Mercurial > libervia-web

diff src/server/server.py @ 745:ad733b670cc3

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
server side: fixed params, and removed self.authorized_params as authorisation is handled by the backend
author Goffi <goffi@goffi.org>
date Mon, 23 Nov 2015 12:59:28 +0100
parents 03ccd68a6dab
children 25984ca4aef2
line wrap: on
line diff
--- a/src/server/server.py	Sun Nov 22 21:28:06 2015 +0100
+++ b/src/server/server.py	Mon Nov 23 12:59:28 2015 +0100
@@ -35,7 +35,6 @@
 from sat_frontends.bridge.DBus import DBusBridgeFrontend, BridgeExceptionNoService, const_TIMEOUT as BRIDGE_TIMEOUT
 from sat.core.i18n import _, D_
 from sat.core import exceptions
-from sat.tools.xml_tools import paramsXML2XMLUI
 from sat.tools import utils
 
 import re
@@ -46,7 +45,6 @@
 import shutil
 import uuid
 from zope.interface import Interface, Attribute, implements
-from xml.dom import minidom
 from httplib import HTTPS_PORT
 import libervia
 
@@ -179,7 +177,6 @@
 
     def __init__(self, sat_host):
         JSONRPCMethodManager.__init__(self, sat_host)
-        self.authorized_params = None
 
     def render(self, request):
         self.session = request.getSession()
@@ -628,25 +625,7 @@
     def jsonrpc_getParamsUI(self):
         """Return the parameters XML for profile"""
         profile = ISATSession(self.session).profile
-        d = self.asyncBridgeCall("getParams", C.SECURITY_LIMIT, C.APP_NAME, profile)
-
-        def setAuthorizedParams(params_xml):
-            if self.authorized_params is None:
-                self.authorized_params = {}
-                for cat in minidom.parseString(params_xml.encode('utf-8')).getElementsByTagName("category"):
-                    params = cat.getElementsByTagName("param")
-                    params_list = [param.getAttribute("name") for param in params]
-                    self.authorized_params[cat.getAttribute("name")] = params_list
-            if self.authorized_params:
-                return params_xml
-            else:
-                return None
-
-        d.addCallback(setAuthorizedParams)
-
-        d.addCallback(lambda params_xml: paramsXML2XMLUI(params_xml) if params_xml else "")
-
-        return d
+        return self.asyncBridgeCall("getParamsUI", C.SECURITY_LIMIT, C.APP_NAME, profile)
 
     def jsonrpc_asyncGetParamA(self, param, category, attribute="value"):
         """Return the parameter value for profile"""
@@ -656,11 +635,7 @@
 
     def jsonrpc_setParam(self, name, value, category):
         profile = ISATSession(self.session).profile
-        if category in self.authorized_params and name in self.authorized_params[category]:
-            return self.sat_host.bridge.setParam(name, value, category, C.SECURITY_LIMIT, profile)
-        else:
-            log.warning(u"Trying to set parameter '%s' in category '%s' without authorization!!!"
-                    % (name, category))
+        return self.sat_host.bridge.setParam(name, value, category, C.SECURITY_LIMIT, profile)
 
     def jsonrpc_launchAction(self, callback_id, data):
         #FIXME: any action can be launched, this can be a huge security issue if callback_id can be guessed