##// END OF EJS Templates
auth: don't expose full set of permissions into channelstream payload....
auth: don't expose full set of permissions into channelstream payload. This leads to resource discovery security vulnerability

File last commit:

r1812:7d0f908d default
r2194:90609677 stable
Show More
notifications.py
157 lines | 5.8 KiB | text/x-python | PythonLexer
project: added all source files and assets
r1 # -*- coding: utf-8 -*-
license: updated copyright year to 2017
r1271 # Copyright (C) 2010-2017 RhodeCode GmbH
project: added all source files and assets
r1 #
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License, version 3
# (only), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# This program is dual-licensed. If you wish to learn more about the
# RhodeCode Enterprise Edition, including its added features, Support services,
# and proprietary license terms, please see https://rhodecode.com/licenses/
"""
notifications controller for RhodeCode
"""
import logging
import traceback
from pylons import request
from pylons import tmpl_context as c, url
from pylons.controllers.util import redirect, abort
import webhelpers.paginate
from webob.exc import HTTPBadRequest
from rhodecode.lib import auth
from rhodecode.lib.auth import LoginRequired, NotAnonymous
from rhodecode.lib.base import BaseController, render
from rhodecode.lib import helpers as h
from rhodecode.lib.helpers import Page
from rhodecode.lib.utils2 import safe_int
from rhodecode.model.db import Notification
from rhodecode.model.notification import NotificationModel
from rhodecode.model.meta import Session
log = logging.getLogger(__name__)
class NotificationsController(BaseController):
"""REST Controller styled on the Atom Publishing Protocol"""
@LoginRequired()
@NotAnonymous()
def __before__(self):
super(NotificationsController, self).__before__()
def index(self):
"""GET /_admin/notifications: All items in the collection"""
# url('notifications')
c.user = c.rhodecode_user
notifications: fixed problem with 500 errors on non-numeric...
r1812 notif = NotificationModel().get_for_user(
c.rhodecode_user.user_id, filter_=request.GET.getall('type'))
project: added all source files and assets
r1
p = safe_int(request.GET.get('page', 1), 1)
notifications_url = webhelpers.paginate.PageURL(
url('notifications'), request.GET)
c.notifications = Page(notif, page=p, items_per_page=10,
url=notifications_url)
c.pull_request_type = Notification.TYPE_PULL_REQUEST
c.comment_type = [Notification.TYPE_CHANGESET_COMMENT,
Notification.TYPE_PULL_REQUEST_COMMENT]
_current_filter = request.GET.getall('type')
c.current_filter = 'all'
if _current_filter == [c.pull_request_type]:
c.current_filter = 'pull_request'
elif _current_filter == c.comment_type:
c.current_filter = 'comment'
if request.is_xhr:
templating: use .mako as extensions for template files.
r1282 return render('admin/notifications/notifications_data.mako')
project: added all source files and assets
r1
templating: use .mako as extensions for template files.
r1282 return render('admin/notifications/notifications.mako')
project: added all source files and assets
r1
@auth.CSRFRequired()
def mark_all_read(self):
if request.is_xhr:
nm = NotificationModel()
# mark all read
nm.mark_all_read_for_user(c.rhodecode_user.user_id,
filter_=request.GET.getall('type'))
Session().commit()
c.user = c.rhodecode_user
notif = nm.get_for_user(c.rhodecode_user.user_id,
filter_=request.GET.getall('type'))
notifications_url = webhelpers.paginate.PageURL(
url('notifications'), request.GET)
c.notifications = Page(notif, page=1, items_per_page=10,
url=notifications_url)
templating: use .mako as extensions for template files.
r1282 return render('admin/notifications/notifications_data.mako')
project: added all source files and assets
r1
def _has_permissions(self, notification):
def is_owner():
user_id = c.rhodecode_user.user_id
for user_notification in notification.notifications_to_users:
if user_notification.user.user_id == user_id:
return True
return False
return h.HasPermissionAny('hg.admin')() or is_owner()
@auth.CSRFRequired()
def update(self, notification_id):
notifications: fixed problem with 500 errors on non-numeric...
r1812 no = Notification.get_or_404(notification_id)
project: added all source files and assets
r1 try:
if self._has_permissions(no):
# deletes only notification2user
NotificationModel().mark_read(c.rhodecode_user.user_id, no)
Session().commit()
return 'ok'
except Exception:
Session().rollback()
log.exception("Exception updating a notification item")
raise HTTPBadRequest()
@auth.CSRFRequired()
def delete(self, notification_id):
notifications: fixed problem with 500 errors on non-numeric...
r1812 no = Notification.get_or_404(notification_id)
project: added all source files and assets
r1 try:
if self._has_permissions(no):
# deletes only notification2user
NotificationModel().delete(c.rhodecode_user.user_id, no)
Session().commit()
return 'ok'
except Exception:
Session().rollback()
log.exception("Exception deleting a notification item")
raise HTTPBadRequest()
def show(self, notification_id):
c.user = c.rhodecode_user
notifications: fixed problem with 500 errors on non-numeric...
r1812 no = Notification.get_or_404(notification_id)
project: added all source files and assets
r1
if no and self._has_permissions(no):
unotification = NotificationModel()\
.get_user_notification(c.user.user_id, no)
# if this association to user is not valid, we don't want to show
# this message
if unotification:
if not unotification.read:
unotification.mark_as_read()
Session().commit()
c.notification = no
templating: use .mako as extensions for template files.
r1282 return render('admin/notifications/show_notification.mako')
project: added all source files and assets
r1
return abort(403)