Mercurial > kallithea
view .travis.yml @ 5875:abc1ada59076
notifications: untangle notification access check
This removes a broken permission check when viewing notifications (the
HasRepoPermissionAny object was created, but never actually called with
a repo_name argument as required). It would be non-trivial to actually
implement the check, as notifications don't track their repository
relationship explicitly, and even then, it's unclear why it would
make sense to allow a repository admin to see notifications to
other users.
It was never a vulnerability, due to a subsequent (and much stricter)
ownership check, which remains but has been untangled for readability.
In short, this changeset is a pure refactoring, except that specifying
a non-existent notification ID will now produce error 404, not 403.
author | Søren Løvborg <sorenl@unity3d.com> |
---|---|
date | Tue, 19 Apr 2016 18:03:30 +0200 |
parents | a9a1560dad79 |
children | e285bb7abb28 |
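
The bug class described in the commit message above (a permission-checker object that is created but never called, sitting in front of a stricter ownership check), sketched as an added example. This is not Kallithea's code: the class body, the function names, the sample data and the `StrictChecker` guard are assumptions made for illustration.

```python
class HasRepoPermissionAny:
    """Stand-in checker (assumed shape): __init__ only stores the wanted
    permissions; the decision is made when the object is called."""
    def __init__(self, *perms):
        self.perms = set(perms)

    def __call__(self, user, repo_name):
        return bool(self.perms & REPO_PERMS.get((user, repo_name), set()))

class StrictChecker(HasRepoPermissionAny):
    """Assumed hardening, not from the page: fail loudly if used uncalled."""
    def __bool__(self):
        raise TypeError("permission checker used without being called")

# Constructed sample data.
REPO_PERMS = {("alice", "demo"): {"repository.admin"}}
RECIPIENTS = {1: {"bob"}}  # notification id -> users it was sent to

def show_before(user, notification_id):
    """Tangled shape: the outer check is vacuous, the inner one decides."""
    recipients = RECIPIENTS.get(notification_id)
    repo_admin = HasRepoPermissionAny("repository.admin")  # never called
    if recipients is not None and (repo_admin or user in recipients):
        if user in recipients:  # the stricter ownership check
            return 200
    return 403

def show_after(user, notification_id):
    """Untangled shape: unknown id is 404, non-recipient is 403."""
    recipients = RECIPIENTS.get(notification_id)
    if recipients is None:
        return 404
    if user not in recipients:
        return 403
    return 200

def outer_check_is_vacuous():
    """An uncalled checker is truthy even for a user with no permission."""
    checker = HasRepoPermissionAny("repository.admin")
    return bool(checker) and not checker("bob", "demo")
```

Both versions refuse a repository admin who is not a recipient; only the status code for a non-existent ID differs.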
```yaml
language: python
python:
  - "2.6"
  - "2.7"

env:
  - TEST_DB=sqlite:////tmp/kallithea_test.sqlite
  - TEST_DB=mysql://root@127.0.0.1/kallithea_test
  - TEST_DB=postgresql://postgres@127.0.0.1/kallithea_test

services:
  - mysql
  - postgresql

# command to install dependencies
before_script:
  - mysql -e 'create database kallithea_test;'
  - psql -c 'create database kallithea_test;' -U postgres
  - git --version

before_install:
  - sudo apt-get remove git
  - sudo add-apt-repository ppa:pdoes/ppa -y
  - sudo apt-get update -y
  - sudo apt-get install git -y

install:
  - pip install mysql-python psycopg2 mock unittest2
  - pip install . --use-mirrors

# command to run tests
script: nosetests

notifications:
  email:
    - ci@kallithea-scm.org
  irc: "irc.freenode.org#kallithea"

branches:
  only:
    - master
```