Files
@ abc1ada59076
Branch filter:
Location: kallithea/docs/api/models.rst - annotation
abc1ada59076
632 B
text/prs.fallenstein.rst
notifications: untangle notification access check
This removes a broken permission check when viewing notifications (the
HasRepoPermissionAny object was created, but never actually called with
a repo_name argument as required). It would be non-trivial to actually
implement the check, as notifications don't track their repository
relationship explicitly, and even then, it's unclear why it would
make sense to allow a repository admin to see notifications to
other users.
It was never a vulnerability, due to a subsequent (and much stricter)
ownership check, which remains but has been untangled for readability.
In short, this changeset is a pure refactoring, except that specifying
a non-existent notification ID will now produce error 404, not 403.
This removes a broken permission check when viewing notifications (the
HasRepoPermissionAny object was created, but never actually called with
a repo_name argument as required). It would be non-trivial to actually
implement the check, as notifications don't track their repository
relationship explicitly, and even then, it's unclear why it would
make sense to allow a repository admin to see notifications to
other users.
It was never a vulnerability, due to a subsequent (and much stricter)
ownership check, which remains but has been untangled for readability.
In short, this changeset is a pure refactoring, except that specifying
a non-existent notification ID will now produce error 404, not 403.
64a5386216c5 bb35ad076e2f 17c9393e9645 22a3fa3c4254 bb35ad076e2f bb35ad076e2f 7e5f8c12a3fc bb35ad076e2f 8b8edfc25856 7e5f8c12a3fc 9da24750f563 8b8edfc25856 7e5f8c12a3fc 8b8edfc25856 9da24750f563 7e5f8c12a3fc bb35ad076e2f 9da24750f563 7e5f8c12a3fc 8b8edfc25856 9da24750f563 7e5f8c12a3fc 8b8edfc25856 bb35ad076e2f 499c513967a1 9da24750f563 8b8edfc25856 7e5f8c12a3fc bb35ad076e2f 8b8edfc25856 7e5f8c12a3fc 8b8edfc25856 8b8edfc25856 499c513967a1 8b8edfc25856 | .. _models:
========================
The :mod:`models` module
========================
.. automodule:: kallithea.model
:members:
.. automodule:: kallithea.model.comment
:members:
.. automodule:: kallithea.model.notification
:members:
.. automodule:: kallithea.model.permission
:members:
.. automodule:: kallithea.model.repo_permission
:members:
.. automodule:: kallithea.model.repo
:members:
.. automodule:: kallithea.model.repo_group
:members:
.. automodule:: kallithea.model.scm
:members:
.. automodule:: kallithea.model.user
:members:
.. automodule:: kallithea.model.user_group
:members:
|