def PUT(self): if not self.hasperm("tbt"): self.status_code = 403 return {"e":1, "msg": "Permission denied."} if not "authorizer" in self.req.json: self.status_code = 400 return {"e":1, "msg": "The authorizer is required."} if not "title" in self.req.json: self.status_code = 400 return {"e":1, "msg": "Missing Title."} if not "author" in self.req.json: self.status_code = 400 return {"e":1, "msg": "Missing Author."} if not "price" in self.req.json: self.status_code = 400 return {"e":1, "msg": "Missing Price."} if not "courses" in self.req.json: self.status_code = 400 return {"e":1, "msg": "Missing Courses."} if not "seller" in self.req.json: self.status_code = 400 return {"e":1, "msg": "Missing Seller."} authorizer = self.dbs.query(Person).get(self.req.json["authorizer"]) if not authorizer: self.status_code = 400 return {"e":1, "msg": "Authorizer is not a person."} if not "tbt" in authorizer.perms: self.status_code = 403 return { "e": 1, "msg": "Authorizer is not allowed to make changes. " + "(They don't have the 'tbt' permission.)", } seller = self.dbs.query(Person).get(self.req.json["seller"]) if not seller: self.status_code = 400 return {"e":1, "msg": "Seller does not exist."} courses = [] for c in self.req.json["courses"]: if not CourseCode.valid(c): self.status_code = 400 return {"e":1, "msg":"Invalid course code '"+c+"'."} courses.append(Course(c)) b = TBTBook(seller=seller, title=self.req.json["title"], author=self.req.json["author"], price=int(float(self.req.json["price"])*100), courses=courses) if "edition" in self.req.json: b.edition = str(self.req.json["edition"]) c = TBTBookChange(book=b, desc="created\n"+repr(b), user=authorizer) self.dbs.add(b, c) self.dbs.commit() return {"e":0, "id": b.id, }
def GET(self): uq = parse_qs(self.req.query_string.decode(), keep_blank_values=True) q = self.dbs.query(TBTBook.id) if "sold" in uq: if uq["sold"][0] == "0": q = q.filter(TBTBook.buyer == None) else: q = q.filter(TBTBook.buyer != None) if "course" in uq: c = CourseCode.clean(uq["course"][0]) if len(c) == 8: p = Course.code == c else: p = db.prefixof(Course.code, c) q = q.join(Course).filter(p) if "title" in uq: words = uq["title"][0].split(" ") if len(words) > 10: # You are asking for a lot. words = words[:5] q = q.filter(*(TBTBook.title.ilike("%"+t+"%") for t in words)) if "involves" in uq: if not self.req.auth: self.status_code = 401 return {"e":1, "msg":"You must authenticate to filter by involvement."} inv = int(uq["involves"][0]) if inv != self.req.auth.user.id: self.status_code = 403 return {"e":1, "msg":"You can only search for your own involvement."} q = q.filter( (TBTBook.seller == Person(id=inv)) | (TBTBook.buyer == Person(id=inv)) ) if "paid" in uq: if not self.req.auth: self.status_code = 401 return {"e":1,"msg":"You must authenticate to filter by paid."} if not "tbt" in self.req.auth.perms: self.status_code = 403 return {"e":1, "msg":"You may not filter by paid."} paid = uq["paid"][-1] q = q.filter(TBTBook.paid == (paid != "0")) q = q.group_by(TBTBook.id) return {"e":0, "books": [r[0] for r in q], }