changeset 3428:edb9a42def31 beta
fix to strict permission check on notification messages
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Sat, 02 Mar 2013 20:35:49 +0100 |
parents | d77d9ff149b1 |
children | fba8b977bed8 |
files | rhodecode/controllers/admin/notifications.py |
diffstat | 1 files changed, 6 insertions(+), 5 deletions(-) [+] |
--- a/rhodecode/controllers/admin/notifications.py Sat Mar 02 20:25:14 2013 +0100
+++ b/rhodecode/controllers/admin/notifications.py Sat Mar 02 20:35:49 2013 +0100
@@ -28,7 +28,7 @@
 from pylons import request
 from pylons import tmpl_context as c, url
-from pylons.controllers.util import redirect
+from pylons.controllers.util import redirect, abort
 from webhelpers.paginate import Page
@@ -117,7 +117,7 @@
 Session().commit()
 return 'ok'
 except Exception:
- Session.rollback()
+ Session().rollback()
 log.error(traceback.format_exc())
 return 'fail'
@@ -139,7 +139,7 @@
 Session().commit()
 return 'ok'
 except Exception:
- Session.rollback()
+ Session().rollback()
 log.error(traceback.format_exc())
 return 'fail'
@@ -149,8 +149,9 @@
 c.user = self.rhodecode_user
 no = Notification.get(notification_id)
- owner = all(un.user.user_id == c.rhodecode_user.user_id
+ owner = any(un.user.user_id == c.rhodecode_user.user_id
 for un in no.notifications_to_users)
+
 if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
 unotification = NotificationModel()\
 .get_user_notification(c.user.user_id, no)
@@ -165,7 +166,7 @@
 return render('admin/notifications/show_notification.html')
- return redirect(url('notifications'))
+ return abort(403)
 def edit(self, notification_id, format='html'):
 """GET /_admin/notifications/id/edit: Form to edit an existing item"""
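Review bot: In the `@@ -149,8 +149,9 @@` hunk the new `owner = any(...)` line dereferences `no.notifications_to_users` before the `if no and ...` guard on the following line checks whether `Notification.get(notification_id)` found anything, so a request for an unknown id fails with an AttributeError (an unhandled 500) rather than a controlled refusal. Check the lookup first, `if no is None:` / `    return abort(404)` right after `no = Notification.get(notification_id)`, using the `abort` this commit already imports, after which the `no and` in the guard is redundant. The `h.HasPermissionAny('hg.admin', 'repository.admin')()` line is unchanged context, but it is worth confirming that `repository.admin` is intended to grant read access to other users' notifications, since it is a repository-scoped permission rather than a site-wide one. The enclosing method starts before this hunk.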
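Review bot: In the `@@ -165,7 +166,7 @@` hunk, `abort()` from `pylons.controllers.util` raises an HTTPException rather than returning a value, so the `return` in `return abort(403)` is never reached; a bare `abort(403)` states the control flow honestly and is the usual way the helper is called. Whether `redirect` and `url`, still imported in the first hunk, remain used elsewhere in the file cannot be seen from this diff. The enclosing method starts before this hunk.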