author | Mads Kiilerich <madski@unity3d.com> | 2013-01-02 13:56:44 +0100 |
---|---|---|
committer | Mads Kiilerich <madski@unity3d.com> | 2013-01-02 13:56:44 +0100 |
commit | d25c1ed1c3ebca272620c85d1c34acdcf15e122e (patch) | |
tree | 637b67fcc29305b238243c5a0a934067f0749c45 | |
parent | deb92c486d79da4908fc5e81ebf54ba20e977a0e (diff) |
access control: fix owner checks - they were always true
The lambda expressions seem to be left over from something else. They were no
longer executed and thus always evaluated to true.
Some of the functions also failed if they were executed.
--HG--
branch : beta
-rw-r--r-- | rhodecode/controllers/admin/notifications.py | 12 | ||||
-rw-r--r-- | rhodecode/controllers/changeset.py | 2 | ||||
-rw-r--r-- | rhodecode/controllers/pullrequests.py | 2 | ||||
-rw-r--r-- | rhodecode/tests/functional/test_admin_notifications.py | 1 |
4 files changed, 9 insertions, 8 deletions
diff --git a/rhodecode/controllers/admin/notifications.py b/rhodecode/controllers/admin/notifications.py index 90cfd69b..221aa00b 100644 --- a/rhodecode/controllers/admin/notifications.py +++ b/rhodecode/controllers/admin/notifications.py @@ -110,8 +110,8 @@ class NotificationsController(BaseController): # url('notification', notification_id=ID) try: no = Notification.get(notification_id) - owner = lambda: (no.notifications_to_users.user.user_id - == c.rhodecode_user.user_id) + owner = all(un.user.user_id == c.rhodecode_user.user_id + for un in no.notifications_to_users) if h.HasPermissionAny('hg.admin')() or owner: NotificationModel().mark_read(c.rhodecode_user.user_id, no) Session().commit() @@ -132,8 +132,8 @@ class NotificationsController(BaseController): try: no = Notification.get(notification_id) - owner = lambda: (no.notifications_to_users.user.user_id - == c.rhodecode_user.user_id) + owner = all(un.user.user_id == c.rhodecode_user.user_id + for un in no.notifications_to_users) if h.HasPermissionAny('hg.admin')() or owner: NotificationModel().delete(c.rhodecode_user.user_id, no) Session().commit() @@ -149,8 +149,8 @@ class NotificationsController(BaseController): c.user = self.rhodecode_user no = Notification.get(notification_id) - owner = lambda: (no.notifications_to_users.user.user_id - == c.user.user_id) + owner = all(un.user.user_id == c.rhodecode_user.user_id + for un in no.notifications_to_users) if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner): unotification = NotificationModel()\ .get_user_notification(c.user.user_id, no) diff --git a/rhodecode/controllers/changeset.py b/rhodecode/controllers/changeset.py index 68a21d37..32076a00 100644 --- a/rhodecode/controllers/changeset.py +++ b/rhodecode/controllers/changeset.py 
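Review bot: In notifications.py the new `owner = all(... for un in no.notifications_to_users)` at @@ -110 is true for a notification with no recipient rows, because `all()` of an empty iterable is `True`, so the check fails open in that case. It is also false for every recipient of a notification that has more than one, which would leave only admins able to act on it. The calls that follow are already scoped to `c.rhodecode_user.user_id`, so the test that seems intended is "the current user is one of the recipients": `owner = any(un.user.user_id == c.rhodecode_user.user_id for un in no.notifications_to_users)`. The same expression is added at @@ -132 and @@ -149; the enclosing methods start and end outside these hunks.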
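Review bot: At @@ -149 in notifications.py the new `owner = ...` line reads `no.notifications_to_users` before the `if no and (...)` guard on the following line, so the guard no longer protects that access. The removed lambda deferred the attribute lookup; the eager expression does not, and a notification id that `Notification.get` cannot resolve would raise AttributeError here, assuming `get` returns None for a missing row as the guard suggests. Prefixing the expression with `no is not None and` keeps the guard meaningful. The hunks at @@ -110 and @@ -132 do the same lookup inside a `try:` whose handler is outside the visible lines, so it is worth confirming that a missing notification is handled there too.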
@@ -371,7 +371,7 @@ class ChangesetController(BaseRepoController): @jsonify def delete_comment(self, repo_name, comment_id): co = ChangesetComment.get(comment_id) - owner = lambda: co.author.user_id == c.rhodecode_user.user_id + owner = co.author.user_id == c.rhodecode_user.user_id if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner: ChangesetCommentsModel().delete(comment=co) Session().commit() diff --git a/rhodecode/controllers/pullrequests.py b/rhodecode/controllers/pullrequests.py index 6225cbcc..fffbd520 100644 --- a/rhodecode/controllers/pullrequests.py +++ b/rhodecode/controllers/pullrequests.py @@ -477,7 +477,7 @@ class PullrequestsController(BaseRepoController): #don't allow deleting comments on closed pull request raise HTTPForbidden() - owner = lambda: co.author.user_id == c.rhodecode_user.user_id + owner = co.author.user_id == c.rhodecode_user.user_id if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner: ChangesetCommentsModel().delete(comment=co) Session().commit() diff --git a/rhodecode/tests/functional/test_admin_notifications.py b/rhodecode/tests/functional/test_admin_notifications.py index 66431a68..05ead3b2 100644 --- a/rhodecode/tests/functional/test_admin_notifications.py +++ b/rhodecode/tests/functional/test_admin_notifications.py @@ -82,6 +82,7 @@ class TestNotificationsController(TestController): response = self.app.delete(url('notification', notification_id= notification.notification_id)) + self.assertEqual(response.body, 'ok') cur_user = User.get(cur_usr_id) self.assertEqual(cur_user.notifications, []) |
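Review bot: In changeset.py `delete_comment`, `co` is fetched by `comment_id` alone and nothing in the visible lines ties it to `repo_name`, while the non-owner branch relies on `h.HasPermissionAny('hg.admin', 'repository.admin')()`. If that permission is evaluated for the repository named in the URL, a repository admin could delete a comment belonging to another repository, so the comment's repository should be compared with `repo_name` before `ChangesetCommentsModel().delete(comment=co)`. Because `co.author.user_id` is now evaluated eagerly, an unknown `comment_id` would also raise AttributeError if `ChangesetComment.get` returns None; an `if co is None:` guard that returns a not-found response belongs above the `owner` line. The pullrequests.py hunk at @@ -477 adds the same `owner` line, with its lookup of `co` outside the hunk.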
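Review bot: The added `self.assertEqual(response.body, 'ok')` in test_admin_notifications.py still covers only a user deleting their own notification, a path that also succeeded while the owner check was always true. The commit has no regression test for the refusal path it restores. A second test that logs in as a non-admin user who is not a recipient, sends the same `self.app.delete(url('notification', ...))` request and asserts the notification is still present would pin the fix. The test method starts outside the hunk.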