Changeset - a45191e7c7bb
beta
0 4 0
Mads Kiilerich - 13 years ago 2013-01-02 13:56:44
madski@unity3d.com
access control: fix owner checks - they were always true

The lambda expressions seem to be left over from something else. They were no
longer executed and thus always evaluated to true.

Some of the functions also failed if they were executed.
4 files changed with 9 insertions and 8 deletions:
rhodecode/controllers/admin/notifications.py
 
@@ -110,8 +110,8 @@ class NotificationsController(BaseContro
 
        # url('notification', notification_id=ID)
 
        try:
 
            no = Notification.get(notification_id)
 
            owner = lambda: (no.notifications_to_users.user.user_id
 
                             == c.rhodecode_user.user_id)
 
            owner = all(un.user.user_id == c.rhodecode_user.user_id
 
                        for un in no.notifications_to_users)
 
            if h.HasPermissionAny('hg.admin')() or owner:
 
                    NotificationModel().mark_read(c.rhodecode_user.user_id, no)
 
                    Session().commit()
 
@@ -132,8 +132,8 @@ class NotificationsController(BaseContro
 

	
 
        try:
 
            no = Notification.get(notification_id)
 
            owner = lambda: (no.notifications_to_users.user.user_id
 
                             == c.rhodecode_user.user_id)
 
            owner = all(un.user.user_id == c.rhodecode_user.user_id
 
                        for un in no.notifications_to_users)
 
            if h.HasPermissionAny('hg.admin')() or owner:
 
                    NotificationModel().delete(c.rhodecode_user.user_id, no)
 
                    Session().commit()
 
@@ -149,8 +149,8 @@ class NotificationsController(BaseContro
 
        c.user = self.rhodecode_user
 
        no = Notification.get(notification_id)
 

	
 
        owner = lambda: (no.notifications_to_users.user.user_id
 
                         == c.user.user_id)
 
        owner = all(un.user.user_id == c.rhodecode_user.user_id
 
                    for un in no.notifications_to_users)
 
        if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
 
            unotification = NotificationModel()\
 
                            .get_user_notification(c.user.user_id, no)
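Review bot: `all()` over an empty `no.notifications_to_users` is True, so in all three hunks a notification with no recipient rows makes every logged-in user an `owner`; the check also passes only when the current user is the sole recipient, which may not be what is intended for notifications sent to several users. In the third hunk the generator is evaluated before the `if no and ...` guard, so a `notification_id` for which `Notification.get` returns a falsy value raises AttributeError instead of reaching the guard (the first two hunks sit inside a `try` whose handler is outside the hunk). I would write `recipients = no.notifications_to_users if no else []` followed by `owner = any(un.user.user_id == c.rhodecode_user.user_id for un in recipients)`, or keep `all` and prefix it with `bool(recipients) and` if sole-recipient ownership is really meant. The third hunk also mixes `c.rhodecode_user` with the surrounding `c.user`; using one name keeps the comparison and the later lookup tied to the same user.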
rhodecode/controllers/changeset.py
 
@@ -371,7 +371,7 @@ class ChangesetController(BaseRepoContro
 
    @jsonify
 
    def delete_comment(self, repo_name, comment_id):
 
        co = ChangesetComment.get(comment_id)
 
        owner = lambda: co.author.user_id == c.rhodecode_user.user_id
 
        owner = co.author.user_id == c.rhodecode_user.user_id
 
        if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
 
            ChangesetCommentsModel().delete(comment=co)
 
            Session().commit()
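Review bot: `co.author.user_id` is now evaluated eagerly, so if `ChangesetComment.get(comment_id)` returns None for an unknown id this line raises AttributeError before any permission decision is made; a guard such as `if co is None: raise HTTPNotFound()` ahead of the owner line would turn that into a clean 404 (assuming HTTPNotFound is imported in this module, which is not visible here). The same applies to the owner line in rhodecode/controllers/pullrequests.py, where `co` is fetched outside the hunk. Nothing visible ties `co` to `repo_name` either, so it is worth confirming that the `repository.admin` branch cannot authorize deleting a comment that belongs to a different repository. `delete_comment` continues past the end of the hunk.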
rhodecode/controllers/pullrequests.py
 
@@ -477,7 +477,7 @@ class PullrequestsController(BaseRepoCon
 
            #don't allow deleting comments on closed pull request
 
            raise HTTPForbidden()
 

	
 
        owner = lambda: co.author.user_id == c.rhodecode_user.user_id
 
        owner = co.author.user_id == c.rhodecode_user.user_id
 
        if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
 
            ChangesetCommentsModel().delete(comment=co)
 
            Session().commit()
rhodecode/tests/functional/test_admin_notifications.py
 
@@ -82,6 +82,7 @@ class TestNotificationsController(TestCo
 
        response = self.app.delete(url('notification',
 
                                       notification_id=
 
                                       notification.notification_id))
 
        self.assertEqual(response.body, 'ok')
 

	
 
        cur_user = User.get(cur_usr_id)
 
        self.assertEqual(cur_user.notifications, [])
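Review bot: The visible test still exercises only the success path (`response.body == 'ok'`), so it would have passed with the always-true owner check as well; nothing in this hunk shows a case where the check denies access. A companion test that logs in as a second, non-admin user, issues the same `self.app.delete(url('notification', ...))` for a notification addressed to someone else, and asserts that the notification is still present would pin the fix. The test method starts outside the hunk, so such a case may already exist elsewhere in the file.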