You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@allura.apache.org by ke...@apache.org on 2018/02/21 16:57:27 UTC
[1/2] allura git commit: [#4841] Prevents anonymous users from
editing other anon comments, including their own.
Repository: allura
Updated Branches:
refs/heads/kt/4841 [created] 8b2b4f07c
[#4841] Prevents anonymous users from editing other anon comments, including their own.
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/8e445ced
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/8e445ced
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/8e445ced
Branch: refs/heads/kt/4841
Commit: 8e445ced1e573a404541d9a45f06d26887a51674
Parents: 8e9eb0e
Author: Kenton Taylor <kt...@slashdotmedia.com>
Authored: Wed Feb 21 11:45:20 2018 -0500
Committer: Kenton Taylor <kt...@slashdotmedia.com>
Committed: Wed Feb 21 11:45:20 2018 -0500
----------------------------------------------------------------------
Allura/allura/app.py | 2 +-
Allura/allura/model/discuss.py | 5 +-
.../tests/functional/test_forum.py | 17 +++++
.../033-change-comment-anon-permissions.py | 75 ++++++++++++++++++++
4 files changed, 96 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/8e445ced/Allura/allura/app.py
----------------------------------------------------------------------
diff --git a/Allura/allura/app.py b/Allura/allura/app.py
index 8db59dd..07b67d8 100644
--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -271,7 +271,7 @@ class Application(object):
permissions_desc = {
'unmoderated_post': 'Post comments without moderation.',
'post': 'Post comments, subject to moderation.',
- 'moderate': 'Moderate comments.',
+ 'moderate': 'Approve and edit all comments.',
'configure': 'Set label and options. Requires admin permission.',
'admin': 'Set permissions.',
}
http://git-wip-us.apache.org/repos/asf/allura/blob/8e445ced/Allura/allura/model/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/discuss.py b/Allura/allura/model/discuss.py
index aff6607..32cf68e 100644
--- a/Allura/allura/model/discuss.py
+++ b/Allura/allura/model/discuss.py
@@ -726,8 +726,9 @@ class Post(Message, VersionedArtifact, ActivityObject):
author = self.author()
author_role = ProjectRole.by_user(
author, project=self.project, upsert=True)
- security.simple_grant(
- self.acl, author_role._id, 'moderate')
+ if not author.is_anonymous():
+ security.simple_grant(
+ self.acl, author_role._id, 'moderate')
self.commit()
if (c.app.config.options.get('PostingPolicy') == 'ApproveOnceModerated'
and author._id != None):
http://git-wip-us.apache.org/repos/asf/allura/blob/8e445ced/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
index 7a55965..3f20911 100644
--- a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
+++ b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
@@ -523,6 +523,7 @@ class TestForum(TestController):
assert 'name="delete"' not in r
assert 'name="approve"' not in r
assert 'name="spam"' not in r
+ assert "Post content" not in r
assert_equal(spam_checker.check.call_args[0][0], 'Test Thread\nPost content')
# assert unapproved thread replies do not appear
@@ -559,6 +560,22 @@ class TestForum(TestController):
link = '<a href="%s">[%s]</a>' % (post2.thread.url() + '?limit=25#' + post2.slug, post2.shorthand_id())
assert link in r, link
+ # approve posts
+ r = self.app.post('/discussion/testforum/moderate/save_moderation', params={
+ 'post-0._id': post._id,
+ 'post-0.checked': 'on',
+ 'approve': 'Approve Marked'})
+ post = FM.ForumPost.query.get(text='Post content')
+
+ # assert anon can't edit their original post
+ r = self.app.get(thread.request.url,
+ extra_environ=dict(username='*anonymous'))
+ assert 'Post content' in r
+ post_container = r.html.find('div', {'id': post.slug})
+ btn_edit = post_container.find('a', {'title': 'Edit'})
+ assert not btn_edit
+
+
@td.with_tool('test2', 'Discussion', 'discussion')
@mock.patch('allura.model.discuss.g.spam_checker')
def test_is_spam(self, spam_checker):
http://git-wip-us.apache.org/repos/asf/allura/blob/8e445ced/scripts/migrations/033-change-comment-anon-permissions.py
----------------------------------------------------------------------
diff --git a/scripts/migrations/033-change-comment-anon-permissions.py b/scripts/migrations/033-change-comment-anon-permissions.py
new file mode 100644
index 0000000..9ef14ce
--- /dev/null
+++ b/scripts/migrations/033-change-comment-anon-permissions.py
@@ -0,0 +1,75 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import sys
+import logging
+from ming.orm import ThreadLocalORMSession, session
+from pylons import tmpl_context as c
+from allura import model as M
