# HG changeset patch
# User Mads Kiilerich
# Date 1357131404 -3600
# Node ID a45191e7c7bb7db9a55d4b8275103bc1a0ed390a
# Parent 105a0374faa191792807d4b9aaa289f7224945a8
access control: fix owner checks - they were always true
The lambda expressions seems to be left over from something else. They were no longer executed and thus always evaluated to true. Some of the functions also failed if they were executed.
diff -r 105a0374faa1 -r a45191e7c7bb rhodecode/controllers/admin/notifications.py
--- a/rhodecode/controllers/admin/notifications.py Wed Jan 02 13:56:40 2013 +0100
+++ b/rhodecode/controllers/admin/notifications.py Wed Jan 02 13:56:44 2013 +0100
@@ -110,8 +110,8 @@
         # url('notification', notification_id=ID)
         try:
             no = Notification.get(notification_id)
-            owner = lambda: (no.notifications_to_users.user.user_id
-                             == c.rhodecode_user.user_id)
+            owner = all(un.user.user_id == c.rhodecode_user.user_id
+                        for un in no.notifications_to_users)
             if h.HasPermissionAny('hg.admin')() or owner:
                 NotificationModel().mark_read(c.rhodecode_user.user_id, no)
                 Session().commit()
@@ -132,8 +132,8 @@
         try:
             no = Notification.get(notification_id)
-            owner = lambda: (no.notifications_to_users.user.user_id
-                             == c.rhodecode_user.user_id)
+            owner = all(un.user.user_id == c.rhodecode_user.user_id
+                        for un in no.notifications_to_users)
             if h.HasPermissionAny('hg.admin')() or owner:
                 NotificationModel().delete(c.rhodecode_user.user_id, no)
                 Session().commit()
@@ -149,8 +149,8 @@
         c.user = self.rhodecode_user
         no = Notification.get(notification_id)
-        owner = lambda: (no.notifications_to_users.user.user_id
-                         == c.user.user_id)
+        owner = all(un.user.user_id == c.rhodecode_user.user_id
+                    for un in no.notifications_to_users)
         if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
             unotification = NotificationModel()\
                             .get_user_notification(c.user.user_id, no)
diff -r 105a0374faa1 -r a45191e7c7bb rhodecode/controllers/changeset.py
--- a/rhodecode/controllers/changeset.py Wed Jan 02 13:56:40 2013 +0100
+++ b/rhodecode/controllers/changeset.py Wed Jan 02 13:56:44 2013 +0100
@@ -371,7 +371,7 @@
     @jsonify
     def delete_comment(self, repo_name, comment_id):
         co = ChangesetComment.get(comment_id)
-        owner = lambda: co.author.user_id == c.rhodecode_user.user_id
+        owner = co.author.user_id == c.rhodecode_user.user_id
         if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
diff -r 105a0374faa1 -r a45191e7c7bb rhodecode/controllers/pullrequests.py
--- a/rhodecode/controllers/pullrequests.py Wed Jan 02 13:56:40 2013 +0100
+++ b/rhodecode/controllers/pullrequests.py Wed Jan 02 13:56:44 2013 +0100
@@ -477,7 +477,7 @@
             #don't allow deleting comments on closed pull request
             raise HTTPForbidden()
-        owner = lambda: co.author.user_id == c.rhodecode_user.user_id
+        owner = co.author.user_id == c.rhodecode_user.user_id
         if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
diff -r 105a0374faa1 -r a45191e7c7bb rhodecode/tests/functional/test_admin_notifications.py
--- a/rhodecode/tests/functional/test_admin_notifications.py Wed Jan 02 13:56:40 2013 +0100
+++ b/rhodecode/tests/functional/test_admin_notifications.py Wed Jan 02 13:56:44 2013 +0100
@@ -82,6 +82,7 @@
         response = self.app.delete(url('notification', notification_id=
                                        notification.notification_id))
+        self.assertEqual(response.body, 'ok')
         cur_user = User.get(cur_usr_id)
         self.assertEqual(cur_user.notifications, [])
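Review bot: `all(...)` is the wrong quantifier for the ownership test on the new `owner =` line of the -110 hunk: it is vacuously True when `no.notifications_to_users` is empty, so any authenticated user would pass `or owner` for a recipient-less notification, and it is False as soon as a notification has a second recipient, so a legitimate recipient can no longer mark it read or delete it for themselves. Both `mark_read` and `delete` are called with the current user's id, so the intended check is membership: `owner = any(un.user.user_id == c.rhodecode_user.user_id for un in no.notifications_to_users)`. The same line is repeated in the -132 and -149 hunks of this file and should change in all three. Whether a notification can exist with no recipients is not visible here, but an access check should not rely on it.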
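Review bot: The new `owner = all(...)` line in the -149 hunk is evaluated eagerly, so when `Notification.get` returns None the `no.notifications_to_users` access raises AttributeError before the `if no and ...` guard on the following line can short-circuit; the old lambda was never called, so this is a failure mode the commit introduces. Make the guard effective by folding it into the expression, `owner = no is not None and any(un.user.user_id == c.rhodecode_user.user_id for un in no.notifications_to_users)`, or compute `owner` inside the `if no` branch. The -110 and -132 hunks sit inside a `try:`, so the same AttributeError is at least caught there, though what the handler does with it is outside the hunk. The enclosing method begins and ends outside this hunk.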
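Review bot: The new `owner = co.author.user_id == ...` line dereferences `co` unconditionally, so a request with an unknown `comment_id` now fails with AttributeError on that line rather than with a deliberate response; before the change the lambda was never executed, so the None case silently reached `delete(comment=co)`. A `None` check on `co` before the owner test, returning a not-found response (webob's `HTTPNotFound`, if it is imported in this controller), makes the outcome explicit instead of a 500. The `owner =` line in the rhodecode/controllers/pullrequests.py hunk has the same shape, with `co` assigned outside that hunk. The body of `delete_comment` continues past the end of this hunk.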
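Review bot: The added `self.assertEqual(response.body, 'ok')` only confirms the success path for the user who owns the notification; the change being fixed is an authorization check, and nothing in this hunk exercises the refusing side — a logged-in user who is neither a recipient nor `hg.admin` issuing the same DELETE and the notification still being present afterwards. That negative case is the one that would have caught the always-true lambda in the first place. A second case with two recipients would also pin the quantifier chosen in the controller, since with the committed `all(...)` form neither recipient can delete such a notification. The enclosing test method starts outside the hunk.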