You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@allura.apache.org by br...@apache.org on 2018/02/23 19:16:14 UTC
allura git commit: [#4841] Prevents anonymous users from editing
other anon comments, including their own.
Repository: allura
Updated Branches:
refs/heads/master 7160b3427 -> 557b09ac6
[#4841] Prevents anonymous users from editing other anon comments, including their own.
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/557b09ac
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/557b09ac
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/557b09ac
Branch: refs/heads/master
Commit: 557b09ac6ed6183e53dfa2b6fb8bb43f5fa40ec6
Parents: 7160b34
Author: Kenton Taylor <kt...@slashdotmedia.com>
Authored: Wed Feb 21 11:45:20 2018 -0500
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Fri Feb 23 11:57:12 2018 -0500
----------------------------------------------------------------------
Allura/allura/app.py | 2 +-
Allura/allura/model/discuss.py | 5 +-
.../tests/functional/test_forum.py | 17 +++++
.../033-change-comment-anon-permissions.py | 66 ++++++++++++++++++++
4 files changed, 87 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/557b09ac/Allura/allura/app.py
----------------------------------------------------------------------
diff --git a/Allura/allura/app.py b/Allura/allura/app.py
index 8db59dd..07b67d8 100644
--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -271,7 +271,7 @@ class Application(object):
permissions_desc = {
'unmoderated_post': 'Post comments without moderation.',
'post': 'Post comments, subject to moderation.',
- 'moderate': 'Moderate comments.',
+ 'moderate': 'Approve and edit all comments.',
'configure': 'Set label and options. Requires admin permission.',
'admin': 'Set permissions.',
}
http://git-wip-us.apache.org/repos/asf/allura/blob/557b09ac/Allura/allura/model/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/discuss.py b/Allura/allura/model/discuss.py
index aff6607..32cf68e 100644
--- a/Allura/allura/model/discuss.py
+++ b/Allura/allura/model/discuss.py
@@ -726,8 +726,9 @@ class Post(Message, VersionedArtifact, ActivityObject):
author = self.author()
author_role = ProjectRole.by_user(
author, project=self.project, upsert=True)
- security.simple_grant(
- self.acl, author_role._id, 'moderate')
+ if not author.is_anonymous():
+ security.simple_grant(
+ self.acl, author_role._id, 'moderate')
self.commit()
if (c.app.config.options.get('PostingPolicy') == 'ApproveOnceModerated'
and author._id != None):
http://git-wip-us.apache.org/repos/asf/allura/blob/557b09ac/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
index 7a55965..3f20911 100644
--- a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
+++ b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
@@ -523,6 +523,7 @@ class TestForum(TestController):
assert 'name="delete"' not in r
assert 'name="approve"' not in r
assert 'name="spam"' not in r
+ assert "Post content" not in r
assert_equal(spam_checker.check.call_args[0][0], 'Test Thread\nPost content')
# assert unapproved thread replies do not appear
@@ -559,6 +560,22 @@ class TestForum(TestController):
link = '<a href="%s">[%s]</a>' % (post2.thread.url() + '?limit=25#' + post2.slug, post2.shorthand_id())
assert link in r, link
+ # approve posts
+ r = self.app.post('/discussion/testforum/moderate/save_moderation', params={
+ 'post-0._id': post._id,
+ 'post-0.checked': 'on',
+ 'approve': 'Approve Marked'})
+ post = FM.ForumPost.query.get(text='Post content')
+
+ # assert anon can't edit their original post
+ r = self.app.get(thread.request.url,
+ extra_environ=dict(username='*anonymous'))
+ assert 'Post content' in r
+ post_container = r.html.find('div', {'id': post.slug})
+ btn_edit = post_container.find('a', {'title': 'Edit'})
+ assert not btn_edit
+
+
@td.with_tool('test2', 'Discussion', 'discussion')
@mock.patch('allura.model.discuss.g.spam_checker')
def test_is_spam(self, spam_checker):
http://git-wip-us.apache.org/repos/asf/allura/blob/557b09ac/scripts/migrations/033-change-comment-anon-permissions.py
----------------------------------------------------------------------
diff --git a/scripts/migrations/033-change-comment-anon-permissions.py b/scripts/migrations/033-change-comment-anon-permissions.py
new file mode 100644
index 0000000..b5a710c
--- /dev/null
+++ b/scripts/migrations/033-change-comment-anon-permissions.py
@@ -0,0 +1,66 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import sys
+import logging
+from ming.orm import ThreadLocalORMSession, session
+from pylons import tmpl_context as c
+from allura import model as M
+from forgediscussion.model import ForumPost
+from allura.lib import utils, security
+from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter, ArgumentTypeError
+
+
+log = logging.getLogger(__name__)
+
+
+def arguments():
+ parser = ArgumentParser(description="Args for changing anon comment permissions",
+ formatter_class=ArgumentDefaultsHelpFormatter, )
+ parser.add_argument('shortname', help="shortname of project to change perms on")
+ parser.add_argument('toolname', help="toolname to change perms on")
+
+ args = parser.parse_args()
+ return args
+
+
+def main():
+ args = arguments()
+
+ c.project = None # to avoid error in Artifact.__mongometa__.before_save
+ project = M.Project.query.get(shortname=args.shortname)
+ tool = project.app_config_by_tool_type(args.toolname)
+
+ for chunk in utils.chunked_find(ForumPost, {'app_config_id':tool._id}):
+ for p in chunk:
+ has_access = bool(security.has_access(p, 'moderate', M.User.anonymous()))
+
+ if has_access:
+ anon_role_id = None
+ for acl in p.acl:
+ # find the anon moderate acl
+ if acl.permission == 'moderate' and acl.access=='ALLOW':
+ anon_role_id = acl.role_id
+
+ if anon_role_id:
+ print "revoking anon moderate privelege for '{}'".format(p._id)
+ security.simple_revoke(p.acl, anon_role_id, 'moderate')
+ session(p).flush(p)
+
+
+if __name__ == '__main__':
+ main()