Changeset - edb9a42def31
Parent rev.
Child rev.
[Not reviewed]
beta
0 1 0
Marcin Kuzminski - 13 years ago 2013-03-02 20:35:49
marcin@python-works.com
fix to strict permission check on notification messages
1 file changed with 6 insertions and 5 deletions:
rhodecode/controllers/admin/notifications.py
6
5
0 comments (0 inline, 0 general)
rhodecode/controllers/admin/notifications.py
Show inline comments
 
@@ -19,25 +19,25 @@
 
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
# GNU General Public License for more details.
 
#
 
# You should have received a copy of the GNU General Public License
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 

			




	
	
	
		
 
import logging

			




	
	
	
		
 
import traceback

			




	
	
	
		
 

			




	
	
	
		
 
from pylons import request

			




	
	
	
		
 
from pylons import tmpl_context as c, url

			




	
	
	
		
 
from pylons.controllers.util import redirect

			




	
	
	
		
 
from pylons.controllers.util import redirect, abort

			




	
	
	
		
 

			




	
	
	
		
 
from webhelpers.paginate import Page

			




	
	
	
		
 

			




	
	
	
		
 
from rhodecode.lib.base import BaseController, render

			




	
	
	
		
 
from rhodecode.model.db import Notification

			




	
	
	
		
 

			




	
	
	
		
 
from rhodecode.model.notification import NotificationModel

			




	
	
	
		
 
from rhodecode.lib.auth import LoginRequired, NotAnonymous

			




	
	
	
		
 
from rhodecode.lib import helpers as h

			




	
	
	
		
 
from rhodecode.model.meta import Session

			




	
	
	
		
 
from rhodecode.lib.utils2 import safe_int

			




	
	
	
		
 

			




	
	
		
 
@@ -108,65 +108,66 @@ class NotificationsController(BaseContro

			




	
	
	
		
 
        #    h.form(url('notification', notification_id=ID),

			




	
	
	
		
 
        #           method='put')

			




	
	
	
		
 
        # url('notification', notification_id=ID)

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            no = Notification.get(notification_id)

			




	
	
	
		
 
            owner = all(un.user.user_id == c.rhodecode_user.user_id

			




	
	
	
		
 
                        for un in no.notifications_to_users)

			




	
	
	
		
 
            if h.HasPermissionAny('hg.admin')() or owner:

			




	
	
	
		
 
                    NotificationModel().mark_read(c.rhodecode_user.user_id, no)

			




	
	
	
		
 
                    Session().commit()

			




	
	
	
		
 
                    return 'ok'

			




	
	
	
		
 
        except Exception:

			




	
	
	
		
 
            Session.rollback()

			




	
	
	
		
 
            Session().rollback()

			




	
	
	
		
 
            log.error(traceback.format_exc())

			




	
	
	
		
 
        return 'fail'

			




	
	
	
		
 

			




	
	
	
		
 
    def delete(self, notification_id):

			




	
	
	
		
 
        """DELETE /_admin/notifications/id: Delete an existing item"""

			




	
	
	
		
 
        # Forms posted to this method should contain a hidden field:

			




	
	
	
		
 
        #    <input type="hidden" name="_method" value="DELETE" />

			




	
	
	
		
 
        # Or using helpers:

			




	
	
	
		
 
        #    h.form(url('notification', notification_id=ID),

			




	
	
	
		
 
        #           method='delete')

			




	
	
	
		
 
        # url('notification', notification_id=ID)

			




	
	
	
		
 

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            no = Notification.get(notification_id)

			




	
	
	
		
 
            owner = all(un.user.user_id == c.rhodecode_user.user_id

			




	
	
	
		
 
                        for un in no.notifications_to_users)

			




	
	
	
		
 
            if h.HasPermissionAny('hg.admin')() or owner:

			




	
	
	
		
 
                    NotificationModel().delete(c.rhodecode_user.user_id, no)

			




	
	
	
		
 
                    Session().commit()

			




	
	
	
		
 
                    return 'ok'

			




	
	
	
		
 
        except Exception:

			




	
	
	
		
 
            Session.rollback()

			




	
	
	
		
 
            Session().rollback()

			




	
	
	
		
 
            log.error(traceback.format_exc())

			




	
	
	
		
 
        return 'fail'

			




	
	
	
		
 

			




	
	
	
		
 
    def show(self, notification_id, format='html'):

			




	
	
	
		
 
        """GET /_admin/notifications/id: Show a specific item"""

			




	
	
	
		
 
        # url('notification', notification_id=ID)

			




	
	
	
		
 
        c.user = self.rhodecode_user

			




	
	
	
		
 
        no = Notification.get(notification_id)

			




	
	
	
		
 

			




	
	
	
		
 
        owner = all(un.user.user_id == c.rhodecode_user.user_id

			




	
	
	
		
 
        owner = any(un.user.user_id == c.rhodecode_user.user_id

			




	
	
	
		
 
                    for un in no.notifications_to_users)

			




	
	
	
		
 

			




	
	
	
		
 
        if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):

			




	
	
	
		
 
            unotification = NotificationModel()\

			




	
	
	
		
 
                            .get_user_notification(c.user.user_id, no)

			




	
	
	
		
 

			




	
	
	
		
 
            # if this association to user is not valid, we don't want to show

			




	
	
	
		
 
            # this message

			




	
	
	
		
 
            if unotification:

			




	
	
	
		
 
                if unotification.read is False:

			




	
	
	
		
 
                    unotification.mark_as_read()

			




	
	
	
		
 
                    Session().commit()

			




	
	
	
		
 
                c.notification = no

			




	
	
	
		
 

			




	
	
	
		
 
                return render('admin/notifications/show_notification.html')

			




	
	
	
		
 

			




	
	
	
		
 
        return redirect(url('notifications'))

			




	
	
	
		
 
        return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
    def edit(self, notification_id, format='html'):

			




	
	
	
		
 
        """GET /_admin/notifications/id/edit: Form to edit an existing item"""

			




	
	
	
		
 
        # url('edit_notification', notification_id=ID)

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.