Posted to commits@allura.apache.org by di...@apache.org on 2021/04/07 13:57:48 UTC
[allura] 01/01: Prevent private projects by disallowing access to
'permissions' page
This is an automated email from the ASF dual-hosted git repository.
dill0wn pushed a commit to branch dw/no_private_projects
in repository https://gitbox.apache.org/repos/asf/allura.git
commit 0f73d4a80349b6054c6e99ce836d1a6b96c69e95
Author: Dillon Walls <di...@slashdotmedia.com>
AuthorDate: Wed Apr 7 13:56:36 2021 +0000
Prevent private projects by disallowing access to 'permissions' page
---
Allura/allura/ext/admin/admin_main.py | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/Allura/allura/ext/admin/admin_main.py b/Allura/allura/ext/admin/admin_main.py
index 26380b2..7ef8842 100644
--- a/Allura/allura/ext/admin/admin_main.py
+++ b/Allura/allura/ext/admin/admin_main.py
@@ -43,7 +43,7 @@ from allura.app import Application, DefaultAdminController, SitemapEntry
from allura.lib import helpers as h
from allura import version
from allura import model as M
-from allura.lib.security import has_access, require_access
+from allura.lib.security import has_access, require_access, is_site_admin
from allura.lib.widgets import form_fields as ffw
from allura.lib import exceptions as forge_exc
from allura.lib import plugin
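Review bot: The `is_site_admin` name added to the `from allura.lib.security` import line is consumed only by the guard added to `PermissionsController._check_security` further down this file, and that guard issues its `redirect('../groups')` before the existing `require_access(c.project, 'admin')` runs rather than after it. As written, a user with no admin access on a root project is redirected instead of receiving the usual 403, and the groups page is left to reject them; this is probably harmless if the groups controller enforces the same check, but reordering the two lines so `require_access(c.project, 'admin')` comes first keeps the authorization failure where it is today and makes the redirect purely a UI restriction for admins. The hunk for `_check_security` continues past the end of this excerpt, so I cannot see whether any other entry point in this controller bypasses `_check_security`.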
@@ -967,6 +967,13 @@ class ProjectAdminRestController(BaseController):
class PermissionsController(BaseController):
def _check_security(self):
+ # Do not allow access to 'permissions' page for root projects.
+ # Users should use 'groups' instead. This is to prevent creating 'private' projects
+ # - subprojects are still allowed.
+ # - site admins are still allowed.
+ # - tools pages are also still allowed, but are in a different controller
+ if c.project.is_root and not is_site_admin(c.user):
+ redirect('../groups')
require_access(c.project, 'admin')
@with_trailing_slash