# Methods that can modify data MUST not be listed here.
use constant READ_ONLY => ();
+# Whitelist of methods that a client is allowed to access when making
+# an API call.
+use constant PUBLIC_METHODS => ();
+
sub login_exempt {
my ($class, $method) = @_;
return $class->LOGIN_EXEMPT->{$method};
search
);
+use constant PUBLIC_METHODS => qw(
+ add_attachment
+ add_comment
+ attachments
+ comments
+ create
+ fields
+ get
+ history
+ legal_values
+ possible_duplicates
+ render_comment
+ search
+ update
+ update_see_also
+ update_tags
+);
+
######################################################
# Add aliases here for old method name compatibility #
######################################################
version
);
+use constant PUBLIC_METHODS => qw(
+ extensions
+ last_audit_time
+ parameters
+ time
+ timezone
+ version
+);
+
# Logged-out users do not need to know more than that.
use constant PARAMETERS_LOGGED_OUT => qw(
maintainer
get
);
+use constant PUBLIC_METHODS => qw(
+ get
+);
+
sub get {
my ($self, $params) = validate(@_, 'names', 'ids');
use Bugzilla::Error;
use Bugzilla::WebService::Util qw(validate translate params_to_objects);
+use constant PUBLIC_METHODS => qw(
+ create
+ update
+);
+
use constant MAPPED_RETURNS => {
userregexp => 'user_regexp',
isactive => 'is_active'
get_selectable_products
);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ get_accessible_products
+ get_enterable_products
+ get_selectable_products
+ update
+);
+
use constant MAPPED_FIELDS => {
has_unconfirmed => 'allows_unconfirmed',
is_open => 'is_active',
use HTTP::Message;
use MIME::Base64 qw(decode_base64 encode_base64);
+use List::MoreUtils qw(none);
#####################################
# Public JSON::RPC Method Overrides #
}
}
+ # Only allowed methods to be used from our whitelist
+ if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
+ ThrowUserError('unknown_method', { method => $self->bz_method_name });
+ }
+
# This is the best time to do login checks.
$self->handle_login();
}
use Bugzilla::WebService::Constants;
+use Bugzilla::Error;
+
+use List::MoreUtils qw(none);
# Allow WebService methods to call XMLRPC::Lite's type method directly
BEGIN {
my ($self, $classes, $action, $uri, $method) = @_;
my $class = $classes->{$uri};
my $full_method = $uri . "." . $method;
+ # Only allowed methods to be used from the module's whitelist
+ my $file = $class;
+ $file =~ s{::}{/}g;
+ $file .= ".pm";
+ require $file;
+ if (none { $_ eq $method } $class->PUBLIC_METHODS) {
+ ThrowCodeError('unknown_method', { method => $full_method });
+ }
$self->SUPER::handle_login($class, $method, $full_method);
return;
}
get
);
+use constant PUBLIC_METHODS => qw(
+ create
+ get
+ login
+ logout
+ offer_account_by_email
+ update
+);
+
use constant MAPPED_FIELDS => {
email => 'login',
full_name => 'name',
use base qw(Bugzilla::WebService);
use Bugzilla::Error;
+use constant PUBLIC_METHODS => qw(
+ hello
+ throw_an_error
+);
+
# This can be called as Example.hello() from the WebService.
sub hello { return 'Hello!'; }
projects / thirdparty / bugzilla.git / commitdiff
