comment-history: block viewing any comment history by narrowing to specific repository which we already have permissions to.
marcink -
r4406:11f8a530 default
@@ -435,17 +435,24 b' class RepoCommitsView(RepoAppView):'
435 route_name='repo_commit_comment_history_view', request_method='POST',
435 route_name='repo_commit_comment_history_view', request_method='POST',
436 renderer='string', xhr=True)
436 renderer='string', xhr=True)
437 def repo_commit_comment_history_view(self):
437 def repo_commit_comment_history_view(self):
438 commit_id = self.request.matchdict['commit_id']
438 c = self.load_default_context()
439
439 comment_history_id = self.request.matchdict['comment_history_id']
440 comment_history_id = self.request.matchdict['comment_history_id']
440 comment_history = ChangesetCommentHistory.get_or_404(comment_history_id)
441 comment_history = ChangesetCommentHistory.get_or_404(comment_history_id)
441 c = self.load_default_context()
442 is_repo_comment = comment_history.comment.repo.repo_id == self.db_repo.repo_id
442 c.comment_history = comment_history
443
444 if is_repo_comment:
445 c.comment_history = comment_history
443
446
444 rendered_comment = render(
447 rendered_comment = render(
445 'rhodecode:templates/changeset/comment_history.mako',
448 'rhodecode:templates/changeset/comment_history.mako',
446 self._get_template_context(c)
449 self._get_template_context(c)
447 , self.request)
450 , self.request)
448 return rendered_comment
451 return rendered_comment
452 else:
453 log.warning('No permissions for user %s to show comment_history_id: %s',
454 self._rhodecode_db_user, comment_history_id)
455 raise HTTPNotFound()
449
456
450 @LoginRequired()
457 @LoginRequired()
451 @NotAnonymous()
458 @NotAnonymous()
@@ -567,7 +574,7 b' class RepoCommitsView(RepoAppView):'
567 is_repo_admin = h.HasRepoPermissionAny('repository.admin')(self.db_repo_name)
574 is_repo_admin = h.HasRepoPermissionAny('repository.admin')(self.db_repo_name)
568 super_admin = h.HasPermissionAny('hg.admin')()
575 super_admin = h.HasPermissionAny('hg.admin')()
569 comment_owner = (comment.author.user_id == self._rhodecode_db_user.user_id)
576 comment_owner = (comment.author.user_id == self._rhodecode_db_user.user_id)
570 is_repo_comment = comment.repo.repo_name == self.db_repo_name
577 is_repo_comment = comment.repo.repo_id == self.db_repo.repo_id
571 comment_repo_admin = is_repo_admin and is_repo_comment
578 comment_repo_admin = is_repo_admin and is_repo_comment
572
579
573 if super_admin or comment_owner or comment_repo_admin:
580 if super_admin or comment_owner or comment_repo_admin:
@@ -588,9 +595,7 b' class RepoCommitsView(RepoAppView):'
588 route_name='repo_commit_comment_edit', request_method='POST',
595 route_name='repo_commit_comment_edit', request_method='POST',
589 renderer='json_ext')
596 renderer='json_ext')
590 def repo_commit_comment_edit(self):
597 def repo_commit_comment_edit(self):
591 commit_id = self.request.matchdict['commit_id']
592 comment_id = self.request.matchdict['comment_id']
598 comment_id = self.request.matchdict['comment_id']
593
594 comment = ChangesetComment.get_or_404(comment_id)
599 comment = ChangesetComment.get_or_404(comment_id)
595
600
596 if comment.immutable:
601 if comment.immutable:
@@ -600,7 +605,7 b' class RepoCommitsView(RepoAppView):'
600 is_repo_admin = h.HasRepoPermissionAny('repository.admin')(self.db_repo_name)
605 is_repo_admin = h.HasRepoPermissionAny('repository.admin')(self.db_repo_name)
601 super_admin = h.HasPermissionAny('hg.admin')()
606 super_admin = h.HasPermissionAny('hg.admin')()
602 comment_owner = (comment.author.user_id == self._rhodecode_db_user.user_id)
607 comment_owner = (comment.author.user_id == self._rhodecode_db_user.user_id)
603 is_repo_comment = comment.repo.repo_name == self.db_repo_name
608 is_repo_comment = comment.repo.repo_id == self.db_repo.repo_id
604 comment_repo_admin = is_repo_admin and is_repo_comment
609 comment_repo_admin = is_repo_admin and is_repo_comment
605
610
606 if super_admin or comment_owner or comment_repo_admin:
611 if super_admin or comment_owner or comment_repo_admin:
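Review bot: In the two permission hunks (new lines 577 and 608) `is_repo_comment` only gates the `comment_repo_admin` branch, so the `comment_owner` path still accepts a comment that belongs to a different repository than the one in the route. The comment is fetched by `comment_id` alone, and with `commit_id` no longer read, nothing ties it to the URL for its author. If the route decorators (outside these hunks) authorize against the URL's repository, an author could presumably still edit or delete their comment in a repository they have lost access to. Consider failing closed in both handlers, as the history view now does, by adding `if not is_repo_comment: raise HTTPNotFound()` before `if super_admin or comment_owner or comment_repo_admin:`. Both handler bodies continue past the end of their hunks, so confirm nothing later already enforces this.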