Posted to commits@allura.apache.org by br...@apache.org on 2018/01/17 22:31:59 UTC
allura git commit: [#8175] nonexistant wiki pages without permission
now 404; also API security check matches main for deleted now
Repository: allura
Updated Branches:
refs/heads/db/8175 [created] 19f04aca4
[#8175] nonexistant wiki pages without permission now 404; also API security check matches main for deleted now
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/19f04aca
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/19f04aca
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/19f04aca
Branch: refs/heads/db/8175
Commit: 19f04aca420d840f4c4feacae618c1bb485b16fd
Parents: 82b2ab7
Author: Dave Brondsema <da...@brondsema.net>
Authored: Wed Jan 17 17:31:50 2018 -0500
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Wed Jan 17 17:31:50 2018 -0500
----------------------------------------------------------------------
.../forgewiki/tests/functional/test_root.py | 27 ++++++++++++--------
ForgeWiki/forgewiki/wiki_main.py | 7 +++--
2 files changed, 21 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/19f04aca/ForgeWiki/forgewiki/tests/functional/test_root.py
----------------------------------------------------------------------
diff --git a/ForgeWiki/forgewiki/tests/functional/test_root.py b/ForgeWiki/forgewiki/tests/functional/test_root.py
index 5bcb4d5..b157e30 100644
--- a/ForgeWiki/forgewiki/tests/functional/test_root.py
+++ b/ForgeWiki/forgewiki/tests/functional/test_root.py
@@ -57,9 +57,9 @@ class TestRootController(TestController):
assert u'tést' in r
assert 'Create Page' in r
# No 'Create Page' button if user doesn't have 'create' perm
- r = self.app.get(page_url,
- extra_environ=dict(username='*anonymous')).follow()
- assert 'Create Page' not in r
+ r = self.app.get('/wiki/Home',
+ extra_environ=dict(username='*anonymous'))
+ assert 'Create Page' not in r, r
@td.with_wiki
def test_create_wiki_page(self):
@@ -150,14 +150,19 @@ class TestRootController(TestController):
assert div is not None, "Can't find help text"
assert_in('To search for an exact phrase', div.text)
- def test_page_index(self):
- response = self.app.get('/wiki/tést/')
- assert 'tést' in response.follow()
-
- def test_page_edit(self):
- self.app.get('/wiki/tést/index')
- response = self.app.post('/wiki/tést/edit')
- assert 'tést' in response
+ def test_nonexistent_page_edit(self):
+ resp = self.app.get('/wiki/tést/')
+ assert resp.location.endswith(h.urlquote(u'/wiki/tést/edit')), resp.location
+ resp = resp.follow()
+ assert 'tést' in resp
+
+ def test_nonexistent_page_noedit(self):
+ self.app.get('/wiki/tést/',
+ extra_environ=dict(username='*anonymous'),
+ status=404)
+ self.app.get('/wiki/tést/',
+ extra_environ=dict(username='test-user'),
+ status=404)
@patch('forgewiki.wiki_main.g.director.create_activity')
def test_activity(self, create_activity):
http://git-wip-us.apache.org/repos/asf/allura/blob/19f04aca/ForgeWiki/forgewiki/wiki_main.py
----------------------------------------------------------------------
diff --git a/ForgeWiki/forgewiki/wiki_main.py b/ForgeWiki/forgewiki/wiki_main.py
index db1f266..7c55221 100644
--- a/ForgeWiki/forgewiki/wiki_main.py
+++ b/ForgeWiki/forgewiki/wiki_main.py
@@ -529,9 +529,10 @@ class PageController(BaseController, FeedController):
require_access(self.page, 'read')
if self.page.deleted:
require_access(self.page, 'delete')
- else:
- require_access(c.app, 'create')
+ elif has_access(c.app, 'create'):
self.rate_limit()
+ else:
+ raise exc.HTTPNotFound
def rate_limit(self):
if WM.Page.is_limit_exceeded(c.app.config, user=c.user):
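Review bot: The new `else: raise exc.HTTPNotFound` branch gives a missing page a different response from an existing page the caller cannot read, which still goes through `require_access(self.page, 'read')` and presumably answers 401/403. On a wiki whose page list is meant to be hidden, that difference reveals which titles exist. If this is intended, record it above the branch, e.g. `# 404 only for missing pages; unreadable pages still answer via require_access`, and add a test for the unreadable-page case beside `test_nonexistent_page_noedit`. Indentation is lost on this page and the `if` that this `elif` belongs to is above the hunk, so the pairing is inferred. The hunk also does not show whether `has_access` and `exc` are already imported in wiki_main.py.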
@@ -849,6 +850,8 @@ class PageRestController(BaseController):
def _check_security(self):
if self.page:
require_access(self.page, 'read')
+ if self.page.deleted:
+ require_access(self.page, 'delete')
@h.vardec
@expose('json:')
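Review bot: The added `if self.page.deleted: require_access(self.page, 'delete')` check in `PageRestController._check_security` has no accompanying test. The diffstat lists only test_root.py, and the new tests visible there exercise the HTML controller for nonexistent pages. A REST test that deletes a page and then requests it as a user without 'delete' permission, expecting the request to be denied, would pin this access-control fix. The same two-line check now also exists in `PageController._check_security`, so a shared helper called from both would keep the two paths from drifting apart again.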