[Checkins]
SVN: grok/branches/faassen-rest/src/grok/ftests/rest/rest.py
Some basic check to see whether we haven't totally broken security.
Martijn Faassen
faassen at infrae.com
Tue Oct 16 08:43:08 EDT 2007
Log message for revision 80891:
Some basic check to see whether we haven't totally broken security.
Changed:
U grok/branches/faassen-rest/src/grok/ftests/rest/rest.py
-=-
Modified: grok/branches/faassen-rest/src/grok/ftests/rest/rest.py
===================================================================
--- grok/branches/faassen-rest/src/grok/ftests/rest/rest.py 2007-10-16 12:29:01 UTC (rev 80890)
+++ grok/branches/faassen-rest/src/grok/ftests/rest/rest.py 2007-10-16 12:43:07 UTC (rev 80891)
@@ -207,6 +207,33 @@
<BLANKLINE>
this is the PUT body
+Opening up the publication for REST doesn't mean we can just delete
+random objects without access:
+
+ >>> print http('DELETE /app HTTP/1.1')
+ HTTP/1. 500 Internal Server Error
+ Content-Length: 127
+ Content-Type: text/html;charset=utf-8
+ <BLANKLINE>
+ <html><head><title>ForbiddenAttribute</title></head>
+ <body><h2>ForbiddenAttribute</h2>
+ A server error occurred.
+ </body></html>
+ <BLANKLINE>
+
+ >>> print http('DELETE /app/alpha HTTP/1.1')
+ HTTP/1. 500 Internal Server Error
+ Content-Length: 127
+ Content-Type: text/html;charset=utf-8
+ <BLANKLINE>
+ <html><head><title>ForbiddenAttribute</title></head>
+ <body><h2>ForbiddenAttribute</h2>
+ A server error occurred.
+ </body></html>
+ <BLANKLINE>
+
+XXX shouldn't this really give a FORBIDDEN response?
+
Todo:
* Support for OPTIONS, HEAD, other methods?
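Review bot: the two DELETE doctests pin a 500 Internal Server Error with a ForbiddenAttribute page as the expected result, which is exactly the behaviour the trailing "XXX shouldn't this really give a FORBIDDEN response?" questions; a ForbiddenAttribute escaping from the security proxy and surfacing as a server error means the REST publication is not translating security exceptions into an Unauthorized/Forbidden response, and asserting on "HTTP/1. 500 Internal Server Error" enshrines that bug in the test suite. Better to assert the intended status and error page (or narrow the assertion to "anything but success" until the publisher is fixed) so the test fails when the wrong status is returned rather than when the right one is. A second gap: both requests are sent with no credentials at all, so the test cannot tell "DELETE is blocked by the access check" from "DELETE is broken for everyone"; add a DELETE with a user who holds the required permission and expect success, plus one with a valid but unprivileged user, and then "DELETE /app/alpha" need not repeat the identical unauthenticated case against a second path.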