Posted to commits@allura.apache.org by jo...@apache.org on 2013/03/01 16:58:05 UTC

[2/24] git commit: [#5887] check artifact security on _discuss/thread/ URLs

[#5887] check artifact security on _discuss/thread/ URLs


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/1045b88c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/1045b88c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/1045b88c

Branch: refs/heads/cj/5411
Commit: 1045b88c1cf4280750109bef41bb06de3b849b15
Parents: c1413ea
Author: Dave Brondsema <db...@geek.net>
Authored: Tue Feb 26 21:03:29 2013 +0000
Committer: Dave Brondsema <db...@geek.net>
Committed: Tue Feb 26 21:03:29 2013 +0000

----------------------------------------------------------------------
 Allura/allura/controllers/discuss.py           |    9 ++++++
 Allura/allura/tests/functional/test_discuss.py |   27 ++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/1045b88c/Allura/allura/controllers/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/discuss.py b/Allura/allura/controllers/discuss.py
index 577440e..4d7b3ec 100644
--- a/Allura/allura/controllers/discuss.py
+++ b/Allura/allura/controllers/discuss.py
@@ -1,5 +1,6 @@
 from urllib import unquote
 from datetime import datetime
+import logging
 
 from tg import expose, redirect, validate, request, response, flash
 from tg.decorators import before_validate, with_trailing_slash, without_trailing_slash
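Review bot: `import logging` is added here and `log = logging.getLogger(__name__)` in the next hunk, but none of the hunks in this commit reference `log`. If the rest of discuss.py does not use it either, both additions are dead code and should be dropped, or `log` should actually be used by the new permission checks. As written the import and the module-level logger are only noise for a reader trying to find what the commit enforces.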
@@ -21,6 +22,8 @@ from allura.lib.helpers import DateTimeConverter
 from allura.lib.widgets import discuss as DW
 from .attachments import AttachmentsController, AttachmentController
 
+log = logging.getLogger(__name__)
+
 class pass_validator(object):
     def validate(self, v, s):
         return v
@@ -144,6 +147,8 @@ class ThreadController(BaseController):
 
     def _check_security(self):
         require_access(self.thread, 'read')
+        if self.thread.ref:
+            require_access(self.thread.ref.artifact, 'read')
 
     def __init__(self, discussion_controller, thread_id):
         self._discussion_controller = discussion_controller
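Review bot: The two-line artifact check added to `_check_security` is repeated verbatim in the `post` and `tag` hunks below with only the permission name differing, so a small private helper on ThreadController would keep the three call sites from drifting apart as further actions are added. A second question is what `require_access` does when `self.thread.ref` is set but `ref.artifact` is missing (a reference to a since-deleted artifact); if that can occur, the helper should make the deny-by-default decision explicit rather than rely on `require_access(None, ...)`. It is also worth confirming that any nested controller reachable under a thread URL (individual posts, attachments) performs the same artifact check, since that is not visible in this diff. The rest of ThreadController lies outside the hunk.
```python
    def _require_artifact_access(self, perm):
        """Enforce *perm* on the artifact this thread belongs to, if any.

        Reading or posting to a thread must not be a way around the ACL
        of the artifact it discusses.
        """
        if self.thread.ref:
            # NOTE(review): decide explicitly what happens when ref.artifact is None
            require_access(self.thread.ref.artifact, perm)

    def _check_security(self):
        require_access(self.thread, 'read')
        self._require_artifact_access('read')

    # … unchanged: __init__ …
    # post() and tag() would call self._require_artifact_access('post')
```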
@@ -179,6 +184,8 @@ class ThreadController(BaseController):
     @utils.AntiSpam.validate('Spambot protection engaged')
     def post(self, **kw):
         require_access(self.thread, 'post')
+        if self.thread.ref:
+            require_access(self.thread.ref.artifact, 'post')
         kw = self.W.edit_post.to_python(kw, None)
         if not kw['text']:
             flash('Your post was not saved. You must provide content.', 'error')
@@ -202,6 +209,8 @@ class ThreadController(BaseController):
     @require_post()
     def tag(self, labels, **kw):
         require_access(self.thread, 'post')
+        if self.thread.ref:
+            require_access(self.thread.ref.artifact, 'post')
         self.thread.labels = labels.split(',')
         redirect(request.referer)
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/1045b88c/Allura/allura/tests/functional/test_discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_discuss.py b/Allura/allura/tests/functional/test_discuss.py
index 1e3cb13..596cf60 100644
--- a/Allura/allura/tests/functional/test_discuss.py
+++ b/Allura/allura/tests/functional/test_discuss.py
@@ -3,7 +3,6 @@ from mock import patch
 from allura.tests import TestController
 from allura import model as M
 
-
 class TestDiscuss(TestController):
 
     def test_subscribe_unsubscribe(self):
@@ -94,6 +93,32 @@ class TestDiscuss(TestController):
         self.app.post(permalinks[1]+'moderate', params=dict(delete='delete'))
         self.app.post(permalinks[0]+'moderate', params=dict(spam='spam'))
 
+    def test_permissions(self):
+        home = self.app.get('/wiki/_discuss/')
+        thread_url = [ a for a in home.html.findAll('a')
+                 if 'thread' in a['href'] ][0]['href']
+        thread_id = thread_url.rstrip('/').split('/')[-1]
+        thread = M.Thread.query.get(_id=thread_id)
+
+        # ok initially
+        non_admin = 'test-user'
+        self.app.get(thread_url, status=200,
+                     extra_environ=dict(username=non_admin))
+
+        # set wiki page private
+        from forgewiki.model import Page
+        page = Page.query.get(_id=thread.ref.artifact._id)  # need to look up the page directly, so ming is aware of our change
+        role_admin = M.ProjectRole.by_name('Admin')._id
+        page.acl = [
+            M.ACE.allow(role_admin, M.ALL_PERMISSIONS),
+            M.DENY_ALL,
+        ]
+
+        self.app.get(thread_url, status=200, # ok
+                     extra_environ=dict(username='test-admin'))
+        self.app.get(thread_url, status=403, # forbidden
+                     extra_environ=dict(username=non_admin))
+
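Review bot: `test_permissions` only covers the read path; the `post` and `tag` artifact checks added in the same commit have no test, so a regression that drops either would go unnoticed. A follow-up assertion, such as a POST to the thread's `tag` action (with a `labels` parameter, if that is how the action is routed) as `non_admin` expecting 403 after the page is made private, would pin the write side too. Separately, the link lookup on the first lines (`[ a for a in home.html.findAll('a') if 'thread' in a['href'] ][0]['href']`) fails with `IndexError`/`KeyError` instead of a readable assertion when the page has no thread link or an anchor lacks `href`; an explicit `assert thread_url` style guard would make the failure mode clear. The `TestDiscuss` class continues outside the hunk.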
     def test_moderate(self):
         r = self._make_post('Test post')
         post_link = str(r.html.find('div', {'class': 'edit_post_form reply'}).find('form')['action'])