Don't allow users to delete objects that weren't created using the API

refs #9082
Gunnar Beutner 2015-08-18 08:17:34 +02:00 committed by Michael Friedrich
parent d118b71a2a
commit 60a30d50f6
2 changed files with 8 additions and 2 deletions


@ -61,6 +61,7 @@ bool CreateObjectHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& r
builder->SetType(type->GetName()); builder->SetType(type->GetName());
builder->SetName(name); builder->SetName(name);
builder->SetScope(ScriptGlobal::GetGlobals()); builder->SetScope(ScriptGlobal::GetGlobals());
builder->SetModule("_api");
Array::Ptr templates = params->Get("templates"); Array::Ptr templates = params->Get("templates");
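Review bot: The literal `"_api"` passed to `builder->SetModule(...)` is the only marker the delete handler later relies on (`obj->GetModule() != "_api"`), and it is written out separately in both files. A shared named constant would keep the tag and the check from drifting apart, and a comment such as `// Tags the object as API-created; DeleteObjectHandler refuses objects without this module.` would record why the line matters. The rest of HandleRequest lies outside the hunk, so it is not visible whether attributes or templates supplied in the request can change the module after this call. That should be confirmed, since the deletion guard trusts this value.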


@ -65,6 +65,13 @@ bool DeleteObjectHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& r
Dictionary::Ptr result1 = new Dictionary(); Dictionary::Ptr result1 = new Dictionary();
result1->Set("type", type->GetName()); result1->Set("type", type->GetName());
result1->Set("name", obj->GetName()); result1->Set("name", obj->GetName());
results->Add(result1);
if (obj->GetModule() != "_api") {
result1->Set("code", 500);
result1->Set("status", "Object cannot be deleted because it was not created using the API.");
continue;
}
ConfigItem::Ptr item = ConfigItem::GetObject(type->GetName(), obj->GetName()); ConfigItem::Ptr item = ConfigItem::GetObject(type->GetName(), obj->GetName());
@ -82,8 +89,6 @@ bool DeleteObjectHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& r
result1->Set("code", 500); result1->Set("code", 500);
result1->Set("status", "Object could not be deleted: " + DiagnosticInformation(ex)); result1->Set("status", "Object could not be deleted: " + DiagnosticInformation(ex));
} }
results->Add(result1);
} }
Dictionary::Ptr result = new Dictionary(); Dictionary::Ptr result = new Dictionary();
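Review bot: The new refusal branch reports `result1->Set("code", 500);`, which is the same code the existing catch block uses for a real deletion failure. A client or a log monitor therefore cannot tell a policy denial ("not created using the API") from a server-side error. A 4xx value would separate the two and make denied attempts easy to alert on, for example `result1->Set("code", 403);`. The guard would also benefit from a short comment like `// Objects from config files carry a different module and must not be removable over the API.` The loop and the rest of HandleRequest start and end outside these hunks, so how the per-object codes feed into the overall HTTP status is not visible here.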