Make default PUT handling return 403 for unprivileged user
Default implementations for GET, POST, PATCH and DELETE return 403
if the user does not have the right to perform the action on a resource.
Access rights were verified even if the method was not implemented
(which is good).
PUT lacked this behavior and returned 405 (method not allowed)
for an unprivileged user if it was not supported by the resource.
This change makes the PUT method behave the same way as the others in this
scenario, making the behavior of all basic REST methods consistent.
Testing:
- verified that calling PUT for an unprivileged user on a resource that
doesn't implement it returns 403 instead of 405
Signed-off-by: Adrian Ambrożewicz <adrian.ambrozewicz@linux.intel.com>
Change-Id: I91ffb88755093b2d5d19f073407df6ede026d720
diff --git a/redfish-core/include/node.hpp b/redfish-core/include/node.hpp
index 74d511f..d13f097 100644
--- a/redfish-core/include/node.hpp
+++ b/redfish-core/include/node.hpp
@@ -83,6 +83,15 @@
doPost(res, req, paramVec);
});
+ crow::DynamicRule& put = app.routeDynamic(entityUrl.c_str());
+ putRule = &put;
+ put.methods(boost::beast::http::verb::put)(
+ [this](const crow::Request& req, crow::Response& res,
+ Params... params) {
+ std::vector<std::string> paramVec = {params...};
+ doPut(res, req, paramVec);
+ });
+
crow::DynamicRule& delete_ = app.routeDynamic(entityUrl.c_str());
deleteRule = &delete_;
delete_.methods(boost::beast::http::verb::delete_)(
@@ -119,6 +128,14 @@
patchRule->requires(it->second);
}
}
+ it = entityPrivileges.find(boost::beast::http::verb::put);
+ if (it != entityPrivileges.end())
+ {
+ if (putRule != nullptr)
+ {
+ putRule->requires(it->second);
+ }
+ }
it = entityPrivileges.find(boost::beast::http::verb::delete_);
if (it != entityPrivileges.end())
{
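Review bot: The `requires()` call for PUT is attached only when `entityPrivileges` holds an entry for `verb::put`; when the lookup misses there is no else branch, so the route registered unconditionally in the first hunk stays reachable under whatever default policy the router applies, which for a subclass that overrides `doPut` but omits the privilege entry is a fail-open path rather than the 403 the commit message promises. The sibling verbs above follow the same pattern, so this is consistent rather than new, but PUT is a state-changing verb and the gap deserves to be visible at the lookup. Consider a comment above it, `// No PUT entry => requires() is never attached; the route then relies on the router's default policy (fail-open for this verb)`, or attaching a deny-all privilege set on a missed lookup if the framework offers one. The enclosing function starts and ends outside the hunk.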
@@ -136,6 +153,7 @@
crow::DynamicRule* getRule = nullptr;
crow::DynamicRule* postRule = nullptr;
crow::DynamicRule* patchRule = nullptr;
+ crow::DynamicRule* putRule = nullptr;
crow::DynamicRule* deleteRule = nullptr;
protected:
@@ -161,6 +179,13 @@
res.end();
}
+ virtual void doPut(crow::Response& res, const crow::Request& req,
+ const std::vector<std::string>& params)
+ {
+ res.result(boost::beast::http::status::method_not_allowed);
+ res.end();
+ }
+
virtual void doDelete(crow::Response& res, const crow::Request& req,
const std::vector<std::string>& params)
{
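Review bot: The default `doPut` has no documentation saying that its 405 is only reached by callers that already passed the route-level `requires()` attached earlier in the file, so a reader seeing `method_not_allowed` here would assume the privilege check the commit message describes is missing; suggest a comment above the method such as `// Default PUT handler: 405 for callers that passed the route's privilege check; override in resources that support PUT.` Separately, RFC 7231 requires a 405 response to carry an `Allow` header listing the supported methods, which this default (like the sibling `doDelete` below) does not emit; a follow-up could populate it from the verbs the node actually implements. `req` and `params` are unused in the default body, matching the siblings, so `[[maybe_unused]]` on them would silence warnings without changing the interface. `doDelete` continues outside the hunk.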