Mercurial > kallithea
view .hgignore @ 5875:abc1ada59076
notifications: untangle notification access check
This removes a broken permission check when viewing notifications (the
HasRepoPermissionAny object was created, but never actually called with
a repo_name argument as required). It would be non-trivial to actually
implement the check, as notifications don't track their repository
relationship explicitly, and even then, it's unclear why it would
make sense to allow a repository admin to see notifications to
other users.
It was never a vulnerability, due to a subsequent (and much stricter)
ownership check, which remains but has been untangled for readability.
In short, this changeset is a pure refactoring, except that specifying
a non-existent notification ID will now produce error 404, not 403.
author | Søren Løvborg <sorenl@unity3d.com> |
---|---|
date | Tue, 19 Apr 2016 18:03:30 +0200 |
parents | bfa66e8887d7 |
children | 9358211ee144 |
```
syntax: glob
*.pyc
*.swp
*.sqlite
*.tox
*.egg-info
*.egg
*.mo
.eggs/
tarballcache/
syntax: regexp
^rcextensions
^build
^dist/
^docs/build/
^docs/_build/
^data$
^kallithea/tests/data$
^sql_dumps/
^\.settings$
^\.project$
^\.pydevproject$
^\.coverage$
^kallithea\.db$
^test\.db$
^Kallithea\.egg-info$
^my\.ini$
^fabfile.py
^\.idea$
^\.cache$
```
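The commit message above describes a permission-check object that was created but never called. The following is an added, simplified model of that bug class and of the 403-to-404 behaviour change, not Kallithea's code: the body of `HasRepoPermissionAny`, the handler names, `HTTPError` and the sample data are all assumptions made for illustration.

```python
class HasRepoPermissionAny:
    """Hypothetical stand-in: holds the required permissions; the check
    only runs when the instance is called with a repo_name."""
    def __init__(self, *required):
        self.required = set(required)

    def __call__(self, repo_name, grants):
        return bool(self.required & grants.get(repo_name, set()))


class HTTPError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status


# Constructed sample data: notification id -> recipients and body.
NOTIFICATIONS = {1: {"to": {"alice"}, "body": "review requested"}}


def show_tangled(user, notification_id):
    """Pre-refactoring shape: the checker is created but never called."""
    n = NOTIFICATIONS.get(notification_id)
    repo_admin = HasRepoPermissionAny("repository.admin")  # never called
    if n and repo_admin:            # an uncalled instance is always truthy
        if user in n["to"]:         # the stricter check that really guards
            return n["body"]
    raise HTTPError(403)            # a missing id also ends up here


def show_untangled(user, notification_id):
    """Refactored shape: existence first (404), then ownership (403)."""
    n = NOTIFICATIONS.get(notification_id)
    if n is None:
        raise HTTPError(404)
    if user not in n["to"]:
        raise HTTPError(403)
    return n["body"]


def outcome(handler, user, notification_id):
    """Return the body on success, or the HTTP status on refusal."""
    try:
        return handler(user, notification_id)
    except HTTPError as e:
        return e.status
```

A checker instance used in a boolean context without being called is a pattern worth grepping for in review, since it silently turns a permission test into a constant.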