
291303 permission_check_ok = True
292- if user_id_field :
293- params [user_id_field ] = request .user .id
294- else :
295- #need OWNER, but don't know how to set user id
296- return json ({"code" :400 ,"msg" :"no permission" })
304+ if user_id_field :
305+ params [user_id_field ] = request .user .id
306+ else :
307+ #need OWNER, but don't know how to set user id
308+ return json ({"code" :400 ,"msg" :"no permission" })
309+ break
310+ else :
311+ if functions .has_role (request .user ,role ):
312+ permission_check_ok = True
313+ break
297314 if not permission_check_ok :
298315 return json ({"code" :400 ,"msg" :"no permission" })
299316
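Review bot: `roles` is only bound inside `if POST:` and `params_role in roles` assumes it is a list, so a model whose settings carry no `POST` entry raises NameError at `if roles:`, and a `POST` entry without `roles` raises TypeError whenever `@role` is supplied; both cases should fall through to the existing `no permission` response rather than surface as a 500. Initialise it before the lookup, `roles = []` ahead of `POST = model_setting.get("POST")`, and use `roles = POST.get("roles") or []` inside the branch; `if params_role not in roles:` is the idiomatic form of the membership test. Since `@role` is read from the request body via `params`, this block only lets the caller narrow the configured role list and `has_role` still decides, which a one-line comment above `if params_role:` should state so the next reader does not take it for a grant. The PUT block in `_put_one` has the same unbound-`roles` shape and needs the same initialisation; `model_setting` and the remainder of `_post_one` lie outside this hunk.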
@@ -347,6 +364,7 @@ def _put_one(self,key,tag):
347364 tag = tag or key
348365 modelname = key
349366 params = self .request_data [key ]
367+ params_role = params .get ("@role" )
350368
351369 try :
352370 model = getattr (models ,modelname )
@@ -359,9 +377,14 @@ def _put_one(self,key,tag):
359377
360378 request_setting_model = request_setting_tag .get (modelname ,{})
361379 request_setting_PUT = request_setting_model .get ("PUT" ,{})
362- ADD = request_setting_PUT .get ("ADD" )
363380 permission_check_ok = False
364381
382+ ADD = request_setting_PUT .get ("ADD" )
383+ if ADD :
384+ ADD_role = ADD .get ("@role" )
385+ if ADD_role and not params_role :
386+ params_role = ADD_role
387+
365388 try :
366389 id_ = params .get ("id" )
367390 if not id_ :
@@ -371,17 +394,28 @@ def _put_one(self,key,tag):
371394 return json ({"code" :400 ,"msg" :"id '%s' cannot convert to integer" % (params .get ("id" ))})
372395 obj = model .get (id_ )
373396
374- if ADD :
375- roles = ADD .get ("roles" )
397+ PUT = model_setting .get ("PUT" )
398+ if PUT :
399+ roles = PUT .get ("roles" )
400+ if params_role :
401+ if not params_role in roles :
402+ return json ({"code" :401 ,"msg" :"'%s' not accessible by role '%s'" % (modelname ,params_role )})
403+ roles = [params_role ]
376404 if roles :
377- for r in roles :
378- if r == "OWNER" :
405+ for role in roles :
406+ if role == "OWNER" :
379407 if request .user :
380408 if user_id_field :
381- if getattr ( obj , user_id_field )! =request .user .id :
409+ if obj . to_dict (). get ( user_id_field )= =request .user .id :
382410 permission_check_ok = True
411+ break
383412 else :
384413 return json ({"code" :400 ,"msg" :"need login user" })
414+ else :
415+ if functions .has_role (request .user ,role ):
416+ permission_check_ok = True
417+ break
418+
385419 if not permission_check_ok :
386420 return json ({"code" :400 ,"msg" :"no permission" })
387421
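Review bot: `obj.to_dict().get(user_id_field)` is evaluated without checking that `model.get(id_)` returned an object, so an unknown id would surface as an AttributeError instead of a 4xx response, unless `model.get` raises on a miss, which is not visible here. A guard before the role loop such as `if obj is None: return json({"code": 400, "msg": "object not found"})` keeps the failure explicit; adjust the wording to the module's existing messages. The rewritten comparison also depends on `to_dict()` exposing the owner field: if the serializer omits it, `.get` yields None and OWNER access silently fails closed, which is safe but deserves a comment on that line. `_put_one` continues outside this hunk.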
@@ -409,3 +443,6 @@ def _put_one(self,key,tag):
409443 self .rdict ["code" ] = 400
410444 self .rdict ["message" ] = "fail"
411445 self .rdict [key ] = obj_dict
446+
447+ def delete (self ):
448+ return json (self .rdict )
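Review bot: The new `delete` has no docstring and returns `self.rdict` without performing any deletion or permission check, so if this class dispatches handlers by HTTP method it makes DELETE an accepted verb that echoes whatever `rdict` holds at that point. If it is a placeholder, say so with a docstring such as `"""DELETE is not implemented; returns the current result dict unchanged."""`, or respond with an explicit not-supported code so clients cannot read the reply as a successful delete. How `rdict` is populated is outside this hunk.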