Mercurial > kallithea
view tox.ini @ 5875:abc1ada59076
notifications: untangle notification access check
This removes a broken permission check when viewing notifications (the
HasRepoPermissionAny object was created, but never actually called with
a repo_name argument as required). It would be non-trivial to actually
implement the check, as notifications don't track their repository
relationship explicitly, and even then, it's unclear why it would
make sense to allow a repository admin to see notifications to
other users.
It was never a vulnerability, due to a subsequent (and much stricter)
ownership check, which remains but has been untangled for readability.
In short, this changeset is a pure refactoring, except that specifying
a non-existent notification ID will now produce error 404, not 403.
author | Søren Løvborg <sorenl@unity3d.com> |
---|---|
date | Tue, 19 Apr 2016 18:03:30 +0200 |
parents | 6a83b399bb3c |
children | b2195895bbd7 |
line wrap: on
line source
[tox] minversion = 1.8 envlist = py{26,27}-pytest [testenv] setenv = PYTHONHASHSEED = 0 deps = pytest: pytest commands = pytest: py.test {posargs}