more strict check to tag_POST; support DISALLOW in apijson_put

zhangchunlin · zhangchunlin · commit 8eeafbbbf351 · 2019-05-07T17:26:37.000+08:00
diff --git a/uliweb_apijson/apijson/views.py b/uliweb_apijson/apijson/views.py
@@ -373,6 +373,8 @@ def _post_one(self,key,tag):
         if not request_tag_config:
             return json({"code":400,"msg":"tag '%s' not found"%(tag)})
         tag_POST =  request_tag_config.get("POST",{})
+        if not tag_POST:
+            return json({"code":400,"msg":"tag '%s' not support apijson_post"%(tag)})
         ADD = tag_POST.get("ADD")
         if ADD:
             ADD_role = ADD.get("@role")
@@ -501,9 +503,9 @@ def _put_one(self,key,tag):
             return json({"code":400,"msg":"cannot find record id '%s'"%(id_)})
 
         permission_check_ok = False
-        PUT = model_setting.get("PUT")
-        if PUT:
-            roles = PUT.get("roles")
+        model_PUT = model_setting.get("PUT")
+        if model_PUT:
+            roles = model_PUT.get("roles")
             if params_role:
                 if not params_role in roles:
                     return json({"code":400,"msg":"'%s' not accessible by role '%s'"%(modelname,params_role)})
@@ -529,6 +531,13 @@ def _put_one(self,key,tag):
         if not permission_check_ok:
             return json({"code":400,"msg":"no permission"})
 
+        DISALLOW = tag_PUT.get("DISALLOW")
+        if DISALLOW:
+            for field in DISALLOW:
+                if field in params:
+                    log.error("request '%s' disallow '%s'"%(tag,field))
+                    return json({"code":400,"msg":"request '%s' disallow '%s'"%(tag,field)})
+
         kwargs = {}
         for k in params:
             if k=="id":
