Changeset - edb9a42def31
beta
Marcin Kuzminski - 13 years ago 2013-03-02 20:35:49
marcin@python-works.com
fix to strict permission check on notification messages
1 file changed with 6 insertions and 5 deletions:
rhodecode/controllers/admin/notifications.py
 
@@ -28,7 +28,7 @@ import traceback
 

	
 
from pylons import request
 
from pylons import tmpl_context as c, url
 
from pylons.controllers.util import redirect
 
from pylons.controllers.util import redirect, abort
 

	
 
from webhelpers.paginate import Page
 

	
 
@@ -117,7 +117,7 @@ class NotificationsController(BaseContro
 
                    Session().commit()
 
                    return 'ok'
 
        except Exception:
 
            Session.rollback()
 
            Session().rollback()
 
            log.error(traceback.format_exc())
 
        return 'fail'
 

	
 
@@ -139,7 +139,7 @@ class NotificationsController(BaseContro
 
                    Session().commit()
 
                    return 'ok'
 
        except Exception:
 
            Session.rollback()
 
            Session().rollback()
 
            log.error(traceback.format_exc())
 
        return 'fail'
 

	
 
@@ -149,8 +149,9 @@ class NotificationsController(BaseContro
 
        c.user = self.rhodecode_user
 
        no = Notification.get(notification_id)
 

	
 
        owner = all(un.user.user_id == c.rhodecode_user.user_id
 
        owner = any(un.user.user_id == c.rhodecode_user.user_id
 
                    for un in no.notifications_to_users)
 

	
 
        if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
 
            unotification = NotificationModel()\
 
                            .get_user_notification(c.user.user_id, no)
 
@@ -165,7 +166,7 @@ class NotificationsController(BaseContro
 

	
 
                return render('admin/notifications/show_notification.html')
 

	
 
        return redirect(url('notifications'))
 
        return abort(403)
 

	
 
    def edit(self, notification_id, format='html'):
 
        """GET /_admin/notifications/id/edit: Form to edit an existing item"""
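Review bot: In the `@@ -149,8 +149,9 @@` hunk, `owner = any(un.user.user_id == c.rhodecode_user.user_id for un in no.notifications_to_users)` dereferences `no` before the `if no and (...)` guard two lines below it, so a notification_id that `Notification.get` does not resolve raises an AttributeError on `no.notifications_to_users` instead of reaching the new `abort(403)`. Switching `all` to `any` is the right ownership test (the old form was only true when every recipient was the current user), but the unresolved-id path now ends in a server error rather than a denial. Folding the existence check into the expression keeps the existing guard intact: `owner = no is not None and any(un.user.user_id == c.rhodecode_user.user_id for un in no.notifications_to_users)`. The enclosing `show` method starts before this hunk, so that `Notification.get` can return None is inferred from the existing `if no and` test rather than from visible code; the `Session().rollback()` fixes in the two earlier hunks look correct as written.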