Mercurial > kallithea
view setup.cfg @ 5875:abc1ada59076
notifications: untangle notification access check
This removes a broken permission check when viewing notifications (the
HasRepoPermissionAny object was created, but never actually called with
a repo_name argument as required). It would be non-trivial to actually
implement the check, as notifications don't track their repository
relationship explicitly, and even then, it's unclear why it would
make sense to allow a repository admin to see notifications to
other users.
It was never a vulnerability, due to a subsequent (and much stricter)
ownership check, which remains but has been untangled for readability.
In short, this changeset is a pure refactoring, except that specifying
a non-existent notification ID will now produce error 404, not 403.
author | Søren Løvborg <sorenl@unity3d.com> |
---|---|
date | Tue, 19 Apr 2016 18:03:30 +0200 |
parents | d88077fae3d6 |
children | 0a2d85671b59 |
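
The pattern the commit message describes, as an added example that is not Kallithea's code: a callable permission checker that is constructed but never called is always truthy, so only the later ownership check decides access. Every name below (`HasRepoPermissionAnySketch`, `show_before`, `show_after`, the sample users and notification) is a hypothetical stand-in, and the data is constructed.

```python
# Added illustration; hypothetical stand-ins only, not the project's code.

class HasRepoPermissionAnySketch:
    """Configured with permission names, then CALLED with (user, repo_name)."""
    def __init__(self, *required):
        self.required = set(required)

    def __call__(self, user, repo_name):
        return bool(self.required & user["repo_perms"].get(repo_name, set()))

class NotFound(Exception): status = 404
class Forbidden(Exception): status = 403

# Constructed sample data.
NOTIFICATIONS = {1: {"owner": "alice", "body": "review requested"}}
ALICE = {"name": "alice", "is_admin": False, "repo_perms": {}}
BOB = {"name": "bob", "is_admin": False,
       "repo_perms": {"demo": {"repository.admin"}}}

def show_before(user, notification_id):
    """Tangled form: the checker instance is used without being called."""
    no = NOTIFICATIONS.get(notification_id)
    repo_admin = HasRepoPermissionAnySketch("repository.admin")  # never called
    # A plain object is truthy, so this condition passes for every user.
    if no is not None and (user["is_admin"] or repo_admin):
        if no["owner"] == user["name"]:  # stricter check that really decides
            return no["body"]
    raise Forbidden()  # also hit for a missing notification

def show_after(user, notification_id):
    """Untangled form: existence first (404), then ownership (403)."""
    no = NOTIFICATIONS.get(notification_id)
    if no is None:
        raise NotFound()
    if no["owner"] != user["name"]:
        raise Forbidden()
    return no["body"]

def status(view, user, notification_id):
    """Map a view call to the HTTP status it would produce."""
    try:
        view(user, notification_id)
        return 200
    except (NotFound, Forbidden) as exc:
        return exc.status
```

Comparing `status(show_before, ...)` with `status(show_after, ...)` for the owner, a non-owner and a missing ID shows the only observable difference is 403 becoming 404 for the missing ID.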
```ini
[egg_info]
tag_build =
tag_svn_revision = 0
tag_date = 0

[aliases]
test = pytest

[compile_catalog]
domain = kallithea
directory = kallithea/i18n
statistics = true

[extract_messages]
add_comments = TRANSLATORS:
output_file = kallithea/i18n/kallithea.pot
msgid-bugs-address = translations@kallithea-scm.org
copyright-holder = Various authors, licensing as GPLv3
no-wrap = true

[init_catalog]
domain = kallithea
input_file = kallithea/i18n/kallithea.pot
output_dir = kallithea/i18n

[update_catalog]
domain = kallithea
input_file = kallithea/i18n/kallithea.pot
output_dir = kallithea/i18n
previous = true

[build_sphinx]
source-dir = docs/
build-dir = docs/_build
all_files = 1

[upload_sphinx]
upload-dir = docs/_build/html
```