+from forgediscussion.model import ForumPost
+from allura.lib import utils, security
+from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter, ArgumentTypeError
+
+
+
+
+log = logging.getLogger(__name__)
+
+
+def add(acl, role):
+ if role not in acl:
+ acl.append(role)
+
+# migration script for change write permission to create + update
+
+
+def arguments():
+ parser = ArgumentParser(description="Args for changing anon comment permissions",
+ formatter_class=ArgumentDefaultsHelpFormatter, )
+ parser.add_argument('shortname', help="shortname of project to change perms on")
+ parser.add_argument('toolname', help="toolname to change perms on")
+
+ args = parser.parse_args()
+ return args
+
+
+def main():
+ args = arguments()
+
+ c.project = None # to avoid error in Artifact.__mongometa__.before_save
+ project = M.Project.query.get(shortname=args.shortname)
+ tool = project.app_config_by_tool_type(args.toolname)
+
+ for chunk in utils.chunked_find(ForumPost, {'app_config_id':tool._id}):
+ for p in chunk:
+ has_access = bool(security.has_access(p, 'moderate', M.User.anonymous()))
+ print "{} has access? {}".format(p.text, has_access)
+
+ if has_access:
+ anon_role_id = None
+ for acl in p.acl:
+ # find the anon moderate acl
+ if acl.permission == 'moderate' and acl.access=='ALLOW':
+ anon_role_id = acl.role_id
+
+ if anon_role_id:
+ security.simple_revoke(p.acl, anon_role_id, 'moderate')
+ session(p).flush(p)
+
+
+if __name__ == '__main__':
+ main()
[2/2] allura git commit: fixup! [#4841] Prevents anonymous users from
editing other anon comments, including their own.
Posted by ke...@apache.org.
fixup! [#4841] Prevents anonymous users from editing other anon comments, including their own.
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/8b2b4f07
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/8b2b4f07
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/8b2b4f07
Branch: refs/heads/kt/4841
Commit: 8b2b4f07c24156a5174ac812ad70c9e73402d5cd
Parents: 8e445ce
Author: Kenton Taylor <kt...@slashdotmedia.com>
Authored: Wed Feb 21 11:50:22 2018 -0500
Committer: Kenton Taylor <kt...@slashdotmedia.com>
Committed: Wed Feb 21 11:50:22 2018 -0500
----------------------------------------------------------------------
Allura/allura/model/discuss.py | 2 +-
.../033-change-comment-anon-permissions.py | 15 +++------------
2 files changed, 4 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/8b2b4f07/Allura/allura/model/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/discuss.py b/Allura/allura/model/discuss.py
index 32cf68e..4e3d51b 100644
--- a/Allura/allura/model/discuss.py
+++ b/Allura/allura/model/discuss.py
@@ -726,7 +726,7 @@ class Post(Message, VersionedArtifact, ActivityObject):
author = self.author()
author_role = ProjectRole.by_user(
author, project=self.project, upsert=True)
- if not author.is_anonymous():
+ if True or not author.is_anonymous():
security.simple_grant(
self.acl, author_role._id, 'moderate')
self.commit()
http://git-wip-us.apache.org/repos/asf/allura/blob/8b2b4f07/scripts/migrations/033-change-comment-anon-permissions.py
----------------------------------------------------------------------
diff --git a/scripts/migrations/033-change-comment-anon-permissions.py b/scripts/migrations/033-change-comment-anon-permissions.py
index 9ef14ce..b5a710c 100644
--- a/scripts/migrations/033-change-comment-anon-permissions.py
+++ b/scripts/migrations/033-change-comment-anon-permissions.py
@@ -25,18 +25,9 @@ from allura.lib import utils, security
from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter, ArgumentTypeError
-
-
log = logging.getLogger(__name__)
-def add(acl, role):
- if role not in acl:
- acl.append(role)
-
-# migration script for change write permission to create + update
-
-
def arguments():
parser = ArgumentParser(description="Args for changing anon comment permissions",
formatter_class=ArgumentDefaultsHelpFormatter, )
@@ -53,11 +44,10 @@ def main():
c.project = None # to avoid error in Artifact.__mongometa__.before_save
project = M.Project.query.get(shortname=args.shortname)
tool = project.app_config_by_tool_type(args.toolname)
-
+
for chunk in utils.chunked_find(ForumPost, {'app_config_id':tool._id}):
for p in chunk:
has_access = bool(security.has_access(p, 'moderate', M.User.anonymous()))
- print "{} has access? {}".format(p.text, has_access)
if has_access:
anon_role_id = None
@@ -67,9 +57,10 @@ def main():
anon_role_id = acl.role_id
if anon_role_id:
+ print "revoking anon moderate privelege for '{}'".format(p._id)
security.simple_revoke(p.acl, anon_role_id, 'moderate')
session(p).flush(p)
-
+
if __name__ == '__main__':
main()