version 20200709.2, restapi masks passwords

KellerKev · Jul 10, 2020 · 168c172 · 168c172
1 parent 61c14cb
commit 168c172
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/pydal/__init__.py b/pydal/__init__.py
@@ -1,4 +1,4 @@
-__version__ = "20200709.1"
+__version__ = "20200709.2"
 
 from .base import DAL
 from .objects import Field

diff --git a/pydal/restapi.py b/pydal/restapi.py
@@ -433,10 +433,17 @@ def filter_fieldnames(table, fieldnames):
             queries.append(table)
 
         query = functools.reduce(lambda a, b: a & b, queries)
-        tfields = [table[tfieldname] for tfieldname in tfieldnames]
+        tfields = [table[tfieldname] for tfieldname in tfieldnames if
+                   table[tfieldname].type != 'password']
+        passwords = [tfieldname for tfieldname in tfieldnames if
+                     table[tfieldname].type == 'password']
         rows = db(query).select(
             *tfields, limitby=(offset, limit + offset), orderby=orderby
         )
+        if passwords:
+            dpass = {password: '******' for password in passwords}
+            for row in rows:
+                row.update(dpass)
 
         lookup_map = {}
         for key in list(lookup.keys()):
@@ -455,7 +462,8 @@ def filter_fieldnames(table, fieldnames):
                 tfieldnames = filter_fieldnames(ref_table, tfieldnames)
                 check_table_lookup_permission(ref_tablename)
                 ids = [row[key] for row in rows]
-                tfields = [ref_table[tfieldname] for tfieldname in tfieldnames]
+                tfields = [ref_table[tfieldname] for tfieldname in tfieldnames if
+                           ref_table[tfieldname].type == 'password']
                 if not "id" in tfieldnames:
                     tfields.append(ref_table["id"])
                 drows = db(ref_table._id.belongs(ids)).select(*tfields).as_dict()