Merge REST API changes

Author: schlatterbeck

CHANGES.txt

@@ -31,6 +31,13 @@ Features:
 - Support for Python 3 (3.4 and later).  See doc/upgrading.txt for
   details of what is required to move an existing tracker from Python
   2 to Python 3 (Joseph Myers, Christof Meerwald)
+- Merge the Google Summer of Code Project of 2015, the implementation of
+  a REST-API for Roundup. This was implemented by Chau Nguyen under the
+  supervision of Ezio Melotti. Some additions were made, most notably we
+  never destroy an object in the database but retire them with the
+  DELETE method. We also don't allow to DELETE a whole class. Python3
+  support was also fixed and we have cherry-picked two patches from the
+  bugs.python.org branch in the files affected by the REST-API changes.
 
 Fixed:
 

doc/acknowledgements.txt

@@ -204,6 +204,7 @@ John Mitchell,
 Ramiro Morales,
 Toni Mueller,
 Joseph Myers,
+Chau Nguyen,
 Stefan Niederhauser,
 Truls E. Næss,
 Bryce L Nordgren,

roundup/actions.py

@@ -2,6 +2,7 @@
 # Copyright (C) 2009 Stefan Seefeld
 # All rights reserved.
 # For license terms see the file COPYING.txt.
+# Actions used in REST and XMLRPC APIs
 #
 
 from roundup.exceptions import Unauthorised
@@ -40,7 +41,19 @@ def gettext(self, msgid):
     _ = gettext
 
 
-class Retire(Action):
+class PermCheck(Action):
+    def permission(self, designator):
+
+        classname, itemid = hyperdb.splitDesignator(designator)
+        perm = self.db.security.hasPermission
+
+        if not perm('Retire', self.db.getuid(), classname=classname
+                   , itemid=itemid):
+            raise Unauthorised(self._('You do not have permission to retire '
+                                      'or restore the %(classname)s class.')
+                                      %locals())
+
+class Retire(PermCheck):
 
     def handle(self, designator):
 
@@ -57,12 +70,13 @@ def handle(self, designator):
         self.db.commit()
 
 
-    def permission(self, designator):
+class Restore(PermCheck):
+
+    def handle(self, designator):
 
         classname, itemid = hyperdb.splitDesignator(designator)
 
-        if not self.db.security.hasPermission('Edit', self.db.getuid(),
-                                              classname=classname, itemid=itemid):
-            raise Unauthorised(self._('You do not have permission to '
-                                      'retire the %(classname)s class.')%classname)
-            
+        # do the restore
+        self.db.getclass(classname).restore(itemid)
+        self.db.commit()
+

roundup/cgi/client.py

@@ -35,6 +35,7 @@ class SysCallError(Exception):
 from roundup.mailer import Mailer, MessageSendError
 from roundup.cgi import accept_language
 from roundup import xmlrpc
+from roundup import rest
 
 from roundup.anypy.cookie_ import CookieError, BaseCookie, SimpleCookie, \
     get_cookie_date
@@ -363,6 +364,10 @@ def __init__(self, instance, request, env, form=None, translator=None):
         # see if we need to re-parse the environment for the form (eg Zope)
         if form is None:
             self.form = cgi.FieldStorage(fp=request.rfile, environ=env)
+            # In some case (e.g. content-type application/xml), cgi
+            # will not parse anything. Fake a list property in this case
+            if self.form.list is None:
+                self.form.list = []
         else:
             self.form = form
 
@@ -421,9 +426,14 @@ def setTranslator(self, translator=None):
     def main(self):
         """ Wrap the real main in a try/finally so we always close off the db.
         """
+        xmlrpc_enabled = self.instance.config.WEB_ENABLE_XMLRPC
+        rest_enabled   = self.instance.config.WEB_ENABLE_REST
         try:
-            if self.path == 'xmlrpc':
+            if xmlrpc_enabled and self.path == 'xmlrpc':
                 self.handle_xmlrpc()
+            elif rest_enabled and (self.path == 'rest' or
+                                   self.path[:5] == 'rest/'):
+                self.handle_rest()
             else:
                 self.inner_main()
         finally:
@@ -480,6 +490,24 @@ def handle_xmlrpc(self):
         self.setHeader("Content-Length", str(len(output)))
         self.write(output)
 
+    def handle_rest(self):
+        # Set the charset and language
+        self.determine_charset()
+        self.determine_language()
+        # Open the database as the correct user.
+        # TODO: add everything to RestfulDispatcher
+        self.determine_user()
+        self.check_anonymous_access()
+
+        # Call rest library to handle the request
+        handler = rest.RestfulInstance(self, self.db)
+        output = handler.dispatch(self.env['REQUEST_METHOD'], self.path,
+                                  self.form)
+
+        # self.setHeader("Content-Type", "text/xml")
+        self.setHeader("Content-Length", str(len(output)))
+        self.write(output)
+
     def add_ok_message(self, msg, escape=True):
         add_message(self._ok_message, msg, escape)
 
@@ -1347,6 +1375,10 @@ def determine_context(self, dre=re.compile(r'([^\d]+)0*(\d+)')):
                 klass = self.db.getclass(self.classname)
             except KeyError:
                 raise NotFound('%s/%s'%(self.classname, self.nodeid))
+            if int(self.nodeid) > 2**31:
+                # Postgres will complain with a ProgrammingError
+                # if we try to pass in numbers that are too large
+                raise NotFound('%s/%s'%(self.classname, self.nodeid))
             if not klass.hasnode(self.nodeid):
                 raise NotFound('%s/%s'%(self.classname, self.nodeid))
             # with a designator, we default to item view

roundup/configuration.py

@@ -727,6 +727,18 @@ def str2value(self, value):
 are logged into roundup and open a roundup link
 from a source other than roundup (e.g. link in
 email)."""),
+        (BooleanOption, 'enable_xmlrpc', "yes",
+            """Whether to enable the XMLRPC API in the roundup web
+interface. By default the XMLRPC endpoint is the string 'xmlrpc'
+after the roundup web url configured in the 'tracker' section.
+If this variable is set to 'no', the xmlrpc path has no special meaning
+and will yield an error message."""),
+        (BooleanOption, 'enable_rest', "yes",
+            """Whether to enable the REST API in the roundup web
+interface. By default the REST endpoint is the string 'rest' plus any
+additional REST-API parameters after the roundup web url configured in
+the tracker section. If this variable is set to 'no', the rest path has
+no special meaning and will yield an error message."""),
         (CsrfSettingOption, 'csrf_enforce_token', "yes",
             """How do we deal with @csrf fields in posted forms.
 Set this to 'required' to block the post and notify