# HG changeset patch
# User Marcin Kuzminski
# Date 1348398293 -7200
# Node ID 5c1ad3b410e54f73d580eefc20dbff2d75188928
# Parent 6f3452fa4ffe4735c73e4b9d408458722de1a501
fixed #570 explicit users group permissions can overwrite owner permissions - added test for that case
diff -r 6f3452fa4ffe -r 5c1ad3b410e5 docs/changelog.rst
--- a/docs/changelog.rst Sun Sep 23 13:04:02 2012 +0200
+++ b/docs/changelog.rst Sun Sep 23 13:04:53 2012 +0200
@@ -15,10 +15,13 @@ ++++ - #558 Added config file to hooks extra data +- bumbped mercurial version to 2.3.1 fixes +++++ +- fixed #570 explicit users group permissions can overwrite owner permissions + 1.4.2 (**2012-09-12**) ----------------------
diff -r 6f3452fa4ffe -r 5c1ad3b410e5 rhodecode/model/user.py
--- a/rhodecode/model/user.py Sun Sep 23 13:04:02 2012 +0200
+++ b/rhodecode/model/user.py Sun Sep 23 13:04:53 2012 +0200
@@ -524,8 +524,12 @@ p = perm.Permission.permission_name cur_perm = user.permissions[RK][r_k] # overwrite permission only if it's greater than permission - # given from other sources + # given from other sources - disabled with `or 1` now if PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm] or 1: # disable check + if perm.Repository.user_id == uid: + # set admin if owner + p = 'repository.admin' + user.permissions[RK][r_k] = p # user explicit permissions for repositories
diff -r 6f3452fa4ffe -r 5c1ad3b410e5 rhodecode/tests/models/test_permissions.py
--- a/rhodecode/tests/models/test_permissions.py Sun Sep 23 13:04:02 2012 +0200
+++ b/rhodecode/tests/models/test_permissions.py Sun Sep 23 13:04:53 2012 +0200
@@ -10,7 +10,7 @@ from rhodecode.model.meta import Session from rhodecode.model.users_group import UsersGroupModel from rhodecode.lib.auth import AuthUser - +from rhodecode.tests.api.api_base import create_repo class TestPermissions(unittest.TestCase): 
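Review bot: The owner override added under the `or 1` condition only protects the users-group pass of the merge; because `or 1` makes every source unconditionally overwrite `user.permissions[RK][r_k]`, any source applied after this loop (the explicit user permissions that the trailing context comment introduces, or any source added later) can still replace the owner's `repository.admin`. A more robust shape is to leave the per-source loops alone and, once after all sources have been merged, set `repository.admin` for every repository whose `user_id == uid`, so the guarantee does not depend on each loop remembering the check. The `PERM_WEIGHTS[p] > PERM_WEIGHTS[cur_perm]` comparison is now dead code; if "last source wins" is the intended rule, replace the condition with a plain block and state that rule in the comment rather than keeping a disabled condition. The enclosing function starts and ends outside the hunk, so whether the explicit-user pass already carries its own owner check cannot be seen here.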
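Review bot: `from rhodecode.tests.api.api_base import create_repo` is not used by the two tests this commit adds (both call `RepoModel().create_repo(...)`), so it looks like a leftover; it also takes the place of the blank line before `class TestPermissions(unittest.TestCase):`, leaving one blank line where PEP 8 expects two. Unless something outside the visible hunks uses `create_repo`, drop the import and keep the blank line.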
@@ -40,6 +40,7 @@ def tearDown(self): if hasattr(self, 'test_repo'): RepoModel().delete(repo=self.test_repo) + UserModel().delete(self.u1) UserModel().delete(self.u2) UserModel().delete(self.u3)
@@ -425,3 +426,47 @@ set(['hg.create.repository', 'hg.fork.repository', 'hg.register.manual_activate', 'repository.read'])) + + def test_owner_permissions_doesnot_get_overwritten_by_group(self): + #create repo as USER, + self.test_repo = repo = RepoModel().create_repo(repo_name='myownrepo', + repo_type='hg', + description='desc', + owner=self.u1) + + Session().commit() + #he has permissions of admin as owner + u1_auth = AuthUser(user_id=self.u1.user_id) + self.assertEqual(u1_auth.permissions['repositories']['myownrepo'], + 'repository.admin') + #set his permission as users group, he should still be admin + self.ug1 = UsersGroupModel().create('G1') + # add user to group + UsersGroupModel().add_user_to_group(self.ug1, self.u1) + RepoModel().grant_users_group_permission(repo, group_name=self.ug1, + perm='repository.none') + + Session().commit() + u1_auth = AuthUser(user_id=self.u1.user_id) + self.assertEqual(u1_auth.permissions['repositories']['myownrepo'], + 'repository.admin') + + def test_owner_permissions_doesnot_get_overwritten_by_others(self): + #create repo as USER, + self.test_repo = repo = RepoModel().create_repo(repo_name='myownrepo', + repo_type='hg', + description='desc', + owner=self.u1) + + Session().commit() + #he has permissions of admin as owner + u1_auth = AuthUser(user_id=self.u1.user_id) + self.assertEqual(u1_auth.permissions['repositories']['myownrepo'], + 'repository.admin') + #set his permission as user, he should still be admin + RepoModel().grant_user_permission(repo, user=self.u1, + perm='repository.none') + Session().commit() + u1_auth = AuthUser(user_id=self.u1.user_id) + self.assertEqual(u1_auth.permissions['repositories']['myownrepo'], + 'repository.admin')
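Review bot: `UserModel().delete(self.u1)` is added here, but the users group `self.ug1` that `test_owner_permissions_doesnot_get_overwritten_by_group` creates with `UsersGroupModel().create('G1')` has no matching cleanup in this hunk, so a failing assertion in that test can leave `G1` behind and break the next run's `create('G1')`. Mirror the `test_repo` pattern with an `if hasattr(self, 'ug1'):` guard and the users-group equivalent of `RepoModel().delete`, placed before the user deletions since the group references `self.u1`. `tearDown` may continue past the end of the hunk and already handle this; if so, ignore.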
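Review bot: Both new tests only assert that the owner keeps `repository.admin`; neither checks that the override is scoped to the owner, i.e. that a second member of `G1` still receives `repository.none`, which is exactly the property a regression in the `perm.Repository.user_id == uid` check would break. Adding another user to the group (`self.u2` appears to exist, since `tearDown` deletes it) and asserting `AuthUser(user_id=self.u2.user_id).permissions['repositories']['myownrepo'] == 'repository.none'` would pin the negative side. The repository creation and the first admin assertion are duplicated verbatim across the two tests and could move into a small helper; the method names also read better as `does_not`.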