REST API: 403 on non-searchable properties

schlatterbeck · schlatterbeck · commit 0ee03e9ba138 · 2020-02-12T12:35:33.000+01:00
issue2551051: Return a 403 on non-existing or non-searchable transitive
properties when queried via REST-API (same behavior for sorting and
searching).
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -95,6 +95,9 @@ Fixed:
   template. (Christof Meerwald)
 - issue2551019 - handle character set conversions for CSV export
   action in Python 3. (Christof Meerwald)
+- issue2551051: Return a 403 on non-existing or non-searchable
+  transitive properties when queried via REST-API (same behavior for
+  sorting and searching).
 
 2019-10-23 2.0.0 alpha 0
 
diff --git a/roundup/rest.py b/roundup/rest.py
@@ -696,6 +696,10 @@ def get_collection(self, class_name, input):
                         uid, class_name, pn
                     ):
                         sort.append((ss, pn))
+                    else :
+                        raise (Unauthorised (
+                            'User does not have search permission on "%s.%s"'
+                            % (class_name, pn)))
             elif key.startswith("@"):
                 # ignore any unsupported/previously handled control key
                 # like @apiver
@@ -721,7 +725,9 @@ def get_collection(self, class_name, input):
                 if not self.db.security.hasSearchPermission(
                     uid, class_name, key
                 ):
-                    continue
+                    raise (Unauthorised (
+                        'User does not have search permission on "%s.%s"'
+                        % (class_name, key)))
 
                 linkcls = class_obj
                 for p in key.split('.'):
