kallithea Changeset - 40fea9b37a32

Changeset - 40fea9b37a32

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Thomas De Schampheleire - 7 years ago 2018-05-20 22:29:40
thomas.de_schampheleire@nokia.com

admin: hooks: prevent editing of builtin hooks (issue #226)

Builtin hooks are supposed to be read-only, but it was still possible to
'add' a new hook with the same name as an existing built-in one, changing
its value.

2 files changed with 14 insertions and 0 deletions:

kallithea/controllers/admin/settings.py

kallithea/tests/functional/test_admin_settings.py

0 comments (0 inline, 0 general)

kallithea/controllers/admin/settings.py

➞

Show inline comments

@@ @@ -344,24 +344,26 @@ class SettingsController(BaseController) @@
         c.active = 'hooks'
         if request.POST:
             if c.visual.allow_custom_hooks_settings:
                 ui_key = request.POST.get('new_hook_ui_key')
                 ui_value = request.POST.get('new_hook_ui_value')
                 hook_id = request.POST.get('hook_id')
                 try:
                     ui_key = ui_key and ui_key.strip()
                     if ui_key in (x.ui_key for x in Ui.get_custom_hooks()):
                         h.flash(_('Hook already exists'), category='error')
                     elif ui_key in (x.ui_key for x in Ui.get_builtin_hooks()):
                         h.flash(_('Builtin hooks are read-only. Please use another hook name.'), category='error')
                     elif ui_value and ui_key:
                         Ui.create_or_update_hook(ui_key, ui_value)
                         h.flash(_('Added new hook'), category='success')
                     elif hook_id:
                         Ui.delete(hook_id)
                         Session().commit()
                     # check for edits
                     update = False
                     _d = request.POST.dict_of_lists()
                     for k, v in zip(_d.get('hook_ui_key', []),
                                     _d.get('hook_ui_value_new', [])):

kallithea/tests/functional/test_admin_settings.py

➞

Show inline comments

@@ @@ -79,24 +79,36 @@ class TestAdminSettingsController(TestCo @@
         response = response.follow()
         response.mustcontain('test_hooks_2')
         response.mustcontain('cd %s2' % TESTS_TMP_PATH)
         hook_id = Ui.get_by_key('hooks', 'test_hooks_2').ui_id
         ## delete
         self.app.post(url('admin_settings_hooks'),
                         params=dict(hook_id=hook_id, _authentication_token=self.authentication_token()))
         response = self.app.get(url('admin_settings_hooks'))
         response.mustcontain(no=['test_hooks_2'])
         response.mustcontain(no=['cd %s2' % TESTS_TMP_PATH])
     def test_add_existing_builtin_hook(self):
         self.log_user()
         response = self.app.post(url('admin_settings_hooks'),
                                 params=dict(new_hook_ui_key='changegroup.update',
                                             new_hook_ui_value='attempted_new_value',
                                             _authentication_token=self.authentication_token()))
         self.checkSessionFlash(response, 'Builtin hooks are read-only')
         response = response.follow()
         response.mustcontain('changegroup.update')
         response.mustcontain('hg update &gt;&amp;2')
     def test_index_search(self):
         self.log_user()
         response = self.app.get(url('admin_settings_search'))
     def test_index_system(self):
         self.log_user()
         response = self.app.get(url('admin_settings_system'))
     def test_ga_code_active(self):
         self.log_user()
         old_title = 'Kallithea'
         old_realm = 'Kallithea authentication'

0 comments (0 inline, 0 general)