Hi Rahul

I haven't done much at all with the rest api. But I would have assumed that
you would need to decorate it with @requires to control who can access
what. I can't see that in your code.


On Tue, 25 Aug 2020, 3:06 am Rahul, <[email protected]> wrote:

> Hi All,
>            Not sure if this is the right thread to put this up --
> I was trying to use this code for rest/json -- however -- with slight
> changes and wrong parameters in the URL my entire table got exposed -- Here
> is the code --
>
> *CONTROLLER :  DEFAULT.PY CODE*
>
> ## API ---
> @request.restful()
> def api():
>
>     response.view = 'generic.'+request.extension
>
>     def GET(*args,**vars):
>         patterns = 'auto'
>         parser = db.parse_as_rest(patterns,args,vars)
>         if parser.status == 200:
>             return dict(content=parser.response)
>         else:
>             raise HTTP(parser.status,parser.error)
>
>     def POST(table_name,**vars):
>         return db[table_name].validate_and_insert(**vars)
>
>     def PUT(table_name,record_id,**vars):
>         return db(db[table_name]._id==record_id).update(**vars)
>
>     def DELETE(table_name,record_id):
>         return db(db[table_name]._id==record_id).delete()
>
>     return dict(GET=GET, POST=POST, PUT=PUT, DELETE=DELETE)
>
> When someone adds the URL like this in the browser --
> http://127.0.0.1:8000/artpic/default/api/mblog?id=%221%22&id=%222%22  (
> http://127.0.0.1:8000/artpic/default/api/mblog?id="1"&id="2"; )  it poses
> a huge risk as all the data in the table is exposed. All tables are exposed
> and even username and password from my tables get exposed and easily
> accessible
>
> This works properly -- but above url exposes a huge security risk --
> http://127.0.0.1:8000/artpic/default/api/mblog/id/37.json
>
> Am I doing this properly? Is there something I am missing? The above
> code in the controller is the only code I am using -- Please see the image
> attached -- It looks like a huge security risk.
>
> Regards,
>
> *Rahul*
>
> On Friday, June 22, 2012 at 7:55:19 PM UTC+5:30 Massimo Di Pierro wrote:
>
>> wow. done that.
>>
>> On Thursday, 21 June 2012 18:04:04 UTC-5, Anthony wrote:
>>>
>>> Using my new Google Groups super powers
>>> <https://groups.google.com/d/msg/web2py/trtS-S-4exs/aTLXn1yESboJ>, I
>>> have edited your original post, so if you'd like, you can delete this
>>> correction and we can pretend this never happened. ;-)
>>>
>>> Anthony
>>>
>>> On Thursday, June 21, 2012 6:40:37 PM UTC-4, Massimo Di Pierro wrote:
>>>>
>>>> Silly me. This
>>>>
>>>> def PUT(table_name,record_id):
>>>>     return db(db[table_name]._id==record_id).delete()
>>>>
>>>>
>>>> was supposed to be
>>>>
>>>>
>>>> def DELETE(table_name,record_id):
>>>>     return db(db[table_name]._id==record_id).delete()
>>>>
>>>>
>>>> On Thursday, 21 June 2012 13:38:01 UTC-5, Derek wrote:
>>>>>
>>>>> Looks like you have Get, Post, and PUT and PUT. Where's Delete?
>>>>>
>>>>> On Wednesday, June 20, 2012 4:39:33 PM UTC-7, Massimo Di Pierro wrote:
>>>>>>
>>>>>> You can do
>>>>>>
>>>>>> @request.restful()
>>>>>> def api():
>>>>>>     response.view = 'generic.'+request.extension
>>>>>>     def GET(*args,**vars):
>>>>>>         patterns = 'auto'
>>>>>>         parser = db.parse_as_rest(patterns,args,vars)
>>>>>>         if parser.status == 200:
>>>>>>             return dict(content=parser.response)
>>>>>>         else:
>>>>>>             raise HTTP(parser.status,parser.error)
>>>>>>     def POST(table_name,**vars):
>>>>>>         return db[table_name].validate_and_insert(**vars)
>>>>>>
>>>>>>     def PUT(table_name,record_id,**vars):
>>>>>>         return db(db[table_name]._id==record_id).update(**vars)
>>>>>>     def PUT(table_name,record_id):
>>>>>>         return db(db[table_name]._id==record_id).delete()
>>>>>>     return locals()
>>>>>>
>>>>>>
>>>>>> On Wednesday, 20 June 2012 11:30:26 UTC-5, Osama Hussain wrote:
>>>>>>>
>>>>>>> Using the following code web2py generated all possible patterns for
>>>>>>> all my tables for GET and POST methods:
>>>>>>>
>>>>>>> @request.restful()
>>>>>>> def api():
>>>>>>>     response.view = 'generic.'+request.extension
>>>>>>>     def GET(*args,**vars):
>>>>>>>         patterns = 'auto'
>>>>>>>         parser = db.parse_as_rest(patterns,args,vars)
>>>>>>>         if parser.status == 200:
>>>>>>>             return dict(content=parser.response)
>>>>>>>         else:
>>>>>>>             raise HTTP(parser.status,parser.error)
>>>>>>>     def POST(table_name,**vars):
>>>>>>>         return db[table_name].validate_and_insert(**vars)
>>>>>>>     return locals()
>>>>>>>
>>>>>>>
>>>>>>> Is it possible to have patterns generated for PUT and DELETE methods?
>>>>>>>
>>>>>>> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/web2py/eb1325a1-ee80-4054-a9f4-9a13e4b5ba8bn%40googlegroups.com
> <https://groups.google.com/d/msgid/web2py/eb1325a1-ee80-4054-a9f4-9a13e4b5ba8bn%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

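The check the controller in this thread lacks, as an added example that is not code from the thread or from web2py itself: a caller must be logged in (what `@auth.requires_login()` enforces on an action) and only URL paths matching an explicit allowlist of REST patterns are accepted, instead of `patterns='auto'`, which generates a pattern for every table in `db`. The matcher mirrors the pattern syntax from the web2py book (`name[table]`, `{table.field}`, `:field`) but is a stand-alone simulation, not `db.parse_as_rest`; `db`, `auth` and `HTTP` are not imported, so the login state is passed in as a parameter.

```python
# Added example, not code from this thread or from web2py. A guard for a
# RESTful GET that (1) requires a logged-in caller and (2) accepts only
# paths matching an explicit pattern allowlist, so the bare table root
# (/mblog, which returns the whole table) and every unlisted table such as
# auth_user are unreachable no matter what the query string contains.

# Explicit web2py REST patterns: these are the only GET resources that exist.
EXPOSED_PATTERNS = [
    '/mblog[mblog]/id/{mblog.id}',          # one record by id
    '/mblog[mblog]/id/{mblog.id}/:field',   # one field of that record
]

def _segment_matches(pattern_seg, url_seg):
    """Match one pattern component against one URL path element."""
    if pattern_seg.startswith('{') and pattern_seg.endswith('}'):
        return True                      # {table.field}: binds any value
    if pattern_seg == ':field':
        return True                      # wildcard field name
    if '[' in pattern_seg and pattern_seg.endswith(']'):
        pattern_seg = pattern_seg[:pattern_seg.index('[')]  # name[table]
    return pattern_seg == url_seg

def match_pattern(args, patterns=EXPOSED_PATTERNS):
    """Return the first pattern whose components match args exactly, else None."""
    for p in patterns:
        segs = [s for s in p.split('/') if s]
        if len(segs) == len(args) and all(map(_segment_matches, segs, args)):
            return p
    return None

def check_get(args, is_logged_in, patterns=EXPOSED_PATTERNS):
    """Decide (status, message) before the request ever reaches the DAL.

    401: anonymous caller; 404: path outside the allowlist (the bare table
    root /mblog and any other table); 200: safe to hand args on to
    db.parse_as_rest(patterns, args, vars) in the real controller.
    """
    if not is_logged_in:
        return 401, 'login required'
    if match_pattern(args, patterns) is None:
        return 404, 'no such resource'
    return 200, 'ok'
```

In the real controller the same effect comes from decorating `api()` with `@auth.requires_login()` and passing `EXPOSED_PATTERNS` (not `'auto'`) to `db.parse_as_rest`, which then rejects unmatched paths itself.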