# HG changeset patch
# User Thomas De Schampheleire
# Date 2018-05-20 22:29:40
# Node ID 40fea9b37a3254da7ec32ae04044a70cacbf775b
# Parent d612fd65356256a6319cf2fc7d04db3d02da4ab3
admin: hooks: prevent editing of builtin hooks (issue #226)

Builtin hooks are supposed to be read-only, but it was still possible to 'add' a new hook with the same name as an existing built-in one, changing its value.

diff --git a/kallithea/controllers/admin/settings.py b/kallithea/controllers/admin/settings.py
--- a/kallithea/controllers/admin/settings.py
+++ b/kallithea/controllers/admin/settings.py
@@ -353,6 +353,8 @@ class SettingsController(BaseController)
 ui_key = ui_key and ui_key.strip()
 if ui_key in (x.ui_key for x in Ui.get_custom_hooks()):
 h.flash(_('Hook already exists'), category='error')
+ elif ui_key in (x.ui_key for x in Ui.get_builtin_hooks()):
+ h.flash(_('Builtin hooks are read-only. Please use another hook name.'), category='error')
 elif ui_value and ui_key:
 Ui.create_or_update_hook(ui_key, ui_value)
 h.flash(_('Added new hook'), category='success')
diff --git a/kallithea/tests/functional/test_admin_settings.py b/kallithea/tests/functional/test_admin_settings.py
--- a/kallithea/tests/functional/test_admin_settings.py
+++ b/kallithea/tests/functional/test_admin_settings.py
@@ -88,6 +88,18 @@ class TestAdminSettingsController(TestCo
 response.mustcontain(no=['test_hooks_2'])
 response.mustcontain(no=['cd %s2' % TESTS_TMP_PATH])
 
+ def test_add_existing_builtin_hook(self):
+ self.log_user()
+ response = self.app.post(url('admin_settings_hooks'),
+ params=dict(new_hook_ui_key='changegroup.update',
+ new_hook_ui_value='attempted_new_value',
+ _authentication_token=self.authentication_token()))
+
+ self.checkSessionFlash(response, 'Builtin hooks are read-only')
+ response = response.follow()
+ response.mustcontain('changegroup.update')
+ response.mustcontain('hg update >&2')
+
 def test_index_search(self):
 self.log_user()
 response = self.app.get(url('admin_settings_search'))
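Review bot: The builtin-hook guard exists only in the new `elif` of the add-hook branch, so `Ui.create_or_update_hook(ui_key, ui_value)` itself still accepts a builtin key from any other caller. Hook values are commands the server runs on repository events, so the read-only rule is an integrity control and is safer enforced inside the model method, with the controller check kept for the flash message. If the edit branch of this action (outside the hunk) also passes a posted key to `create_or_update_hook`, it needs the same check. A comment above the new branch, `# Builtin hooks are read-only: refuse a custom entry that would shadow one.`, would record the intent. The enclosing method starts and ends outside the hunk.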
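Review bot: test_add_existing_builtin_hook never asserts that the rejected value is absent from the page; it relies on the fixture value `hg update >&2` still being displayed. Adding `response.mustcontain(no=['attempted_new_value'])` after `response = response.follow()` pins the property directly and matches the `mustcontain(no=[...])` style of the test above it. The test exercises only the add form, so whether the edit path also refuses a builtin key is not covered here.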