kallithea Changeset - a45191e7c7bb

Changeset - a45191e7c7bb

Parent rev.

Child rev.

[Not reviewed]

beta

0 4 0

Mads Kiilerich - 13 years ago 2013-01-02 13:56:44
madski@unity3d.com

access control: fix owner checks - they were always true

The lambda expressions seems to be left over from something else. They were no
longer executed and thus always evaluated to true.

Some of the functions also failed if they were executed.

4 files changed with 9 insertions and 8 deletions:

rhodecode/controllers/admin/notifications.py

rhodecode/controllers/changeset.py

rhodecode/controllers/pullrequests.py

rhodecode/tests/functional/test_admin_notifications.py

0 comments (0 inline, 0 general)

rhodecode/controllers/admin/notifications.py

➞

Show inline comments

@@ @@ -107,14 +107,14 @@ class NotificationsController(BaseContro @@
         # Or using helpers:
         #    h.form(url('notification', notification_id=ID),
         #           method='put')
         # url('notification', notification_id=ID)
         try:
             no = Notification.get(notification_id)
             owner = lambda: (no.notifications_to_users.user.user_id
                              == c.rhodecode_user.user_id)
             owner = all(un.user.user_id == c.rhodecode_user.user_id
                         for un in no.notifications_to_users)
             if h.HasPermissionAny('hg.admin')() or owner:
                     NotificationModel().mark_read(c.rhodecode_user.user_id, no)
                     Session().commit()
                     return 'ok'
         except Exception:
             Session.rollback()
@@ @@ -129,14 +129,14 @@ class NotificationsController(BaseContro @@
         #    h.form(url('notification', notification_id=ID),
         #           method='delete')
         # url('notification', notification_id=ID)
         try:
             no = Notification.get(notification_id)
             owner = lambda: (no.notifications_to_users.user.user_id
                              == c.rhodecode_user.user_id)
             owner = all(un.user.user_id == c.rhodecode_user.user_id
                         for un in no.notifications_to_users)
             if h.HasPermissionAny('hg.admin')() or owner:
                     NotificationModel().delete(c.rhodecode_user.user_id, no)
                     Session().commit()
                     return 'ok'
         except Exception:
             Session.rollback()
@@ @@ -146,14 +146,14 @@ class NotificationsController(BaseContro @@
     def show(self, notification_id, format='html'):
         """GET /_admin/notifications/id: Show a specific item"""
         # url('notification', notification_id=ID)
         c.user = self.rhodecode_user
         no = Notification.get(notification_id)
         owner = lambda: (no.notifications_to_users.user.user_id
                          == c.user.user_id)
         owner = all(un.user.user_id == c.rhodecode_user.user_id
                     for un in no.notifications_to_users)
         if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
             unotification = NotificationModel()\
                             .get_user_notification(c.user.user_id, no)
             # if this association to user is not valid, we don't want to show
             # this message

rhodecode/controllers/changeset.py

➞

Show inline comments

@@ @@ -368,13 +368,13 @@ class ChangesetController(BaseRepoContro @@
         return data
     @jsonify
     def delete_comment(self, repo_name, comment_id):
         co = ChangesetComment.get(comment_id)
-        owner = lambda: co.author.user_id == c.rhodecode_user.user_id
         owner = co.author.user_id == c.rhodecode_user.user_id
         if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
             return True
         else:
             raise HTTPForbidden()

rhodecode/controllers/pullrequests.py

➞

Show inline comments

@@ @@ -474,13 +474,13 @@ class PullrequestsController(BaseRepoCon @@
     def delete_comment(self, repo_name, comment_id):
         co = ChangesetComment.get(comment_id)
         if co.pull_request.is_closed():
             #don't allow deleting comments on closed pull request
             raise HTTPForbidden()
-        owner = lambda: co.author.user_id == c.rhodecode_user.user_id
         owner = co.author.user_id == c.rhodecode_user.user_id
         if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
             return True
         else:
             raise HTTPForbidden()

rhodecode/tests/functional/test_admin_notifications.py

➞

Show inline comments

@@ @@ -79,12 +79,13 @@ class TestNotificationsController(TestCo @@
         self.assertEqual(get_notif(u2.notifications), [notification])
         cur_usr_id = cur_user.user_id
         response = self.app.delete(url('notification',
                                        notification_id=
                                        notification.notification_id))
         self.assertEqual(response.body, 'ok')
         cur_user = User.get(cur_usr_id)
         self.assertEqual(cur_user.notifications, [])
     def test_show(self):
         self.log_user()

0 comments (0 inline, 0 general)