Simplified Security about appengine-rest-server HOT 8 CLOSED

are thinking of just a "read-only" flag per model, or something more 
fine-grained?

good question, personally I only have value in read only.  I don't know if 
denying
updates or deletes is valuable too.  It probably would run the same codepath 
though,
so maybe it'd be worthwhile just to add in the generic support

rest.Dispatcher.add_models({"things": (models.Thing,["GET","DELETE])})

I'd love to have something like that: a list of supported operations.

Along the lines of Richard's suggestion:

* defining method types (rest.GET, rest.DELETE, rest.POST, rest.PUT)
* support for an optional 'supported methods' list, eg:
  * rest.Dispatcher.add_models({"things": (models.Thing,[rest.GET, rest.DELETE])})
  * rest.Dispatcher.add_models({"widgets": (models.Widget,[rest.GET])})
  * rest.Dispatcher.add_models({"thingamies": models.Thingamie})

I'm happy to give it a shot myself and submit it as a patch.

Just let me know where to start (I already have a copy of the latest 1.0.2 zip 
file).

This should be pretty straightforward.  every type gets associated with a 
ModelHandler.  you basically just need to store the "allowed" operations in the 
ModelHandler and check that collection in the Dispatcher.get_model_handler 
method (where that method would have an extra param indicating the intended 
operation).

Done.  I made the changes so that they were optional and will have no impact on 
existing users.

The following is now possible:

    # add specific models (with given names) and restrict the supported methods
    rest.Dispatcher.add_models({
      'foo' : (FooModel, ["GET"]),
      'bar' : (BarModel, ["GET", "POST", "PUT"],
      'cache' : (CacheModel, ["GET", "DELETE"] })

(that's from the example I added to the doc string of __init__.py)

I didn't do the check in Dispatch.get_model_handler as that would have meant 
adding special-case code for the metadata stuff.  Instead, I simply check the 
desired method is in the list of supported methods after calling 
get_model_handler.  If the method is not supported, I return error 405 Method 
Not Allowed.

I've attached the updated __init__.py.

Before I forget, I also changed some of the logging.info calls.  They weren't 
using % to construct the format strings.

so, i incorporated these changes with some slight mods.  i did put the check in 
the get_model_handler method, and i added support for a synthetic 
"GET_METADATA" method which allows controlling of retrieval of the object 
metadata.  there are also 2 list constants in the package which incorporate 
some common scenarios:

ALL_MODEL_METHODS = ["GET", "POST", "PUT", "DELETE", "GET_METADATA"]
READ_ONLY_MODEL_METHODS = ["GET", "GET_METADATA"]

That's great!  Thanks!