Posted to commits@allura.apache.org by br...@apache.org on 2021/04/08 14:38:45 UTC
[allura] branch master updated: Prevent private projects by
disallowing access to 'permissions' page
This is an automated email from the ASF dual-hosted git repository.
brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git
The following commit(s) were added to refs/heads/master by this push:
new 7e37745 Prevent private projects by disallowing access to 'permissions' page
7e37745 is described below
commit 7e377458de6487d38d96c31517df3b4d83e2e782
Author: Dillon Walls <di...@slashdotmedia.com>
AuthorDate: Wed Apr 7 13:56:36 2021 +0000
Prevent private projects by disallowing access to 'permissions' page
---
Allura/allura/ext/admin/admin_main.py | 8 +++++++-
Allura/allura/tests/functional/test_admin.py | 20 ++------------------
2 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/Allura/allura/ext/admin/admin_main.py b/Allura/allura/ext/admin/admin_main.py
index 26380b2..ae55943 100644
--- a/Allura/allura/ext/admin/admin_main.py
+++ b/Allura/allura/ext/admin/admin_main.py
@@ -43,7 +43,7 @@ from allura.app import Application, DefaultAdminController, SitemapEntry
from allura.lib import helpers as h
from allura import version
from allura import model as M
-from allura.lib.security import has_access, require_access
+from allura.lib.security import has_access, require_access, is_site_admin
from allura.lib.widgets import form_fields as ffw
from allura.lib import exceptions as forge_exc
from allura.lib import plugin
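Review bot: `is_site_admin` is added to the import on the new side, but nothing in this commit uses it — the file's seven additions in the diffstat are this line plus the six lines added to `_check_security`, none of which reference it — so it lands as an unused import, apparently left over from a site-admin exemption that was not written. Either revert the line to `from allura.lib.security import has_access, require_access` or make the exemption explicit in `_check_security`. If site admins are meant to keep access to the permissions page on root projects, that exception needs its own test rather than an unused name hinting at it.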
@@ -967,6 +967,12 @@ class ProjectAdminRestController(BaseController):
class PermissionsController(BaseController):
def _check_security(self):
+ # Do not allow access to 'permissions' page for root projects.
+ # Users should use 'groups' instead. This is to prevent creating 'private' projects
+ # - subprojects are still allowed.
+ # - tools pages are also still allowed, but are in a different controller
+ if c.project.is_root:
+ redirect('../groups')
require_access(c.project, 'admin')
@with_trailing_slash
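Review bot: The `is_root` redirect on the added lines runs before `require_access(c.project, 'admin')`, so for a root project this controller never evaluates the caller's permission and an anonymous or unauthorized request gets a 302 to `../groups` instead of the access error the rest of the admin UI returns; the access decision is then delegated to whatever the groups controller does, which is outside this hunk. Checking access first keeps the decision local and the failure mode consistent: `require_access(c.project, 'admin')` followed by `if c.project.is_root: redirect('../groups')`. The relative target also depends on the request path — `@with_trailing_slash` on the next line suggests requests without a trailing slash reach this controller, and if the redirect resolves relative to such a path `../groups` would land one level above the admin section — so an absolute URL under the project's admin path would be more robust. Since the stated goal is to prevent private projects, it is worth confirming that no other route writes the same permission data (the hunk header shows a `ProjectAdminRestController` in this file), because the guard lives only in this UI controller's `_check_security`.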
diff --git a/Allura/allura/tests/functional/test_admin.py b/Allura/allura/tests/functional/test_admin.py
index 0115bd9..75abc0e 100644
--- a/Allura/allura/tests/functional/test_admin.py
+++ b/Allura/allura/tests/functional/test_admin.py
@@ -608,24 +608,8 @@ class TestProjectAdmin(TestController):
'card-0.id': 'admin'})
def test_project_permissions(self):
- r = self.app.get('/admin/permissions/')
- assert len(r.html.findAll('input', {'name': 'card-0.value'})) == 1
- select = r.html.find('select', {'name': 'card-0.new'})
- opt_admin = select.find(text='Admin').parent
- opt_developer = select.find(text='Developer').parent
- assert opt_admin.name == 'option'
- assert opt_developer.name == 'option'
- with audits('updated "admin" permissions: "Admin" => "Admin,Developer"'):
- r = self.app.post('/admin/permissions/update', params={
- 'card-0.new': opt_developer['value'],
- 'card-0.value': opt_admin['value'],
- 'card-0.id': 'admin'})
- r = self.app.get('/admin/permissions/')
- assigned_ids = [t['value']
- for t in r.html.findAll('input', {'name': 'card-0.value'})]
- assert len(assigned_ids) == 2
- assert opt_developer['value'] in assigned_ids
- assert opt_admin['value'] in assigned_ids
+ r = self.app.get('/admin/permissions/', status=302)
+ assert_in('/admin/groups', r.location)
def test_subproject_permissions(self):
with audits('create subproject test-subproject'):