changeset 2176:162bf5c978f8 beta

fixed missing permissions check on forks page
author Marcin Kuzminski <marcin@python-works.com>
date Thu, 29 Mar 2012 21:21:29 +0200
parents b61b7e266b39
children ee07357d9265
files docs/changelog.rst rhodecode/controllers/forks.py rhodecode/tests/functional/test_forks.py
diffstat 3 files changed, 63 insertions(+), 9 deletions(-) [+]
--- a/docs/changelog.rst	Thu Mar 29 16:22:26 2012 +0200
+++ b/docs/changelog.rst	Thu Mar 29 21:21:29 2012 +0200
@@ -19,6 +19,7 @@
 +++++
 
 - fixed dev-version marker for stable when served from source codes
+- fixed missing permission checks on show forks page
 
 1.3.4 (**2012-03-28**)
 ----------------------
--- a/rhodecode/controllers/forks.py	Thu Mar 29 16:22:26 2012 +0200
+++ b/rhodecode/controllers/forks.py	Thu Mar 29 21:21:29 2012 +0200
@@ -35,7 +35,7 @@
 
 from rhodecode.lib.helpers import Page
 from rhodecode.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator, \
-    NotAnonymous
+    NotAnonymous, HasRepoPermissionAny
 from rhodecode.lib.base import BaseRepoController, render
 from rhodecode.model.db import Repository, RepoGroup, UserFollowing, User
 from rhodecode.model.repo import RepoModel
@@ -103,7 +103,13 @@
     def forks(self, repo_name):
         p = int(request.params.get('page', 1))
         repo_id = c.rhodecode_db_repo.repo_id
-        d = Repository.get_repo_forks(repo_id)
+        d = []
+        for r in Repository.get_repo_forks(repo_id):
+            if not HasRepoPermissionAny(
+                'repository.read', 'repository.write', 'repository.admin'
+            )(r.repo_name, 'get forks check'):
+                continue
+            d.append(r)
         c.forks_pager = Page(d, page=p, items_per_page=20)
 
         c.forks_data = render('/forks/forks_data.html')
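Review bot: The checker on lines 40-42 is re-instantiated for every fork in the loop, and the filter reads more directly as a comprehension with the checker hoisted once: `perm_check = HasRepoPermissionAny('repository.read', 'repository.write', 'repository.admin')` followed by `d = [r for r in Repository.get_repo_forks(repo_id) if perm_check(r.repo_name, 'get forks check')]`. Either form preserves the useful property that `Page` only ever sees forks the current user may read, so the pager's item count does not hint at forks that are hidden from them; a one-line comment such as `# only list forks the current user may read` would make that intent explicit. Whether the `forks` action itself still requires read permission on the parent repository depends on decorators above line 34, which are outside this hunk, and the method body continues past the hunk.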
--- a/rhodecode/tests/functional/test_forks.py	Thu Mar 29 16:22:26 2012 +0200
+++ b/rhodecode/tests/functional/test_forks.py	Thu Mar 29 21:21:29 2012 +0200
@@ -1,9 +1,25 @@
 from rhodecode.tests import *
 
 from rhodecode.model.db import Repository
+from rhodecode.model.repo import RepoModel
+from rhodecode.model.user import UserModel
+
 
 class TestForksController(TestController):
 
+    def setUp(self):
+        self.username = u'forkuser'
+        self.password = u'qweqwe'
+        self.u1 = UserModel().create_or_update(
+            username=self.username, password=self.password,
+            email=u'fork_king@rhodecode.org', name=u'u1', lastname=u'u1'
+        )
+        self.Session.commit()
+
+    def tearDown(self):
+        self.Session.delete(self.u1)
+        self.Session.commit()
+
     def test_index(self):
         self.log_user()
         repo_name = HG_REPO
@@ -12,7 +28,6 @@
 
         self.assertTrue("""There are no forks yet""" in response.body)
 
-
     def test_index_with_fork(self):
         self.log_user()
 
@@ -34,7 +49,6 @@
         response = self.app.get(url(controller='forks', action='forks',
                                     repo_name=repo_name))
 
-
         self.assertTrue("""<a href="/%s/summary">"""
                          """vcs_test_hg_fork</a>""" % fork_name
                          in response.body)
@@ -42,9 +56,6 @@
         #remove this fork
         response = self.app.delete(url('repo', repo_name=fork_name))
 
-
-
-
     def test_z_fork_create(self):
         self.log_user()
         fork_name = HG_FORK
@@ -71,11 +82,9 @@
         self.assertEqual(fork_repo.repo_name, fork_name)
         self.assertEqual(fork_repo.fork.repo_name, repo_name)
 
-
         #test if fork is visible in the list ?
         response = response.follow()
 
-
         # check if fork is marked as fork
         # wait for cache to expire
         import time
@@ -84,3 +93,41 @@
                                     repo_name=fork_name))
 
         self.assertTrue('Fork of %s' % repo_name in response.body)
+
+    def test_zz_fork_permission_page(self):
+        usr = self.log_user(self.username, self.password)['user_id']
+        repo_name = HG_REPO
+
+        forks = self.Session.query(Repository)\
+            .filter(Repository.fork_id != None)\
+            .all()
+        self.assertEqual(1, len(forks))
+
+        # set read permissions for this
+        RepoModel().grant_user_permission(repo=forks[0],
+                                          user=usr,
+                                          perm='repository.read')
+        self.Session.commit()
+
+        response = self.app.get(url(controller='forks', action='forks',
+                                    repo_name=repo_name))
+
+        response.mustcontain('<div style="padding:5px 3px 3px 42px;">fork of vcs test</div>')
+
+    def test_zzz_fork_permission_page(self):
+        usr = self.log_user(self.username, self.password)['user_id']
+        repo_name = HG_REPO
+
+        forks = self.Session.query(Repository)\
+            .filter(Repository.fork_id != None)\
+            .all()
+        self.assertEqual(1, len(forks))
+
+        # set none
+        RepoModel().grant_user_permission(repo=forks[0],
+                                          user=usr, perm='repository.none')
+        self.Session.commit()
+        # fork shouldn't be there
+        response = self.app.get(url(controller='forks', action='forks',
+                                    repo_name=repo_name))
+        response.mustcontain('There are no forks yet')
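Review bot: The negative check in test_zzz_fork_permission_page on line 155 only confirms the empty-list message, which would also pass if the page rendered the message together with a fork entry; asserting the fork's name is absent, e.g. `self.assertFalse(forks[0].repo_name in response.body)`, pins the actual access-control behaviour. Both new tests also rely on the fork created by test_z_fork_create still existing and on the `zz`/`zzz` names sorting after it, so the `self.assertEqual(1, len(forks))` preconditions are order-dependent and will fail if the runner reorders or isolates tests; a comment stating that dependency, or creating and removing the fork within each test, would make that explicit.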