BUGFIX Prevent relations without $api_access from being shown through RestfulServer

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@78123 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2009-05-29 01:04:40 +00:00
parent 173711531e
commit e121c2f8fd
3 changed files with 35 additions and 0 deletions


@ -51,6 +51,8 @@ class JSONDataFormatter extends DataFormatter {
if($this->relationDepth > 0) {
foreach($obj->has_one() as $relName => $relClass) {
if(!singleton($relClass)->stat('api_access')) continue;
// Field filtering
if($fields && !in_array($relName, $fields)) continue;
if($this->customRelations && !in_array($relName, $this->customRelations)) continue;
@ -65,6 +67,8 @@ class JSONDataFormatter extends DataFormatter {
}
foreach($obj->has_many() as $relName => $relClass) {
if(!singleton($relClass)->stat('api_access')) continue;
// Field filtering
if($fields && !in_array($relName, $fields)) continue;
if($this->customRelations && !in_array($relName, $this->customRelations)) continue;
@ -80,6 +84,8 @@ class JSONDataFormatter extends DataFormatter {
}
foreach($obj->many_many() as $relName => $relClass) {
if(!singleton($relClass)->stat('api_access')) continue;
// Field filtering
if($fields && !in_array($relName, $fields)) continue;
if($this->customRelations && !in_array($relName, $this->customRelations)) continue;
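Review bot: The `api_access` gate added before the field filtering is the same line repeated in all three relation loops of this formatter (has_one, has_many, many_many), and the XMLDataFormatter hunks in this commit repeat it three more times; a single protected helper on the shared `DataFormatter` base, e.g. `protected function relationIsApiAccessible($relClass) { return (bool)singleton($relClass)->stat('api_access'); }`, would keep the access rule in one place so the two formatters cannot drift apart if the rule changes later. The line also deserves a comment stating why it sits before the field and customRelations filters rather than after them: `// Access control: never expose a relation whose class is not API-accessible, regardless of which fields were requested`. The check only tests truthiness of the static, so if `api_access` can hold a value other than a boolean, a note on the helper saying that any non-empty value exposes the relation would avoid surprises. The enclosing method starts before and continues past each of these hunks.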


@ -59,6 +59,8 @@ class XMLDataFormatter extends DataFormatter {
if($this->relationDepth > 0) {
foreach($obj->has_one() as $relName => $relClass) {
if(!singleton($relClass)->stat('api_access')) continue;
// Field filtering
if($fields && !in_array($relName, $fields)) continue;
if($this->customRelations && !in_array($relName, $this->customRelations)) continue;
@ -73,6 +75,8 @@ class XMLDataFormatter extends DataFormatter {
}
foreach($obj->has_many() as $relName => $relClass) {
if(!singleton($relClass)->stat('api_access')) continue;
// Field filtering
if($fields && !in_array($relName, $fields)) continue;
if($this->customRelations && !in_array($relName, $this->customRelations)) continue;
@ -88,6 +92,8 @@ class XMLDataFormatter extends DataFormatter {
}
foreach($obj->many_many() as $relName => $relClass) {
if(!singleton($relClass)->stat('api_access')) continue;
// Field filtering
if($fields && !in_array($relName, $fields)) continue;
if($this->customRelations && !in_array($relName, $this->customRelations)) continue;


@ -275,6 +275,16 @@ class RestfulServerTest extends SapphireTest {
);
}
public function testApiAccessRelationRestrictions() {
$author1 = $this->objFromFixture('RestfulServerTest_Author','author1');
$url = "/api/v1/RestfulServerTest_Author/" . $author1->ID;
$response = Director::test($url, null, null, 'GET');
var_dump($response->getBody());
$this->assertNotContains('<RelatedPages', $response->getBody());
$this->assertNotContains('<PublishedPages', $response->getBody());
}
public function testApiAccessWithPUT() {
$rating1 = $this->objFromFixture('RestfulServerTest_AuthorRating','rating1');
@ -377,9 +387,17 @@ class RestfulServerTest_Page extends DataObject implements TestOnly {
'Content' => 'HTMLText',
);
static $has_one = array(
'Author' => 'RestfulServerTest_Author',
);
static $has_many = array(
'TestComments' => 'RestfulServerTest_Comment'
);
static $belongs_many_many = array(
'RelatedAuthors' => 'RestfulServerTest_Author',
);
}
@ -390,8 +408,13 @@ class RestfulServerTest_Author extends DataObject implements TestOnly {
static $db = array(
'Name' => 'Text',
);
static $many_many = array(
'RelatedPages' => 'RestfulServerTest_Page',
);
static $has_many = array(
'PublishedPages' => 'RestfulServerTest_Page',
'Ratings' => 'RestfulServerTest_AuthorRating',
);