From 2245dee31ec7a5b6232a17b6739ce38f726f11ae Mon Sep 17 00:00:00 2001 From: "13621160019@163.com" <13621160019@163.com> Date: Thu, 18 Nov 2021 22:51:01 +0800 Subject: [PATCH] added access control to cost file --- .../costcenter/costfile.controller.js | 19 +++--- .../settings/costcenter/costfile.service.js | 38 +++++------ myems-api/MyEMS.postman_collection.json | 64 +++++++++++++++++-- myems-api/core/costfile.py | 7 +- 4 files changed, 94 insertions(+), 34 deletions(-) diff --git a/admin/app/controllers/settings/costcenter/costfile.controller.js b/admin/app/controllers/settings/costcenter/costfile.controller.js index a9070369..12e3811f 100644 --- a/admin/app/controllers/settings/costcenter/costfile.controller.js +++ b/admin/app/controllers/settings/costcenter/costfile.controller.js @@ -1,18 +1,19 @@ 'use strict'; app.controller('CostFileController', function ( - $scope, + $scope, $window, - $translate, - $interval, - CostFileService, - toaster, + $translate, + $interval, + CostFileService, + toaster, SweetAlert) { $scope.cur_user = JSON.parse($window.localStorage.getItem("myems_admin_ui_current_user")); $scope.getAllCostFiles = function () { - CostFileService.getAllCostFiles(function (response) { + let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token }; + CostFileService.getAllCostFiles(headers, function (response) { if (angular.isDefined(response.status) && response.status === 200) { $scope.costfiles = response.data; } else { @@ -53,7 +54,8 @@ app.controller('CostFileController', function ( }; $scope.restoreCostFile = function (costfile) { - CostFileService.restoreCostFile(costfile, function (response) { + let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token }; + CostFileService.restoreCostFile(costfile, headers, function (response) { if (angular.isDefined(response.status) && response.status === 200) { toaster.pop({ type: "success", 
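Review bot: The header object built in getAllCostFiles reads `$scope.cur_user.uuid` and `.token` without checking that `cur_user` exists; `JSON.parse($window.localStorage.getItem(...))` returns `null` when the key is absent (fresh tab, cleared storage, after logout), so the new line throws a TypeError before any request is made instead of letting the API answer with its access-control error. The same three-line construction is repeated in restoreCostFile and deleteCostFile, so a single helper that tolerates a missing user would keep the auth plumbing in one place, e.g. `$scope.authHeaders = function () { const u = $scope.cur_user || {}; return { "User-UUID": u.uuid, "Token": u.token }; };` called as `CostFileService.getAllCostFiles($scope.authHeaders(), function (response) {`. The token is read from localStorage, which any script on the origin can read; that is pre-existing design rather than something this patch introduces, but a `// NOTE: token comes from localStorage; readable by any script on this origin` comment would make the trade-off visible to the next reader.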
@@ -87,7 +89,8 @@ app.controller('CostFileController', function ( }, function (isConfirm) { if (isConfirm) { - CostFileService.deleteCostFile(costfile, function (response) { + let headers = { "User-UUID": $scope.cur_user.uuid, "Token": $scope.cur_user.token }; + CostFileService.deleteCostFile(costfile, headers, function (response) { if (angular.isDefined(response.status) && response.status === 204) { toaster.pop({ type: "success", diff --git a/admin/app/services/settings/costcenter/costfile.service.js b/admin/app/services/settings/costcenter/costfile.service.js index 05c7c5ae..aab82f44 100644 --- a/admin/app/services/settings/costcenter/costfile.service.js +++ b/admin/app/services/settings/costcenter/costfile.service.js 
@@ -1,38 +1,38 @@ 'use strict'; -app.factory('CostFileService', function($http) { - return { - getAllCostFiles:function(callback){ - $http.get(getAPI()+'costfiles') +app.factory('CostFileService', function($http) { + return { + getAllCostFiles:function(headers, callback){ + $http.get(getAPI()+'costfiles', {headers}) .then(function (response) { callback(response); }, function (response) { callback(response); }); }, - - addCostFile: function(costfile, callback) { - $http.post(getAPI()+'costfiles',{data:costfile}) - .then(function (response) { - callback(response); - }, function (response) { - callback(response); - }); - }, - restoreCostFile: function (costfile, callback) { - $http.get(getAPI() + 'costfiles/' + costfile.id + '/restore') + + addCostFile: function(costfile, headers, callback) { + $http.post(getAPI()+'costfiles', {data:costfile}, {headers}) .then(function (response) { callback(response); }, function (response) { callback(response); }); }, - deleteCostFile: function(costfile, callback) { - $http.delete(getAPI()+'costfiles/'+costfile.id) + restoreCostFile: function (costfile, headers, callback) { + $http.get(getAPI() + 'costfiles/' + costfile.id + '/restore', {headers}) .then(function (response) { callback(response); }, function (response) { callback(response); - }); + }); + }, + deleteCostFile: function(costfile, headers, callback) { + $http.delete(getAPI()+'costfiles/' + costfile.id, {headers}) + .then(function (response) { + callback(response); + }, function (response) { + callback(response); + }); } }; -}); \ No newline at end of file +}); \ No newline at end of file diff --git a/myems-api/MyEMS.postman_collection.json b/myems-api/MyEMS.postman_collection.json index 6711bc7a..84f8347f 100644 --- a/myems-api/MyEMS.postman_collection.json +++ b/myems-api/MyEMS.postman_collection.json 
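Review bot: addCostFile's signature changes from `(costfile, callback)` to `(costfile, headers, callback)`, yet none of the controller hunks in this patch update an addCostFile caller; if any caller elsewhere in the admin UI still passes `(costfile, callback)`, the callback function is sent as the `headers` option and the `.then` handlers invoke `undefined` — worth grepping before merge. Because the header argument is passed straight through as `{headers}`, a caller that passes `undefined` silently issues an unauthenticated request that the API now rejects, so the contract deserves a line on the factory, e.g. `/** Every method takes headers = { "User-UUID", "Token" } of the signed-in admin; the costfiles API rejects requests without them. */`. restoreCostFile still performs a state-changing operation via `$http.get(... '/restore')`; the API mirrors that and changing it is out of scope here, but a `// NOTE: restore is a GET on the API side` comment would flag it for a follow-up.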
@@ -853,7 +853,20 @@ "name": "GET All Cost Files", "request": { "method": "GET", - "header": [], + "header": [ + { + "key": "User-UUID", + "value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4", + "description": "Any admin users' UUID", + "type": "text" + }, + { + "key": "Token", + "value": "6ab593bb7e48f22da551572b444b2095b02f7fd717681215c16866b18846c9e0c7c9a10b612d26e262d2100223197a3804daec0ace179623dcb3d3e0a3213dbe", + "description": "Login to get a valid token", + "type": "text" + } + ], "url": { "raw": "{{base_url}}/costfiles", "host": [ @@ -870,7 +883,20 @@ "name": "GET a Cost File by ID", "request": { "method": "GET", - "header": [], + "header": [ + { + "key": "User-UUID", + "value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4", + "description": "Any admin users' UUID", + "type": "text" + }, + { + "key": "Token", + "value": "6ab593bb7e48f22da551572b444b2095b02f7fd717681215c16866b18846c9e0c7c9a10b612d26e262d2100223197a3804daec0ace179623dcb3d3e0a3213dbe", + "description": "Login to get a valid token", + "type": "text" + } + ], "url": { "raw": "{{base_url}}/costfiles/1", "host": [ @@ -926,7 +952,20 @@ "name": "DELETE a Cost File by ID", "request": { "method": "DELETE", - "header": [], + "header": [ + { + "key": "User-UUID", + "value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4", + "description": "Any admin users' UUID", + "type": "text" + }, + { + "key": "Token", + "value": "6ab593bb7e48f22da551572b444b2095b02f7fd717681215c16866b18846c9e0c7c9a10b612d26e262d2100223197a3804daec0ace179623dcb3d3e0a3213dbe", + "description": "Login to get a valid token", + "type": "text" + } + ], "url": { "raw": "{{base_url}}/costfiles/1", "host": [ 
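Review bot: The new header entries commit a literal User-UUID and a 128-hex-character Token value to the repository; even if that token is a short-lived session token, if it was ever valid it should be treated as leaked and invalidated server-side, and a literal in a shared collection invites the next contributor to paste their own. Use Postman variables instead, `"value": "{{user_uuid}}"` and `"value": "{{token}}"`, so each user fills them in from the login request, keeping the existing `"description": "Login to get a valid token"` text. The same literal pair is repeated in every costfiles request added by this patch.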
@@ -944,15 +983,28 @@ "name": "Rstore a Cost File by ID", "request": { "method": "GET", - "header": [], + "header": [ + { + "key": "User-UUID", + "value": "dcdb67d1-6116-4987-916f-6fc6cf2bc0e4", + "description": "Any admin users' UUID", + "type": "text" + }, + { + "key": "Token", + "value": "6ab593bb7e48f22da551572b444b2095b02f7fd717681215c16866b18846c9e0c7c9a10b612d26e262d2100223197a3804daec0ace179623dcb3d3e0a3213dbe", + "description": "Login to get a valid token", + "type": "text" + } + ], "url": { - "raw": "{{base_url}}/costfiles/1/restore", + "raw": "{{base_url}}/costfiles/20/restore", "host": [ "{{base_url}}" ], "path": [ "costfiles", - "1", + "20", "restore" ] } diff --git a/myems-api/core/costfile.py b/myems-api/core/costfile.py index 366dd923..24b11487 100644 --- a/myems-api/core/costfile.py +++ b/myems-api/core/costfile.py @@ -5,7 +5,7 @@ import config import uuid from datetime import datetime, timezone, timedelta import os -from core.useractivity import user_logger +from core.useractivity import user_logger, access_control class CostFileCollection: @@ -20,6 +20,7 @@ class CostFileCollection: @staticmethod def on_get(req, resp): + access_control(req) cnx = mysql.connector.connect(**config.myems_historical_db) cursor = cnx.cursor() @@ -52,6 +53,7 @@ class CostFileCollection: @user_logger def on_post(req, resp): """Handles POST requests""" + access_control(req) try: upload = req.get_param('file') # Read upload file as binary @@ -157,6 +159,7 @@ class CostFileItem: @staticmethod def on_get(req, resp, id_): + access_control(req) if not id_.isdigit() or int(id_) <= 0: raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST', @@ -191,6 +194,7 @@ class CostFileItem: @staticmethod @user_logger def on_delete(req, resp, id_): + access_control(req) if not id_.isdigit() or int(id_) <= 0: raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST', description='API.INVALID_COST_FILE_ID') 
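Review bot: In on_delete the `access_control(req)` call is the first statement of the body, but `@user_logger` wraps the whole handler, so whether a rejected request still lands in the user-activity log depends on whether the decorator records before or after calling the wrapped function — that is not visible in this patch and worth confirming, since logging an unauthenticated attempt as a user action would pollute the audit trail, while not logging it at all loses forensic signal about probing. If the decorator logs afterwards there is nothing to do; if it logs first, either perform the check inside the decorator or have it handle the access error explicitly. A short comment on the pattern, e.g. `# access_control runs before any DB work; presumably raises on a missing/invalid User-UUID/Token — confirm`, would document the intended ordering for the other handlers as well; the body of on_delete continues past the end of the hunk.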
@@ -241,6 +245,7 @@ class CostFileRestore: @staticmethod def on_get(req, resp, id_): + access_control(req) if not id_.isdigit() or int(id_) <= 0: raise falcon.HTTPError(falcon.HTTP_400, title='API.BAD_REQUEST', description='API.INVALID_COST_FILE_ID')
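Review bot: CostFileRestore.on_get gains the access check, but unlike on_post and on_delete in the same file it carries no `@user_logger`, so a restore — which modifies data — is now authenticated yet not recorded in the user-activity log; add `@user_logger` above `def on_get(req, resp, id_):` for consistency with the other state-changing handlers (hedged: verify the decorator works on a GET without a body). Restore being a GET also means a navigable link or prefetch can trigger it; the custom-header auth mitigates cross-site triggering, but a `# NOTE: state-changing GET; consider moving to POST` comment would flag it for follow-up. The handler's body continues past the end of the hunk.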