Posted to commits@allura.apache.org by je...@apache.org on 2015/11/20 14:12:08 UTC
allura git commit: [#7997] ticket:863 Hide attachments on unmoderated
posts
Repository: allura
Updated Branches:
refs/heads/ib/7997 [created] 8e36158ab
[#7997] ticket:863 Hide attachments on unmoderated posts
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/8e36158a
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/8e36158a
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/8e36158a
Branch: refs/heads/ib/7997
Commit: 8e36158abf2ccab30d0183f4dcfd5b6acca1856d
Parents: e76eebf
Author: Igor Bondarenko <je...@gmail.com>
Authored: Fri Nov 20 14:16:04 2015 +0200
Committer: Igor Bondarenko <je...@gmail.com>
Committed: Fri Nov 20 14:16:04 2015 +0200
----------------------------------------------------------------------
Allura/allura/controllers/attachments.py | 3 ++
.../allura/templates/widgets/post_widget.html | 8 +++--
Allura/allura/tests/functional/test_discuss.py | 38 ++++++++++++++++++++
3 files changed, 46 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/8e36158a/Allura/allura/controllers/attachments.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/attachments.py b/Allura/allura/controllers/attachments.py
index cf40fee..4260988 100644
--- a/Allura/allura/controllers/attachments.py
+++ b/Allura/allura/controllers/attachments.py
@@ -59,6 +59,9 @@ class AttachmentController(BaseController):
def _check_security(self):
require_access(self.artifact, 'read')
+ status = getattr(self.artifact, 'status', None)
+ if status == 'pending':
+ require_access(self.artifact, 'moderate')
def __init__(self, filename, artifact):
self.filename = filename
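Review bot: The new gate in `_check_security` is a deny-list on a single value: only `status == 'pending'` adds the `require_access(self.artifact, 'moderate')` call, so an artifact in any other non-approved state would still be served to anyone holding 'read'. If the post model has further such states (none are visible in this hunk), consider inverting the test so that an artifact carrying a status is served on 'read' alone only when it is approved. A short comment such as `# attachments on unmoderated posts are served to moderators only; artifacts without a status keep the plain 'read' check` would also record why `getattr(..., None)` is used. The class body continues outside the hunk.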
http://git-wip-us.apache.org/repos/asf/allura/blob/8e36158a/Allura/allura/templates/widgets/post_widget.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/post_widget.html b/Allura/allura/templates/widgets/post_widget.html
index 7e22dbf..88fa1d1 100644
--- a/Allura/allura/templates/widgets/post_widget.html
+++ b/Allura/allura/templates/widgets/post_widget.html
@@ -41,9 +41,11 @@
<small>{{lib.abbr_date(value.timestamp)}}</small>
</p>
</div>
+ {% set pending = value.status == 'pending' %}
+ {% set moderator = h.has_access(value, 'moderator')() %}
<div class="grid-14" style="width: {{indent == 0 and 525 or (indent <= 40 and 515-indent*10 or 65)}}px">
- <div class="display_post{%if (value.status == 'pending') and h.has_access(value, 'moderate')()%} moderate{%endif%}">
- {% if (value.status == 'pending') and not h.has_access(value, 'moderate')() %}
+ <div class="display_post{% if pending and moderator %} moderate{% endif %}">
+ {% if pending and not moderator %}
<b>Post awaiting moderation.</b>
{% else %}
{% if show_subject %}
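Review bot: `h.has_access(value, 'moderator')()` asks for a permission named 'moderator', whereas the two lines it replaces and the new check in attachments.py both use 'moderate'. If 'moderator' is not a defined permission, users who hold 'moderate' would presumably get "Post awaiting moderation." instead of the pending post, and the `not pending or moderator` condition in the second hunk of this file would hide the attachments from them as well. That fails closed, but it leaves the template and the controller deciding on different permissions. Suggested line: `{% set moderator = h.has_access(value, 'moderate')() %}`. The enclosing template block starts and ends outside the hunk.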
@@ -66,7 +68,7 @@
{{widgets.attach_post.display(value=value, action=value.url() + 'attach')}}
</div>
{% endif %}
- {% if value.attachments %}
+ {% if value.attachments and (not pending or moderator) %}
<div>
<strong>Attachments</strong>
<div class="clear"></div>
http://git-wip-us.apache.org/repos/asf/allura/blob/8e36158a/Allura/allura/tests/functional/test_discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_discuss.py b/Allura/allura/tests/functional/test_discuss.py
index bea0f95..fb8a08b 100644
--- a/Allura/allura/tests/functional/test_discuss.py
+++ b/Allura/allura/tests/functional/test_discuss.py
@@ -332,3 +332,41 @@ class TestAttachment(TestDiscussBase):
session(post).flush(post)
self.app.get(alink, status=404)
self.app.get(thumblink, status=404)
+
+ def test_unmoderated_post_attachments(self):
+ ordinary_user = {'username': 'test-user'}
+ moderator = {'username': 'test-admin'}
+ # set up attachment
+ f = os.path.join(os.path.dirname(__file__), '..', 'data', 'user.png')
+ with open(f) as f:
+ pic = f.read()
+ self.app.post(
+ self.post_link + 'attach',
+ upload_files=[('file_info', 'user.png', pic)])
+ # ... make sure ordinary user can see it
+ r = self.app.get(self.thread_link, extra_environ=ordinary_user)
+ assert '<div class="attachment_thumb">' in r
+ alink = self.attach_link()
+ thumblink = alink + '/thumb'
+ # ... and access it
+ self.app.get(alink, status=200, extra_environ=ordinary_user)
+ self.app.get(thumblink, status=200, extra_environ=ordinary_user)
+
+ # make post unmoderated
+ _, slug = self.post_link.rstrip('/').rsplit('/', 1)
+ post = M.Post.query.get(slug=slug)
+ assert post, 'Could not find post for {} {}'.format(slug, self.post_link)
+ post.status = 'pending'
+ session(post).flush(post)
+ # ... make sure attachment is not visible to ordinary user
+ r = self.app.get(self.thread_link, extra_environ=ordinary_user)
+ assert '<div class="attachment_thumb">' not in r, 'Attachment is visible on unmoderated post'
+ # ... but visible to moderator
+ r = self.app.get(self.thread_link, extra_environ=moderator)
+ assert '<div class="attachment_thumb">' in r
+ # ... and ordinary user can't access it
+ self.app.get(alink, status=403, extra_environ=ordinary_user)
+ self.app.get(thumblink, status=403, extra_environ=ordinary_user)
+ # ... but moderator can
+ self.app.get(alink, status=200, extra_environ=moderator)
+ self.app.get(thumblink, status=200, extra_environ=moderator)
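Review bot: `with open(f) as f:` reads a PNG in text mode and rebinds `f` from the path to the file object; binary data should be read with `with open(f, 'rb') as fp:` and `pic = fp.read()`, otherwise the upload can be altered or fail to decode depending on platform and Python version. On coverage, the only account checked on the allowed side is `test-admin`, which may pass permission checks for reasons other than holding 'moderate', so a wrong permission name in the template or controller could go unnoticed. A case with a non-admin user who has been granted 'moderate', and one with an unauthenticated request against `alink` and `thumblink`, would pin the access rule more tightly. The enclosing `TestAttachment` class starts outside the hunk.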