Changeset - 5c1ad3b410e5
beta
Marcin Kuzminski - 13 years ago 2012-09-23 13:04:53
marcin@python-works.com
fixed #570 explicit users group permissions can overwrite owner permissions
- added test for that case
3 files changed with 54 insertions and 2 deletions:
0 comments (0 inline, 0 general)
docs/changelog.rst
 
@@ -15,10 +15,13 @@ news
 
++++
 

	
 
- #558 Added config file to hooks extra data
 
- bumbped mercurial version to 2.3.1
 

	
 
fixes
 
+++++
 

	
 
- fixed #570 explicit users group permissions can overwrite owner permissions
 

	
 
1.4.2 (**2012-09-12**)
 
----------------------
 

	
rhodecode/model/user.py
 
@@ -524,8 +524,12 @@ class UserModel(BaseModel):
 
            p = perm.Permission.permission_name
 
            cur_perm = user.permissions[RK][r_k]
 
            # overwrite permission only if it's greater than permission
 
            # given from other sources
 
            # given from other sources - disabled with `or 1` now
 
            if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1:  # disable check
 
                if perm.Repository.user_id == uid:
 
                    # set admin if owner
 
                    p = 'repository.admin'
 

	
 
                user.permissions[RK][r_k] = p
 

	
 
        # user explicit permissions for repositories
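Review bot: The owner override is nested under `if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1:`, a guard that is always true, so the `cur_perm` lookup two lines above is computed only to be ignored and the "overwrite permission only if it's greater" comment no longer describes what the code does. Either drop the dead guard and the `cur_perm` lookup so the block reads `if perm.Repository.user_id == uid: p = 'repository.admin'` followed by `user.permissions[RK][r_k] = p`, or restore the weight comparison and say in the comment why it was disabled. Keep in mind that with the guard left in place `PERM_WEIGHTS[cur_perm]` is still evaluated and would raise `KeyError` on an unexpected permission name, so removing it is a small behaviour change worth stating in the commit. The enclosing loop starts before the hunk and the explicit-user-permission loop begins at its last line, outside the hunk; the second test added in this commit presumably exercises that loop, so confirm it applies the same `user_id == uid` owner check.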
rhodecode/tests/models/test_permissions.py
 
@@ -10,7 +10,7 @@ from rhodecode.model.user import UserMod
 
from rhodecode.model.meta import Session
 
from rhodecode.model.users_group import UsersGroupModel
 
from rhodecode.lib.auth import AuthUser
 

	
 
from rhodecode.tests.api.api_base import create_repo
 

	
 

	
 
class TestPermissions(unittest.TestCase):
 
@@ -40,6 +40,7 @@ class TestPermissions(unittest.TestCase)
 
    def tearDown(self):
 
        if hasattr(self, 'test_repo'):
 
            RepoModel().delete(repo=self.test_repo)
 

	
 
        UserModel().delete(self.u1)
 
        UserModel().delete(self.u2)
 
        UserModel().delete(self.u3)
 
@@ -425,3 +426,47 @@ class TestPermissions(unittest.TestCase)
 
                         set(['hg.create.repository', 'hg.fork.repository',
 
                              'hg.register.manual_activate',
 
                              'repository.read']))
 

	
 
    def test_owner_permissions_doesnot_get_overwritten_by_group(self):
 
        #create repo as USER,
 
        self.test_repo = repo = RepoModel().create_repo(repo_name='myownrepo',
 
                                repo_type='hg',
 
                                description='desc',
 
                                owner=self.u1)
 

	
 
        Session().commit()
 
        #he has permissions of admin as owner
 
        u1_auth = AuthUser(user_id=self.u1.user_id)
 
        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
 
                         'repository.admin')
 
        #set his permission as users group, he should still be admin
 
        self.ug1 = UsersGroupModel().create('G1')
 
        # add user to group
 
        UsersGroupModel().add_user_to_group(self.ug1, self.u1)
 
        RepoModel().grant_users_group_permission(repo, group_name=self.ug1,
 
                                                 perm='repository.none')
 

	
 
        Session().commit()
 
        u1_auth = AuthUser(user_id=self.u1.user_id)
 
        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
 
                         'repository.admin')
 

	
 
    def test_owner_permissions_doesnot_get_overwritten_by_others(self):
 
        #create repo as USER,
 
        self.test_repo = repo = RepoModel().create_repo(repo_name='myownrepo',
 
                                repo_type='hg',
 
                                description='desc',
 
                                owner=self.u1)
 

	
 
        Session().commit()
 
        #he has permissions of admin as owner
 
        u1_auth = AuthUser(user_id=self.u1.user_id)
 
        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
 
                         'repository.admin')
 
        #set his permission as user, he should still be admin
 
        RepoModel().grant_user_permission(repo, user=self.u1,
 
                                          perm='repository.none')
 
        Session().commit()
 
        u1_auth = AuthUser(user_id=self.u1.user_id)
 
        self.assertEqual(u1_auth.permissions['repositories']['myownrepo'],
 
                         'repository.admin')
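Review bot: `test_owner_permissions_doesnot_get_overwritten_by_group` creates a users group `G1` and keeps it on `self.ug1`, but the `tearDown` hunk earlier in this section only shows the repo and `u1`–`u3` being deleted; its body continues outside that hunk, so confirm `self.ug1` is removed there, guarded with `hasattr` the same way `test_repo` is, otherwise the next run fails on a duplicate group name. Both new tests repeat the same setup (create `myownrepo` owned by `self.u1`, commit, assert `repository.admin`); a small helper such as `def _create_owned_repo(self)` returning the repo would leave only the group-versus-user grant and the final assertion in each test. Consider also asserting the negative case — that a non-owner member of `G1` does receive `repository.none` — so the test distinguishes the owner override from the group permission simply not being applied at all.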
0 comments (0 inline, 0 general)