update TODO

2026-01-09 23:12:08 -03:30 · 2013-04-19 11:15:02 -04:00 · 2013-04-19 11:15:02 -04:00 · 4cd7405a37
commit 4cd7405a37
parent 761354067f
3 changed files with 7 additions and 0 deletions
--- a/TODO.md
+++ b/TODO.md
@ -46,6 +46,9 @@ directory.  Project directories must be unique and be (also no ../, etc).  defau
 * permissions on launching a job should be same as creating a job template
 * should be able to access permissions as subcollection off of users or teams (no need for permissions tab)
 * make sure all can_user_add/edit methods ensure ownership/access on subobjects
+* project should have a method to list valid YAML files and not require default playbook
+* do not allow ../ in paths (etc)
+* should be able to specify in a launch job a limit string, combine with shell=False when using subprocess

 QUESTIONS
 ---------
--- a/lib/main/base_views.py
+++ b/lib/main/base_views.py
@ -45,6 +45,7 @@ class BaseList(generics.ListCreateAPIView):
                      raise PermissionDenied()
                  return True
             else:
+                  # audit all of these to check ownership/readability of subobjects
                  if not self.__class__.model.can_user_add(request.user, self.request.DATA):
                      raise PermissionDenied()
                  return True
@ -236,8 +237,10 @@ class BaseDetail(generics.RetrieveUpdateDestroyAPIView):
                return self.__class__.model.can_user_read(request.user, obj)
        elif request.method in [ 'PUT' ]:
            if type(obj) == User:
+                # FIXME: pass request.DATA to all of these and verify permissions on subobjects
                return UserHelper.can_user_administrate(request.user, obj)
            else:
+                # FIXME: pass request.DATA to all of these and verify permission on subobjects
                return self.__class__.model.can_user_administrate(request.user, obj)
        return False

--- a/lib/main/serializers.py
+++ b/lib/main/serializers.py
@ -154,6 +154,7 @@ class CredentialSerializer(BaseSerializer):

    def validate(self, attrs):
        ''' some fields cannot be changed once written '''
+        import epdb; epdb.st()
        if self.object is not None:
            # this is an update
            if self.object.user != attrs['user']: