Posted to commits@allura.apache.org by jo...@apache.org on 2013/02/28 23:38:16 UTC
[7/20] git commit: [#5647] ticket:279 Don't elevate creator's rights
on private tickets
[#5647] ticket:279 Don't elevate creator's rights on private tickets
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/80488627
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/80488627
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/80488627
Branch: refs/heads/cj/5788
Commit: 8048862787542e7a947b118cf684aaa4ae4bdd4c
Parents: c847237
Author: Igor Bondarenko <je...@gmail.com>
Authored: Thu Feb 21 16:03:09 2013 +0000
Committer: Cory Johns <jo...@geek.net>
Committed: Wed Feb 27 18:52:17 2013 +0000
----------------------------------------------------------------------
ForgeTracker/forgetracker/model/ticket.py | 4 ++-
.../forgetracker/tests/functional/test_root.py | 28 +++++++++++++++
2 files changed, 31 insertions(+), 1 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/80488627/ForgeTracker/forgetracker/model/ticket.py
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/model/ticket.py b/ForgeTracker/forgetracker/model/ticket.py
index d98f72a..b01782a 100644
--- a/ForgeTracker/forgetracker/model/ticket.py
+++ b/ForgeTracker/forgetracker/model/ticket.py
@@ -413,7 +413,9 @@ class Ticket(VersionedArtifact, ActivityObject, VotableArtifact):
role_creator = self.reported_by.project_role()._id
self.acl = [
ACE.allow(role_developer, ALL_PERMISSIONS),
- ACE.allow(role_creator, ALL_PERMISSIONS),
+ ACE.allow(role_creator, 'read'),
+ ACE.allow(role_creator, 'post'),
+ ACE.allow(role_creator, 'unmoderated_post'),
DENY_ALL]
else:
self.acl = []
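Review bot: The three `ACE.allow(role_creator, …)` entries followed by `DENY_ALL` leave the reporter with only read/post/unmoderated_post on a private ticket, and if evaluation stops at the first matching ACE (which the trailing `DENY_ALL` suggests) a reporter whose project role holds 'update' at the tracker level loses it on their own private ticket; that looks like the commit's intent, but nothing in the code says so. Add a comment above the list, e.g. `# Private ticket: developers get everything, the reporter may only read and comment; DENY_ALL then blocks every other role/permission, including tracker-level 'update'.`. As a point of style, the creator entries could be built from one tuple, `[ACE.allow(role_creator, p) for p in ('read', 'post', 'unmoderated_post')]`, so the grant list is edited in a single place. The enclosing method and its `if` begin outside the hunk.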
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/80488627/ForgeTracker/forgetracker/tests/functional/test_root.py
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/tests/functional/test_root.py b/ForgeTracker/forgetracker/tests/functional/test_root.py
index 1b67a61..3d038f9 100644
--- a/ForgeTracker/forgetracker/tests/functional/test_root.py
+++ b/ForgeTracker/forgetracker/tests/functional/test_root.py
@@ -1084,6 +1084,34 @@ class TestFunctionalController(TrackerTestController):
a = r.html.find('a', {'class': 'edit_ticket'})
assert a.text == 'Edit'
+ def test_ticket_creator_cant_edit_private_ticket_without_update_perm(self):
+ p = M.Project.query.get(shortname='test')
+ tracker = p.app_instance('bugs')
+ # authenticated user has 'create' permission, but not 'update'
+ role = M.ProjectRole.by_name('*authenticated')._id
+ create_permission = M.ACE.allow(role, 'create')
+ update_permission = M.ACE.allow(role, 'update')
+ acl = tracker.config.acl
+ acl.append(create_permission)
+ if update_permission in acl:
+ acl.remove(update_permission)
+ # test-user creates private ticket
+ env = {'username': 'test-user'}
+ post_data = {
+ 'ticket_form.summary': 'Private ticket title',
+ 'ticket_form.private': True
+ }
+ self.app.post('/bugs/save_ticket', post_data, extra_environ=env)
+ # ... and can see it
+ r = self.app.get('/bugs/1/', extra_environ=env)
+ assert 'Private ticket title' in r
+ assert '<label class="simple">Private:</label> Yes' in r, 'Ticket is not private'
+ # ... and can't see 'Edit' link
+ assert r.html.find('a', {'class': 'edit_ticket'}) is None, "Found 'Edit' link"
+ # ... and can't actually edit it
+ self.app.post('/bugs/1/update_ticket', {'summary': 'should fail'},
+ extra_environ=env, status=403)
+
def test_imported_tickets_redirect(self):
self.new_ticket(summary='Imported ticket')
ticket = tm.Ticket.query.get(ticket_num=1)
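Review bot: test_ticket_creator_cant_edit_private_ticket_without_update_perm mutates `tracker.config.acl` in place (appends `create`, removes `update`) with no visible flush or restore; unless TrackerTestController rebuilds the project for each test, the modified tracker ACL leaks into the tests that follow, and if the ORM needs an explicit flush the requests may still run against the old ACL. I'd add a comment stating which of those the harness guarantees, or flush and restore the original list around the requests. The membership test `if update_permission in acl` also depends on a freshly built `M.ACE.allow(role, 'update')` comparing equal to the stored one, which I cannot confirm from here; a one-line comment would spare the next reader the same question. test_imported_tickets_redirect continues past the hunk.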