Posted to commits@ponymail.apache.org by se...@apache.org on 2016/12/13 23:52:04 UTC
incubator-ponymail git commit: inconsistent rights checking - use
common function
Repository: incubator-ponymail
Updated Branches:
refs/heads/master 4116d9bf4 -> 915a68d66
inconsistent rights checking - use common function
This fixes #267
Project: http://git-wip-us.apache.org/repos/asf/incubator-ponymail/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ponymail/commit/915a68d6
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ponymail/tree/915a68d6
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ponymail/diff/915a68d6
Branch: refs/heads/master
Commit: 915a68d66e03c840d10a402389803e084bdd23da
Parents: 4116d9b
Author: Sebb <se...@apache.org>
Authored: Tue Dec 13 23:51:52 2016 +0000
Committer: Sebb <se...@apache.org>
Committed: Tue Dec 13 23:51:52 2016 +0000
----------------------------------------------------------------------
CHANGELOG.md | 1 +
site/api/atom.lua | 35 ++++++++++++-----------------------
site/api/email.lua | 9 +--------
site/api/notifications.lua | 22 +++++++++-------------
site/api/preferences.lua | 12 ++++--------
site/api/source.lua | 8 +-------
site/api/stats.lua | 11 +++--------
site/api/thread.lua | 20 ++------------------
8 files changed, 33 insertions(+), 85 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/915a68d6/CHANGELOG.md
----------------------------------------------------------------------
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 25dd5d9..3cd6183 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,6 +62,7 @@
- ll.py retrieves results but does not use them (#291)
- lib/aaa.lua various bugs (#140)
- lua modules should define local functions only (#294)
+- inconsistent rights checking (#267)
## CHANGES in 0.9b:
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/915a68d6/site/api/atom.lua
----------------------------------------------------------------------
diff --git a/site/api/atom.lua b/site/api/atom.lua
index caa6b3a..17e5d9d 100644
--- a/site/api/atom.lua
+++ b/site/api/atom.lua
@@ -123,22 +123,16 @@ function handle(r)
for k = #doc.hits.hits, 1, -1 do
local v = doc.hits.hits[k]
local email = v._source
- local canUse = true
+ local canUse = false
if email.private then
- if account and not rights then
- rights = aaa.rights(r, account)
- end
- canUse = false
if account then
- local lid = email.list_raw:match("<[^.]+%.(.-)>")
- local flid = email.list_raw:match("<([^.]+%..-)>")
- for k, v in pairs(rights or {}) do
- if v == "*" or v == lid or v == flid then
- canUse = true
- break
- end
+ if rights then
+ rights = aaa.rights(r, account)
end
+ canUse = canAccessDoc(email, rights)
end
+ else
+ canUse = true
end
if canUse then
local mid = email['message-id']
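Review bot: The guard around the rights lookup is inverted in this hunk: `if rights then rights = aaa.rights(r, account) end` calls aaa.rights only when rights is already set, so on the first private email rights stays nil and canAccessDoc receives nil. The removed code used `if account and not rights then`, and the second atom.lua hunk uses `if not rights then`; this one should read `if not rights then` as well. How canAccessDoc treats a nil rights argument is not visible here, so the outcome is either every private email being dropped from the feed for a logged-in user or a runtime error. The loop body continues outside the hunk.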
@@ -166,21 +160,16 @@ function handle(r)
fetchChildren(r, parent)
-- ensure access and process all children
for k, doc in pairs(emls_thrd) do
- local canUse = true
+ local canUse = false
if doc.private then
- canUse = false
- if account and not rights then
- rights = aaa.rights(r, account)
- end
if account then
- local lid = doc.list_raw:match("<[^.]+%.(.-)>")
- for k, v in pairs(rights or {}) do
- if v == "*" or v == lid then
- canUse = true
- break
- end
+ if not rights then
+ rights = aaa.rights(r, account)
end
+ canUse = canAccessDoc(doc, rights)
end
+ else
+ canUse = true
end
if canUse then
table.insert(emls, doc)
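Review bot: canAccessDoc is called as a global in both atom.lua hunks, but this commit adds `require 'lib/utils'` only to notifications.lua, preferences.lua and stats.lua. Assuming the helper lives in lib/utils, atom.lua, email.lua, source.lua and thread.lua must already load it above the lines shown; otherwise each new call fails with an attempt to call a nil value the first time a private document is reached. The require lines of those four files are outside the hunks, so this needs confirming against the full files. If the require is missing, add `require 'lib/utils'` next to the other requires in each file.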
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/915a68d6/site/api/email.lua
----------------------------------------------------------------------
diff --git a/site/api/email.lua b/site/api/email.lua
index 8c36fa0..14f419d 100644
--- a/site/api/email.lua
+++ b/site/api/email.lua
@@ -69,14 +69,7 @@ function handle(r)
-- Is this a private email? and if so, does the user have access to view it?
if doc.private then
if account then
- local lid = doc.list_raw:match("<[^.]+%.(.-)>")
- local flid = doc.list_raw:match("<([^.]+%..-)>")
- for k, v in pairs(aaa.rights(r, account)) do
- if v == "*" or v == lid or v == flid then
- canAccess = true
- break
- end
- end
+ canAccess = canAccessDoc(doc, aaa.rights(r, account))
else
r:puts(JSON.encode{
error = "You must be logged in to view this email"
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/915a68d6/site/api/notifications.lua
----------------------------------------------------------------------
diff --git a/site/api/notifications.lua b/site/api/notifications.lua
index d4ecba5..35ea247 100644
--- a/site/api/notifications.lua
+++ b/site/api/notifications.lua
@@ -24,6 +24,8 @@ local aaa = require 'lib/aaa'
local user = require 'lib/user'
local cross = require 'lib/cross'
+require 'lib/utils'
+
function handle(r)
r.content_type = "application/json"
local now = r:clock()
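Review bot: `require 'lib/utils'` is the only require in this block that is not bound to a local, so the canAccessDoc call further down resolves as a global and nothing at the call site says where it comes from. The CHANGELOG context in this same commit lists "lua modules should define local functions only (#294)", which points the other way. If lib/utils returns a table, `local utils = require 'lib/utils'` with `utils.canAccessDoc(doc, rights)` would match the neighbouring lines; otherwise a one-line comment such as `-- provides canAccessDoc (global)` above the require would do. The same applies to the require added in preferences.lua and stats.lua.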
@@ -53,23 +55,17 @@ function handle(r)
-- Find all recent notification docs, up to 50 latest results
local docs = elastic.find("recipient:\"" .. r:sha1(account.cid) .. "\"", 50, "notifications")
for k, doc in pairs(docs) do
- local canUse = true
+ local canUse = false
-- check we have rights to view this notification (it might be from a private email we shouldn't see)
if doc.private then
- if not rights then
- rights = aaa.rights(r, account)
- end
- canUse = false
if account then
- local lid = doc.list_raw:match("<[^.]+%.(.-)>")
- local flid = doc.list_raw:match("<([^.]+%..-)>")
- for k, v in pairs(rights or {}) do
- if v == "*" or v == lid or v == flid then
- canUse = true
- break
- end
- end
+ if not rights then
+ rights = aaa.rights(r, account)
+ end
+ canUse = canAccessDoc(doc, rights)
end
+ else
+ canUse = true
end
-- if we can see the email, push the notif to the list
if canUse then
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/915a68d6/site/api/preferences.lua
----------------------------------------------------------------------
diff --git a/site/api/preferences.lua b/site/api/preferences.lua
index 59f1e19..df1444b 100644
--- a/site/api/preferences.lua
+++ b/site/api/preferences.lua
@@ -25,6 +25,8 @@ local smtp = require 'socket.smtp'
local config = require 'lib/config'
local aaa = require 'lib/aaa'
+require 'lib/utils'
+
--[[
Get login details (if logged in), mail list counts and descriptions
@@ -319,15 +321,9 @@ Pony Mail - Email for Ponies and People.
-- i.e. the user won't see the list name if it contains a single private mail they cannot access
for x,y in pairs (pdoc.aggregations.from.buckets) do
local canAccess = false
- local list, domain = y.key:lower():match("^<?(.-)%.(.-)>?$")
+ local _, list, domain = parseLid(y.key:lower())
if list and domain and #list > 0 and #domain > 2 then
- local flid = list .. "." .. domain
- for k, v in pairs(rights) do
- if v == "*" or v == domain or v == flid then
- canAccess = true
- break
- end
- end
+ canAccess = canAccessList(y.key:lower(), rights)
if not canAccess then
lists[domain] = lists[domain] or {}
lists[domain][list] = nil
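Review bot: The access decision and the cleanup now parse the list id separately: `parseLid(y.key:lower())` supplies list and domain for the removal, while `canAccessList(y.key:lower(), rights)` receives the raw lower-cased key. The removed pattern `^<?(.-)%.(.-)>?$` accepted the key with or without angle brackets. Whether canAccessList normalises both forms the same way is not visible here and is worth confirming, since a mismatch would make the check and the removal disagree. Lower-casing once, `local lid = y.key:lower()`, and passing lid to both helpers also avoids the repeated call. The enclosing loop continues past the end of the hunk.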
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/915a68d6/site/api/source.lua
----------------------------------------------------------------------
diff --git a/site/api/source.lua b/site/api/source.lua
index 45305e4..7d6c728 100644
--- a/site/api/source.lua
+++ b/site/api/source.lua
@@ -40,13 +40,7 @@ function handle(r)
if doc.private then
local account = user.get(r)
if account then
- local lid = doc.list_raw:match("<[^.]+%.(.-)>")
- for k, v in pairs(aaa.rights(r, account)) do
- if v == "*" or v == lid then
- canAccess = true
- break
- end
- end
+ canAccess = canAccessDoc(doc, aaa.rights(r, account))
else
r:puts("You must be logged in to view this email")
return cross.OK
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/915a68d6/site/api/stats.lua
----------------------------------------------------------------------
diff --git a/site/api/stats.lua b/site/api/stats.lua
index fa07ff7..70a5816 100644
--- a/site/api/stats.lua
+++ b/site/api/stats.lua
@@ -24,6 +24,8 @@ local aaa = require 'lib/aaa'
local config = require 'lib/config'
local cross = require 'lib/cross'
+require 'lib/utils'
+
local days = {
31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31, 30, 31
}
@@ -585,14 +587,7 @@ function handle(r)
end
canUse = false
if account then
- local lid = email.list_raw:match("<[^.]+%.(.-)>")
- local flid = email.list_raw:match("<([^.]+%..-)>")
- for k, v in pairs(rights or {}) do
- if v == "*" or v == lid or v == flid then
- canUse = true
- break
- end
- end
+ canUse = canAccessDoc(email, rights)
end
end
if canUse then
http://git-wip-us.apache.org/repos/asf/incubator-ponymail/blob/915a68d6/site/api/thread.lua
----------------------------------------------------------------------
diff --git a/site/api/thread.lua b/site/api/thread.lua
index 9c92ac8..b75ac41 100644
--- a/site/api/thread.lua
+++ b/site/api/thread.lua
@@ -59,15 +59,7 @@ local function fetchChildren(r, pdoc, c, biglist, rights, account)
-- if we haven't seen this email before, check for its kids and add it to the bunch
local canAccess = true
if doc.private then
- canAccess = false
- local lid = doc.list_raw:match("<[^.]+%.(.-)>")
- local flid = doc.list_raw:match("<([^.]+%..-)>")
- for k, v in pairs(rights) do
- if v == "*" or v == lid or v == flid then
- canAccess = true
- break
- end
- end
+ canAccess = canAccessDoc(doc, rights)
end
if canAccess and (not biglist[doc['message-id']]) then
@@ -129,15 +121,7 @@ function handle(r)
-- if private, can we access it?
if doc.private then
if account then
- local lid = doc.list_raw:match("<[^.]+%.(.-)>")
- local flid = doc.list_raw:match("<([^.]+%..-)>")
- rights = aaa.rights(r, account)
- for k, v in pairs(rights) do
- if v == "*" or v == lid or v == flid then
- canAccess = true
- break
- end
- end
+ canAccess = canAccessDoc(doc, aaa.rights(r, account))
else
r:puts(JSON.encode{
error = "You must be logged in to view this email"
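Review bot: The removed line `rights = aaa.rights(r, account)` was the only assignment to rights visible in handle, and the new `canAccess = canAccessDoc(doc, aaa.rights(r, account))` no longer stores the result. fetchChildren in the first thread.lua hunk takes rights as a parameter and passes it to canAccessDoc, so if handle later hands it this variable it may now be nil for private threads. That would presumably hide private children from a user entitled to them, or raise an error. Keeping the assignment, `rights = aaa.rights(r, account)` followed by `canAccess = canAccessDoc(doc, rights)`, preserves the old behaviour. The call to fetchChildren is outside the hunk, so this needs checking against the full file.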