Posted to commits@allura.apache.org by br...@apache.org on 2021/04/08 14:38:45 UTC

[allura] branch master updated: Prevent private projects by disallowing access to 'permissions' page

This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/master by this push:
     new 7e37745  Prevent private projects by disallowing access to 'permissions' page
7e37745 is described below

commit 7e377458de6487d38d96c31517df3b4d83e2e782
Author: Dillon Walls <di...@slashdotmedia.com>
AuthorDate: Wed Apr 7 13:56:36 2021 +0000

    Prevent private projects by disallowing access to 'permissions' page
---
 Allura/allura/ext/admin/admin_main.py        |  8 +++++++-
 Allura/allura/tests/functional/test_admin.py | 20 ++------------------
 2 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/Allura/allura/ext/admin/admin_main.py b/Allura/allura/ext/admin/admin_main.py
index 26380b2..ae55943 100644
--- a/Allura/allura/ext/admin/admin_main.py
+++ b/Allura/allura/ext/admin/admin_main.py
@@ -43,7 +43,7 @@ from allura.app import Application, DefaultAdminController, SitemapEntry
 from allura.lib import helpers as h
 from allura import version
 from allura import model as M
-from allura.lib.security import has_access, require_access
+from allura.lib.security import has_access, require_access, is_site_admin
 from allura.lib.widgets import form_fields as ffw
 from allura.lib import exceptions as forge_exc
 from allura.lib import plugin
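Review bot: `is_site_admin` is added to the import on the `+` line but, as far as the visible hunks and the diffstat (7 insertions, 1 deletion in this file) show, nothing in this commit uses it. If the intent was to exempt site admins from the new root-project redirect in `PermissionsController._check_security`, the guard there should presumably read `if c.project.is_root and not is_site_admin(c.user):`; otherwise drop the name from the import so it does not sit as a dead symbol that suggests a bypass exists. Either way, the comment block added to `_check_security` should say explicitly whether site admins are also blocked.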
@@ -967,6 +967,12 @@ class ProjectAdminRestController(BaseController):
 
 class PermissionsController(BaseController):
     def _check_security(self):
+        # Do not allow access to 'permissions' page for root projects.
+        # Users should use 'groups' instead. This is to prevent creating 'private' projects
+        #  - subprojects are still allowed.
+        #  - tools pages are also still allowed, but are in a different controller
+        if c.project.is_root:
+            redirect('../groups')
         require_access(c.project, 'admin')
 
     @with_trailing_slash
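Review bot: `redirect('../groups')` is a relative redirect, so its target depends on the request URL: `/admin/permissions/` and `/admin/permissions/update` resolve to `/admin/groups`, but `/admin/permissions` without the trailing slash resolves one segment too high, and the `@with_trailing_slash` normalisation on `index` appears to run only after `_check_security` has already raised the redirect. Prefer an absolute path derived from the project's base URL (e.g. `redirect(c.project.url() + 'admin/groups')`, assuming the project model exposes its URL that way) so the behaviour does not vary with how the client typed the URL. Note also that the redirect is raised before `require_access(c.project, 'admin')`, so for root projects the admin check in this controller never executes; that is only safe because the groups controller enforces its own check, which this hunk does not show, so add a one-line comment recording that assumption, e.g. `# groups page enforces its own 'admin' check; require_access below is for subprojects only`. `PermissionsController` continues past the end of this hunk.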
diff --git a/Allura/allura/tests/functional/test_admin.py b/Allura/allura/tests/functional/test_admin.py
index 0115bd9..75abc0e 100644
--- a/Allura/allura/tests/functional/test_admin.py
+++ b/Allura/allura/tests/functional/test_admin.py
@@ -608,24 +608,8 @@ class TestProjectAdmin(TestController):
                 'card-0.id': 'admin'})
 
     def test_project_permissions(self):
-        r = self.app.get('/admin/permissions/')
-        assert len(r.html.findAll('input', {'name': 'card-0.value'})) == 1
-        select = r.html.find('select', {'name': 'card-0.new'})
-        opt_admin = select.find(text='Admin').parent
-        opt_developer = select.find(text='Developer').parent
-        assert opt_admin.name == 'option'
-        assert opt_developer.name == 'option'
-        with audits('updated "admin" permissions: "Admin" => "Admin,Developer"'):
-            r = self.app.post('/admin/permissions/update', params={
-                'card-0.new': opt_developer['value'],
-                'card-0.value': opt_admin['value'],
-                'card-0.id': 'admin'})
-        r = self.app.get('/admin/permissions/')
-        assigned_ids = [t['value']
-                        for t in r.html.findAll('input', {'name': 'card-0.value'})]
-        assert len(assigned_ids) == 2
-        assert opt_developer['value'] in assigned_ids
-        assert opt_admin['value'] in assigned_ids
+        r = self.app.get('/admin/permissions/', status=302)
+        assert_in('/admin/groups', r.location)
 
     def test_subproject_permissions(self):
         with audits('create subproject test-subproject'):