Posted to commits@allura.apache.org by jo...@apache.org on 2013/03/01 16:58:05 UTC
[2/24] git commit: [#5887] check artifact security on
_discuss/thread/ URLs
[#5887] check artifact security on _discuss/thread/ URLs
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/1045b88c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/1045b88c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/1045b88c
Branch: refs/heads/cj/5411
Commit: 1045b88c1cf4280750109bef41bb06de3b849b15
Parents: c1413ea
Author: Dave Brondsema <db...@geek.net>
Authored: Tue Feb 26 21:03:29 2013 +0000
Committer: Dave Brondsema <db...@geek.net>
Committed: Tue Feb 26 21:03:29 2013 +0000
----------------------------------------------------------------------
Allura/allura/controllers/discuss.py | 9 ++++++
Allura/allura/tests/functional/test_discuss.py | 27 ++++++++++++++++++-
2 files changed, 35 insertions(+), 1 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/1045b88c/Allura/allura/controllers/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/discuss.py b/Allura/allura/controllers/discuss.py
index 577440e..4d7b3ec 100644
--- a/Allura/allura/controllers/discuss.py
+++ b/Allura/allura/controllers/discuss.py
@@ -1,5 +1,6 @@
from urllib import unquote
from datetime import datetime
+import logging
from tg import expose, redirect, validate, request, response, flash
from tg.decorators import before_validate, with_trailing_slash, without_trailing_slash
@@ -21,6 +22,8 @@ from allura.lib.helpers import DateTimeConverter
from allura.lib.widgets import discuss as DW
from .attachments import AttachmentsController, AttachmentController
+log = logging.getLogger(__name__)
+
class pass_validator(object):
def validate(self, v, s):
return v
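Review bot: `log = logging.getLogger(__name__)` is added at module level here, but nothing else in this diff uses it, so as of this commit it is an unused name (together with the `import logging` in the first hunk). If a later commit in this series is the one that logs, the assignment is better introduced there; otherwise drop both lines.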
@@ -144,6 +147,8 @@ class ThreadController(BaseController):
def _check_security(self):
require_access(self.thread, 'read')
+ if self.thread.ref:
+ require_access(self.thread.ref.artifact, 'read')
def __init__(self, discussion_controller, thread_id):
self._discussion_controller = discussion_controller
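Review bot: The two-line guard `if self.thread.ref: require_access(self.thread.ref.artifact, ...)` is written out here in `_check_security` and repeated with `'post'` in the `post` and `tag` hunks that follow; a single helper on ThreadController keeps the three sites from drifting if the artifact rule changes again. Also, if a thread's `ref` can outlive the artifact it points to, `ref.artifact` may be None on this line, and whether `require_access` treats None as a denial is not visible in this hunk — worth confirming, since a failure there would surface as a server error rather than a 403. `__init__` begins on the last lines of this hunk and continues outside it.
```python
    def _check_security(self):
        require_access(self.thread, 'read')
        self._require_artifact_access('read')

    def _require_artifact_access(self, perm):
        """Also enforce *perm* on the artifact this thread discusses, if any."""
        if self.thread.ref:
            require_access(self.thread.ref.artifact, perm)

    # … unchanged: __init__ …
```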
@@ -179,6 +184,8 @@ class ThreadController(BaseController):
@utils.AntiSpam.validate('Spambot protection engaged')
def post(self, **kw):
require_access(self.thread, 'post')
+ if self.thread.ref:
+ require_access(self.thread.ref.artifact, 'post')
kw = self.W.edit_post.to_python(kw, None)
if not kw['text']:
flash('Your post was not saved. You must provide content.', 'error')
@@ -202,6 +209,8 @@ class ThreadController(BaseController):
@require_post()
def tag(self, labels, **kw):
require_access(self.thread, 'post')
+ if self.thread.ref:
+ require_access(self.thread.ref.artifact, 'post')
self.thread.labels = labels.split(',')
redirect(request.referer)
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/1045b88c/Allura/allura/tests/functional/test_discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_discuss.py b/Allura/allura/tests/functional/test_discuss.py
index 1e3cb13..596cf60 100644
--- a/Allura/allura/tests/functional/test_discuss.py
+++ b/Allura/allura/tests/functional/test_discuss.py
@@ -3,7 +3,6 @@ from mock import patch
from allura.tests import TestController
from allura import model as M
-
class TestDiscuss(TestController):
def test_subscribe_unsubscribe(self):
@@ -94,6 +93,32 @@ class TestDiscuss(TestController):
self.app.post(permalinks[1]+'moderate', params=dict(delete='delete'))
self.app.post(permalinks[0]+'moderate', params=dict(spam='spam'))
+ def test_permissions(self):
+ home = self.app.get('/wiki/_discuss/')
+ thread_url = [ a for a in home.html.findAll('a')
+ if 'thread' in a['href'] ][0]['href']
+ thread_id = thread_url.rstrip('/').split('/')[-1]
+ thread = M.Thread.query.get(_id=thread_id)
+
+ # ok initially
+ non_admin = 'test-user'
+ self.app.get(thread_url, status=200,
+ extra_environ=dict(username=non_admin))
+
+ # set wiki page private
+ from forgewiki.model import Page
+ page = Page.query.get(_id=thread.ref.artifact._id) # need to look up the page directly, so ming is aware of our change
+ role_admin = M.ProjectRole.by_name('Admin')._id
+ page.acl = [
+ M.ACE.allow(role_admin, M.ALL_PERMISSIONS),
+ M.DENY_ALL,
+ ]
+
+ self.app.get(thread_url, status=200, # ok
+ extra_environ=dict(username='test-admin'))
+ self.app.get(thread_url, status=403, # forbidden
+ extra_environ=dict(username=non_admin))
+
def test_moderate(self):
r = self._make_post('Test post')
post_link = str(r.html.find('div', {'class': 'edit_post_form reply'}).find('form')['action'])