Posted to commits@allura.apache.org by br...@apache.org on 2014/09/24 16:26:32 UTC
[1/2] git commit: [#7560] ticket:630 Avoid anonymous permissions for
private tickets
Repository: allura
Updated Branches:
refs/heads/master 6a45c32bd -> da263158c
[#7560] ticket:630 Avoid anonymous permissions for private tickets
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/60ca822a
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/60ca822a
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/60ca822a
Branch: refs/heads/master
Commit: 60ca822a1f1abb0e1ec42ad360bfc7d20f650d84
Parents: 6a45c32
Author: discort <le...@bk.ru>
Authored: Sun Aug 17 13:05:29 2014 +0300
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Sep 24 13:38:14 2014 +0000
----------------------------------------------------------------------
Allura/allura/lib/validators.py | 11 +++++++++++
Allura/allura/tests/test_validators.py | 16 ++++++++++++++++
ForgeTracker/forgetracker/model/ticket.py | 8 +++++---
ForgeTracker/forgetracker/widgets/ticket_form.py | 6 ++++--
4 files changed, 36 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/60ca822a/Allura/allura/lib/validators.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/validators.py b/Allura/allura/lib/validators.py
index 5f8256f..344af39 100644
--- a/Allura/allura/lib/validators.py
+++ b/Allura/allura/lib/validators.py
@@ -189,6 +189,17 @@ class UserValidator(fev.FancyValidator):
return user
+class AnonymousValidator(fev.FancyValidator):
+
+ def _to_python(self, value, state):
+ from allura.model import User
+ if value:
+ if c.user == User.anonymous():
+ raise fe.Invalid('Log in to Mark as Private', value, state)
+ else:
+ return value
+
+
class PathValidator(fev.FancyValidator):
def _to_python(self, value, state):
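Review bot: `AnonymousValidator._to_python` returns None rather than the submitted value when `value` is falsy, because the only `return value` sits in the `else` branch of the `if value:` test; an unchecked "Mark as Private" box therefore comes back as None instead of False. Flatten it so the return is unconditional: `if value and c.user == User.anonymous(): raise fe.Invalid('Log in to Mark as Private', value, state)` followed by `return value`. A short docstring would also help, e.g. `"""Reject a truthy value when the current user is anonymous (stops anonymous users marking tickets private)."""`. Keep in mind this is a form-layer check that depends on the request-local `c.user`; it does not by itself protect other code paths that set `private`.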
http://git-wip-us.apache.org/repos/asf/allura/blob/60ca822a/Allura/allura/tests/test_validators.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_validators.py b/Allura/allura/tests/test_validators.py
index e0b4f2c..f50b8f7 100644
--- a/Allura/allura/tests/test_validators.py
+++ b/Allura/allura/tests/test_validators.py
@@ -97,6 +97,22 @@ class TestUserValidator(unittest.TestCase):
self.assertEqual(str(cm.exception), "Invalid username")
+class TestAnonymousValidator(unittest.TestCase):
+ val = v.AnonymousValidator
+
+ @patch('allura.lib.validators.c')
+ def test_valid(self, c):
+ c.user = M.User.by_username('root')
+ self.assertEqual(True, self.val.to_python(True))
+
+ @patch('allura.lib.validators.c')
+ def test_invalid(self, c):
+ c.user = M.User.anonymous()
+ with self.assertRaises(fe.Invalid) as cm:
+ self.val.to_python(True)
+ self.assertEqual(str(cm.exception), "Log in to Mark as Private")
+
+
class TestMountPointValidator(unittest.TestCase):
@patch('allura.lib.validators.c')
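Review bot: The two new tests only call `to_python(True)`; the unchecked-box path (`False`/`None`) is not exercised, and that is exactly where the validator's implicit fall-through return (no `return` outside the `if value:` branch) could surprise a caller. Add a case that patches `c.user = M.User.anonymous()` and asserts `self.assertFalse(self.val.to_python(False))`, so the validator is pinned to pass a falsy value through untouched even for anonymous users. Both tests also depend on `M.User.by_username('root')` resolving, which presumably comes from a fixture set up elsewhere in this file.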
http://git-wip-us.apache.org/repos/asf/allura/blob/60ca822a/ForgeTracker/forgetracker/model/ticket.py
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/model/ticket.py b/ForgeTracker/forgetracker/model/ticket.py
index 8e7c859..8218ec7 100644
--- a/ForgeTracker/forgetracker/model/ticket.py
+++ b/ForgeTracker/forgetracker/model/ticket.py
@@ -818,9 +818,11 @@ class Ticket(VersionedArtifact, ActivityObject, VotableArtifact):
ACE.allow(role._id, perm) for perm in perms]
# maintain existing access for developers and the ticket creator,
# but revoke all access for everyone else
- self.acl = _allow_all(role_developer, security.all_allowed(self, role_developer)) \
- + _allow_all(role_creator, security.all_allowed(self, role_creator)) \
- + [DENY_ALL]
+ acl = _allow_all(role_developer, security.all_allowed(self, role_developer))
+ if role_creator != ProjectRole.anonymous():
+ acl += _allow_all(role_creator, security.all_allowed(self, role_creator))
+ acl += [DENY_ALL]
+ self.acl = acl
else:
self.acl = []
private = property(_get_private, _set_private)
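Review bot: The comment above the new code, "maintain existing access for developers and the ticket creator", is now inaccurate since the creator grant is deliberately skipped when the creator role is anonymous; update it to `# maintain existing access for developers and the ticket creator (but never for the anonymous role, which would expose the private ticket to everyone), then revoke all access for everyone else`. The guard `role_creator != ProjectRole.anonymous()` relies on ProjectRole instances comparing equal by identity or `_id`; if the model does not define that, the guard never fires and the anonymous ACE is still granted silently, so comparing `_id` values explicitly would be more robust — worth confirming against the model. `role_creator` is computed above the hunk, so how an anonymous creator maps to the anonymous role is not visible here; `_set_private` begins outside the hunk.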
http://git-wip-us.apache.org/repos/asf/allura/blob/60ca822a/ForgeTracker/forgetracker/widgets/ticket_form.py
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/widgets/ticket_form.py b/ForgeTracker/forgetracker/widgets/ticket_form.py
index 677dd2a..4248b38 100644
--- a/ForgeTracker/forgetracker/widgets/ticket_form.py
+++ b/ForgeTracker/forgetracker/widgets/ticket_form.py
@@ -17,6 +17,7 @@
from pylons import tmpl_context as c
from formencode import validators as fev
+from webhelpers.html.builder import literal
import ew as ew_core
import ew.jinja2_ew as ew
@@ -24,6 +25,7 @@ import ew.jinja2_ew as ew
from allura import model as M
from allura.lib.widgets import form_fields as ffw
from allura.lib import helpers as h
+from allura.lib import validators as v
class TicketCustomFields(ew.CompoundField):
@@ -76,8 +78,7 @@ class GenericTicketForm(ew.SimpleForm):
display = field.display(**ctx)
if ctx['errors'] and field.show_errors and not ignore_errors:
- display = "%s<div class='error'>%s</div>" % (display,
- ctx['errors'])
+ display += literal("<div class='error'>{0}</div>".format(ctx['errors']))
return display
def _add_current_value_to_user_field(self, field, user):
@@ -114,6 +115,7 @@ class GenericTicketForm(ew.SimpleForm):
ffw.LabelEdit(label='Labels', name='labels',
className='ticket_form_tags'),
ew.Checkbox(name='private', label='Mark as Private',
+ validator=v.AnonymousValidator(),
attrs={'class': 'unlabeled'}),
ew.InputField(name='attachment', label='Attachment', field_type='file', attrs={
'multiple': 'True'}, validator=fev.FieldStorageUploadConverter(if_missing=None)),
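Review bot: Attaching `v.AnonymousValidator()` to the `private` checkbox guards only submissions that go through this form; any other entry point that sets `private` (an API or bulk-edit path, if one exists — not visible here) would not run it, so the ACL handling in the ticket model is the control that actually matters and this validator is a usability measure. A one-line comment would keep a future maintainer from treating it as the security boundary, e.g. `# UI-level check only; the model's ACL code must still refuse to grant the anonymous role`. The field list this belongs to starts and ends outside the hunk.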
[2/2] git commit: [#7560] better HTML construction to avoid injection
attacks, in case error message might have user-entered text
Posted by br...@apache.org.
[#7560] better HTML construction to avoid injection attacks, in case error message might have user-entered text
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/da263158
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/da263158
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/da263158
Branch: refs/heads/master
Commit: da263158c5bc889ef173b99d8a0acb162bd14d4f
Parents: 60ca822
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Wed Sep 24 14:15:19 2014 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Sep 24 14:15:19 2014 +0000
----------------------------------------------------------------------
ForgeTracker/forgetracker/widgets/ticket_form.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/da263158/ForgeTracker/forgetracker/widgets/ticket_form.py
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/widgets/ticket_form.py b/ForgeTracker/forgetracker/widgets/ticket_form.py
index 4248b38..0ac3973 100644
--- a/ForgeTracker/forgetracker/widgets/ticket_form.py
+++ b/ForgeTracker/forgetracker/widgets/ticket_form.py
@@ -78,7 +78,7 @@ class GenericTicketForm(ew.SimpleForm):
display = field.display(**ctx)
if ctx['errors'] and field.show_errors and not ignore_errors:
- display += literal("<div class='error'>{0}</div>".format(ctx['errors']))
+ display += literal("<div class='error'>") + ctx['errors'] + literal("</div>")
return display
def _add_current_value_to_user_field(self, field, user):
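Review bot: The new concatenation escapes `ctx['errors']` only when it is a plain str; if a validator hands back a `literal`/Markup it is rendered unescaped, and any non-string value (a dict of per-field errors from a compound field, say) is stringified first, which can produce an unhelpful message — presumably `errors` is always a plain message here, but that is an assumption worth confirming. The `display +=` also relies on `field.display(**ctx)` returning a `literal`; with a plain str on the left, `literal.__radd__` would escape the widget's own markup. A comment stating the invariant would help, e.g. `# display is a literal; concatenating with literal() escapes the (possibly user-derived) error text`. The enclosing method starts outside the hunk.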