changeset 5402:7570d6665f0f

pullrequests: don't ignore attempts at changing status without permission - just reject them
author Mads Kiilerich <madski@unity3d.com>
date Mon, 17 Aug 2015 01:11:42 +0200
parents 11bc459d010b
children 4eb390c2d2bd
files kallithea/controllers/pullrequests.py
diffstat 1 files changed, 29 insertions(+), 22 deletions(-) [+]
--- a/kallithea/controllers/pullrequests.py	Mon Aug 17 01:11:42 2015 +0200
+++ b/kallithea/controllers/pullrequests.py	Mon Aug 17 01:11:42 2015 +0200
@@ -701,12 +701,21 @@
     def comment(self, repo_name, pull_request_id):
         pull_request = PullRequest.get_or_404(pull_request_id)
 
-        status = 0
-        close_pr = False
+        status = request.POST.get('changeset_status')
+        close_pr = request.POST.get('save_close')
+        f_path = request.POST.get('f_path')
+        line_no = request.POST.get('line')
+
+        if (status or close_pr) and (f_path or line_no):
+            # status votes and closing is only possible in general comments
+            raise HTTPBadRequest()
+
         allowed_to_change_status = self._get_is_allowed_change_status(pull_request)
-        if allowed_to_change_status:
-            status = request.POST.get('changeset_status')
-            close_pr = request.POST.get('save_close')
+        if not allowed_to_change_status:
+            if status or close_pr:
+                h.flash(_('No permission to change pull request status'), 'error')
+                raise HTTPForbidden()
+
         text = request.POST.get('text', '').strip()
         if close_pr:
             text = _('Closing.') + '\n' + text
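Review bot: `status` is read straight from `request.POST.get('changeset_status')` and is never checked against the set of recognised status values before it is handed to `ChangesetStatus.get_status_lbl(status)` and `ChangesetStatusModel().set_status(...)` in the later hunks; the new code only tests it for truthiness. Whether those callees reject an unknown value is not visible in this diff, so a guard next to the new `HTTPBadRequest` check, along the lines of `if status and status not in <known status values>: raise HTTPBadRequest()`, would keep validation of the untrusted field in the controller. The same applies to `close_pr`, which closes the pull request on any truthy string. A short docstring on `comment` spelling out the two rejection paths (400 for a status vote or close on an inline comment, 403 for either without permission) would also help, since they are now the method's main contract. The body of `comment` continues past this hunk.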
@@ -716,8 +725,8 @@
             repo=c.db_repo.repo_id,
             user=c.authuser.user_id,
             pull_request=pull_request_id,
-            f_path=request.POST.get('f_path'),
-            line_no=request.POST.get('line'),
+            f_path=f_path,
+            line_no=line_no,
             status_change=(ChangesetStatus.get_status_lbl(status)
                            if status and allowed_to_change_status else None),
             closing_pr=close_pr
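Review bot: The `status and allowed_to_change_status` condition in `status_change=` is now partly redundant, because the earlier hunk raises `HTTPForbidden` whenever `status` is truthy and the user is not allowed to change status, so `allowed_to_change_status` can no longer be false at this point when `status` is set. Simplifying to `status_change=(ChangesetStatus.get_status_lbl(status) if status else None)` would keep the permission decision in one place and match the unconditional `if status:` / `if close_pr:` blocks in the following hunk. If the `allowed_to_change_status` test is kept on purpose as defence in depth, a one-line comment saying so would stop the next reader from "cleaning it up". The enclosing call and the `comment` method both extend outside this hunk.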
@@ -727,22 +736,20 @@
                       'user_commented_pull_request:%s' % pull_request_id,
                       c.db_repo, self.ip_addr, self.sa)
 
-        if allowed_to_change_status:
-            # get status if set !
-            if status:
-                ChangesetStatusModel().set_status(
-                    c.db_repo.repo_id,
-                    status,
-                    c.authuser.user_id,
-                    comment,
-                    pull_request=pull_request_id
-                )
+        if status:
+            ChangesetStatusModel().set_status(
+                c.db_repo.repo_id,
+                status,
+                c.authuser.user_id,
+                comment,
+                pull_request=pull_request_id
+            )
 
-            if close_pr:
-                PullRequestModel().close_pull_request(pull_request_id)
-                action_logger(self.authuser,
-                              'user_closed_pull_request:%s' % pull_request_id,
-                              c.db_repo, self.ip_addr, self.sa)
+        if close_pr:
+            PullRequestModel().close_pull_request(pull_request_id)
+            action_logger(self.authuser,
+                          'user_closed_pull_request:%s' % pull_request_id,
+                          c.db_repo, self.ip_addr, self.sa)
 
         Session().commit()