(func, args="")
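@route("/api/:func:args#[a-zA-Z0-9\-_/\"'\[\]%{}]*#")
@route("/api/:func:args#[a-zA-Z0-9\-_/\"'\[\]%{}]*#", method="POST")
def call_api(func, args=""):
    """Authenticate the caller, check authorization for `func`, then dispatch it.

    Two authentication paths are accepted:

    * POST fields ``u`` and ``p``: checked with ``PYLOAD.checkAuth``.
    * A beaker session: either the one attached to the request, or the one
      looked up from the POST field ``session``.

    On both paths ``PYLOAD.isAuthorized`` decides whether the caller's role and
    permission allow `func`. All remaining GET/POST parameters are forwarded to
    ``callApi`` as keyword arguments, and the path segments after the function
    name are forwarded as positional arguments.

    :param func: name of the API function, taken from the URL.
    :param args: remainder of the URL path; split on "/" into positional args.
    :return: the result of ``callApi``, or an ``HTTPError`` with a JSON body
        (403 when authentication fails, 401 when the caller is not authorized
        for `func`, 500 when the call raises).
    """
    response.headers.replace("Content-type", "application/json")
    response.headers.append("Cache-Control", "no-cache, must-revalidate")

    # NOTE(review): the status codes are the reverse of common HTTP usage
    # (401 normally means "not authenticated", 403 "not allowed"). They are
    # kept as-is because existing clients may depend on them.
    if 'u' in request.POST and 'p' in request.POST:
        # Credentials travel in the request body on every call made this way.
        info = PYLOAD.checkAuth(request.POST['u'], request.POST['p'])
        if not info:
            return HTTPError(403, json.dumps("Forbidden"))

        if not PYLOAD.isAuthorized(func, {"role": info["role"], "permission": info["permission"]}):
            return HTTPError(401, json.dumps("Unauthorized"))

    else:
        s = request.environ.get('beaker.session')
        # Only dereference the session object when it exists. Without this
        # guard a request carrying 'session' while no beaker session is
        # attached raised AttributeError before the deny check below could run.
        # `is not None` (rather than truthiness) keeps the lookup working for a
        # session object that is present but empty.
        # NOTE(review): the caller-supplied id selects the session, so the id
        # itself acts as a bearer credential.
        if s is not None and 'session' in request.POST:
            s = s.get_by_id(request.POST['session'])

        if not s or not s.get("authenticated", False):
            return HTTPError(403, json.dumps("Forbidden"))

        if not PYLOAD.isAuthorized(func, {"role": s["role"], "permission": s["perms"]}):
            return HTTPError(401, json.dumps("Unauthorized"))

    # First element is the empty string before the leading "/", so drop it.
    args = args.split("/")[1:]
    kwargs = {}

    # Everything except the authentication fields is handed to the API
    # function; the isAuthorized check on `func` above is the only gate visible
    # in this function.
    for x, y in chain(request.GET.iteritems(), request.POST.iteritems()):
        if x in ("u", "p", "session"):
            continue
        # NOTE(review): if the framework has already percent-decoded these
        # values, this is a second decode -- confirm it is intended.
        kwargs[x] = unquote(y)

    try:
        return callApi(func, *args, **kwargs)
    except Exception, e:
        print_exc()
        # NOTE(review): the full server-side traceback is returned to the
        # client. print_exc() already records it on the server; consider
        # returning only the error message in the response.
        return HTTPError(500, json.dumps({"error": e.message, "traceback": format_exc()}))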
| 66 | |
| 67 | |
| 68 | def callApi(func, *args, **kwargs): |