amiv-eth / amivapi Goto Github PK

Implement rights to access GET, PUT, PATCH and DELETE for all ressources

This should check at least:

• Can a user login(receives a token and it is correctly added to database)
• Do all kinds of passwords work as intended(unicode, chinese weird characters, shellcodes)
• Does a user get admin access (g.resource_admin_access) correctly based on his permissions and the requested resource(or because he is root)
• Is the correct user logged in (g.logged_in_user)
• Can a user change his password with PATCH
• Can a newly created user log in(does his password hash correctly?)
• Is the _author field correctly set for all items
• Does a GET request by an owner return the correct dataset
• Does a GET request by an owner return the correct dataset for an indirect owner(via relationship)
• Does a POST request by a future owner work
• Does a POST request by an indirect owner work

When the root and anonymous user are created they are created by insert statements which don't update metadata fields. This would be nice to have to be able to send requests to that item.

There should be a possibility to revert actions as DELETE and PATCH when they change information which may have taken a lot of work to do. This could be achived by archiving stuff or by versioning. Discussion?

Changes to the forwards resource should propagate into the filesystem, where they are read by the mailserver. For every forward there should be a file ~/.forward+<address_to_forward>, which contains one address per line and can have comments prepended with '#'.
For example the list "[email protected]" with the addresses "[email protected]" and "[email protected]" should have a file ~/.forward+helfer with the contents:

# Maintained by amivapi, changes are overwritten

[email protected]
[email protected]

Implement functionality to import users from LDAP and to update account information.

• only admins can change more than RFID
• “extraordinary members” can change their stuff
• you can set your own password

All requests should be logged including their query strings(except passwords). This should vastly improve bug detection.

Yes we scan.

A unittest should only test its own set of operation and not rely on necessary steps such as user creation before that, which could also fail. Therefore it should start with an already filled database. This hopefully makes it easier to see which part exactly is the problem.

Sort an clean all functions necessary to configure the api.

One single setup would be optimal.

It should be possible to get what roles exist and which permissions they grant via the API to display those informations to a user, when he is performing administrative tasks.

Different resources should need different whitelistists, e.g.

Joboffers:
logos: png, jpeg, ...
pdf: pdf (Duh.)

There should be a simple baseclass, which unittests can use, when they should not require authentification.

One might want to signup for an event which is already full, in case somebody cancels his/her signup.

The function in download.py will send a file from directory when the correct URL is accessed.

Currently, no authentification is necessary for this, I don't know how to implement it properly.

I don't know where to create the folder. Ideas?

Describe how the file interface can be used in the User Guide.
Also describe implementation details in the Developer Guide.

Associate files with studydocuments and update the association on changes to the studydocument. Remove the file when it is not needed anymore.

It is possible to create the file resource without sending a file, but this will break all GET requests that try to access the resource.

What needs to be done

• file is required to create /files item!
• fix mediastorage anyway so it doesn't break

• groupwork presentation
• images (random hacking shell images)

There should be a feature, that accounts are updated from LDAP at regular intervalls. This needs a mechanism to schedule task to run at a regular interval(cron interface).

• Document /permissions resource
• Document permission system (root account, role based admin system, affected_user and owner system)

The API should send a version string, which can be used to provide backwards compatibility when the API is changed.

When deleting anything which is referenced by a ForeignKey which can not be nulled, 400 will be returned. We need hooks which handle this before the action is performed.
Same problem for puts.

Make it possible to upload files to the /files resource, retrive the metainfo or the content

Implement to reroute the login to LDAP and when credentials match there login the user without local password check.

signup with user_id:-1 returns error 422 even if it is a public event and i provide an valid email-address

don't return password-fields in any case for anyone

A documentation of all resources with their methods, their fields and the possible value ranges should be available.

• Create a tutorial how to login and send the token to authorize requests.
• Write API documentation of /sessions resource
• Document token, password hash method, security details

Log all exceptions with relevant information to fix bugs. The log should be informative enough to reproduce the situation where it occured.

Describe in the Developer Guide what files we have and where to start to understand the code.

Need to implement a correct mapping between different resources

• GET requests on e.g. /users should show groups
• POST/PUT on e.g. /groupmemberships should make a new mapping between an user and a group
• POST/PUT on /users doesn't assign any relationships
• DELETE on a user should also delete all relationships

• Many Pictures
• Such Image
• Very Graphic
• No Text

The 'with' block in utils.parse_data() closes any files sent before they reach the point at which they are written to the disk.

This causes an I/O error.

Should include somehow:

• What is REST
• How to send requests
• Response format(meta fields)
• Pagination
• Where clauses
• etag

Advanced:

• Bulk insert
• Projection

There is no parsing of arguments for logins yet

Regarding or master students and general API viability, I would like to implement support for english and german.

This is a minor change in the model - does anything speak against it?

Only callbacks for POST and PATCH are registered to call the check_ functions in event_hooks.py

Currently everybody can join any forward. There should be restricted forwards, which only owners or admins can add people to.

prices are stored as string because sqlalchemy does not support decimal-objects
Therefore they need to be validated by a schema

The app will run on MySQL in production, so add support for it. Since we are already using SQLAlchemy for the data layer, adding MySQL support is as simple as switching the SQLALCHEMY_DATABASE_URI setting to a MySQL URI. The real issue is to support multiple instances running seperated from each other on the same database, e.g. when running the test suite on the developer machine (or even multiple test suites in parallel).

In short: Make sure the tests create their own (preferably random) database "on-the-fly".

The unit test should check whether the manage.py script correctly initializes config files and the database.