changeset 3141:a45191e7c7bb beta

access control: fix owner checks - they were always true

The lambda expressions seem to be left over from something else. They were no longer executed and thus always evaluated to true. Some of the functions also failed if they were executed.
author Mads Kiilerich <madski@unity3d.com>
date Wed, 02 Jan 2013 13:56:44 +0100
parents 105a0374faa1
children 1e7839c0930a
files rhodecode/controllers/admin/notifications.py rhodecode/controllers/changeset.py rhodecode/controllers/pullrequests.py rhodecode/tests/functional/test_admin_notifications.py
diffstat 4 files changed, 9 insertions(+), 8 deletions(-) [+]
--- a/rhodecode/controllers/admin/notifications.py	Wed Jan 02 13:56:40 2013 +0100
+++ b/rhodecode/controllers/admin/notifications.py	Wed Jan 02 13:56:44 2013 +0100
@@ -110,8 +110,8 @@
         # url('notification', notification_id=ID)
         try:
             no = Notification.get(notification_id)
-            owner = lambda: (no.notifications_to_users.user.user_id
-                             == c.rhodecode_user.user_id)
+            owner = all(un.user.user_id == c.rhodecode_user.user_id
+                        for un in no.notifications_to_users)
             if h.HasPermissionAny('hg.admin')() or owner:
                     NotificationModel().mark_read(c.rhodecode_user.user_id, no)
                     Session().commit()
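Review bot: `all(...)` on the new `owner` line is true when `no.notifications_to_users` is empty, so a notification with no recipient rows passes the owner check for any caller. It is also false for every recipient of a notification addressed to more than one user. Since `mark_read` is already called with `c.rhodecode_user.user_id`, membership looks like the intended test: `owner = any(un.user.user_id == c.rhodecode_user.user_id for un in no.notifications_to_users)`. The same expression is added in the hunks at @@ -132 and @@ -149 of this file. The enclosing method starts and ends outside the hunk, so how the `try` handles an unknown `notification_id` cannot be seen here.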
@@ -132,8 +132,8 @@
 
         try:
             no = Notification.get(notification_id)
-            owner = lambda: (no.notifications_to_users.user.user_id
-                             == c.rhodecode_user.user_id)
+            owner = all(un.user.user_id == c.rhodecode_user.user_id
+                        for un in no.notifications_to_users)
             if h.HasPermissionAny('hg.admin')() or owner:
                     NotificationModel().delete(c.rhodecode_user.user_id, no)
                     Session().commit()
@@ -149,8 +149,8 @@
         c.user = self.rhodecode_user
         no = Notification.get(notification_id)
 
-        owner = lambda: (no.notifications_to_users.user.user_id
-                         == c.user.user_id)
+        owner = all(un.user.user_id == c.rhodecode_user.user_id
+                    for un in no.notifications_to_users)
         if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
             unotification = NotificationModel()\
                             .get_user_notification(c.user.user_id, no)
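Review bot: `owner` is now evaluated from `no.notifications_to_users` before the `if no and (...)` guard on the next statement. An id that does not resolve would therefore raise AttributeError instead of reaching the guard, assuming `Notification.get` returns None for an unknown id. With the lambda that attribute access never ran, so this failure path is new. Folding the None test into the expression keeps the guard meaningful, e.g. `owner = no is not None and any(un.user.user_id == c.user.user_id for un in no.notifications_to_users)`. The new line also switches to `c.rhodecode_user` while the rest of the visible method uses `c.user`; using one name throughout makes the check easier to audit.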
--- a/rhodecode/controllers/changeset.py	Wed Jan 02 13:56:40 2013 +0100
+++ b/rhodecode/controllers/changeset.py	Wed Jan 02 13:56:44 2013 +0100
@@ -371,7 +371,7 @@
     @jsonify
     def delete_comment(self, repo_name, comment_id):
         co = ChangesetComment.get(comment_id)
-        owner = lambda: co.author.user_id == c.rhodecode_user.user_id
+        owner = co.author.user_id == c.rhodecode_user.user_id
         if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
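Review bot: `co` is dereferenced on the new `owner` line before anything visible checks that `ChangesetComment.get(comment_id)` found a comment. An unknown `comment_id` would now raise AttributeError rather than return a not-found response, assuming `get` returns None; an early `if co is None:` guard ahead of the owner line would cover it. Nothing in the hunk ties the comment to `repo_name` either. If the `repository.admin` check is evaluated for the repository in the URL, it is worth confirming the comment belongs to that repository before `ChangesetCommentsModel().delete(comment=co)`. The same `owner` line is added in pullrequests.py at @@ -477, where `co` is fetched outside the hunk; `delete_comment` continues past the end of this hunk.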
--- a/rhodecode/controllers/pullrequests.py	Wed Jan 02 13:56:40 2013 +0100
+++ b/rhodecode/controllers/pullrequests.py	Wed Jan 02 13:56:44 2013 +0100
@@ -477,7 +477,7 @@
             #don't allow deleting comments on closed pull request
             raise HTTPForbidden()
 
-        owner = lambda: co.author.user_id == c.rhodecode_user.user_id
+        owner = co.author.user_id == c.rhodecode_user.user_id
         if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
--- a/rhodecode/tests/functional/test_admin_notifications.py	Wed Jan 02 13:56:40 2013 +0100
+++ b/rhodecode/tests/functional/test_admin_notifications.py	Wed Jan 02 13:56:44 2013 +0100
@@ -82,6 +82,7 @@
         response = self.app.delete(url('notification',
                                        notification_id=
                                        notification.notification_id))
+        self.assertEqual(response.body, 'ok')
 
         cur_user = User.get(cur_usr_id)
         self.assertEqual(cur_user.notifications, [])
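Review bot: The added `self.assertEqual(response.body, 'ok')` only pins the success path for the notification's own recipient, so the test would also have passed while the owner check was always true. A companion test in which a different, non-admin user issues the same `self.app.delete(url('notification', ...))` and the notification is still present afterwards would guard against the regression this commit fixes. A short comment above the assertion, such as `# owner may delete their own notification`, would say which branch is covered. The test method starts outside the hunk.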