@@ -373,6 +373,8 @@ def _post_one(self,key,tag):
373373 if not request_tag_config :
374374 return json ({"code" :400 ,"msg" :"tag '%s' not found" % (tag )})
375375 tag_POST = request_tag_config .get ("POST" ,{})
376+ if not tag_POST :
377+ return json ({"code" :400 ,"msg" :"tag '%s' not support apijson_post" % (tag )})
376378 ADD = tag_POST .get ("ADD" )
377379 if ADD :
378380 ADD_role = ADD .get ("@role" )
@@ -501,9 +503,9 @@ def _put_one(self,key,tag):
501503 return json ({"code" :400 ,"msg" :"cannot find record id '%s'" % (id_ )})
502504
503505 permission_check_ok = False
504- PUT = model_setting .get ("PUT" )
505- if PUT :
506- roles = PUT .get ("roles" )
506+ model_PUT = model_setting .get ("PUT" )
507+ if model_PUT :
508+ roles = model_PUT .get ("roles" )
507509 if params_role :
508510 if not params_role in roles :
509511 return json ({"code" :400 ,"msg" :"'%s' not accessible by role '%s'" % (modelname ,params_role )})
@@ -529,6 +531,13 @@ def _put_one(self,key,tag):
529531 if not permission_check_ok :
530532 return json ({"code" :400 ,"msg" :"no permission" })
531533
534+ DISALLOW = tag_PUT .get ("DISALLOW" )
535+ if DISALLOW :
536+ for field in DISALLOW :
537+ if field in params :
538+ log .error ("request '%s' disallow '%s'" % (tag ,field ))
539+ return json ({"code" :400 ,"msg" :"request '%s' disallow '%s'" % (tag ,field )})
540+ 532541 kwargs = {}
533542 for k in params :
534543 if k == "id" :
0 commit comments