comment-history: block viewing any comment history by narrowing it to the specific repository we already have permissions to.
marcink -
r4406:11f8a530 default
@@ -435,17 +435,24 b' class RepoCommitsView(RepoAppView):'
435 435 route_name='repo_commit_comment_history_view', request_method='POST',
436 436 renderer='string', xhr=True)
437 437 def repo_commit_comment_history_view(self):
438 commit_id = self.request.matchdict['commit_id']
438 c = self.load_default_context()
439
439 440 comment_history_id = self.request.matchdict['comment_history_id']
440 441 comment_history = ChangesetCommentHistory.get_or_404(comment_history_id)
441 c = self.load_default_context()
442 c.comment_history = comment_history
442 is_repo_comment = comment_history.comment.repo.repo_id == self.db_repo.repo_id
443
444 if is_repo_comment:
445 c.comment_history = comment_history
443 446
444 rendered_comment = render(
445 'rhodecode:templates/changeset/comment_history.mako',
446 self._get_template_context(c)
447 , self.request)
448 return rendered_comment
447 rendered_comment = render(
448 'rhodecode:templates/changeset/comment_history.mako',
449 self._get_template_context(c)
450 , self.request)
451 return rendered_comment
452 else:
453 log.warning('No permissions for user %s to show comment_history_id: %s',
454 self._rhodecode_db_user, comment_history_id)
455 raise HTTPNotFound()
449 456
450 457 @LoginRequired()
451 458 @NotAnonymous()
@@ -567,7 +574,7 b' class RepoCommitsView(RepoAppView):'
567 574 is_repo_admin = h.HasRepoPermissionAny('repository.admin')(self.db_repo_name)
568 575 super_admin = h.HasPermissionAny('hg.admin')()
569 576 comment_owner = (comment.author.user_id == self._rhodecode_db_user.user_id)
570 is_repo_comment = comment.repo.repo_name == self.db_repo_name
577 is_repo_comment = comment.repo.repo_id == self.db_repo.repo_id
571 578 comment_repo_admin = is_repo_admin and is_repo_comment
572 579
573 580 if super_admin or comment_owner or comment_repo_admin:
@@ -588,9 +595,7 b' class RepoCommitsView(RepoAppView):'
588 595 route_name='repo_commit_comment_edit', request_method='POST',
589 596 renderer='json_ext')
590 597 def repo_commit_comment_edit(self):
591 commit_id = self.request.matchdict['commit_id']
592 598 comment_id = self.request.matchdict['comment_id']
593
594 599 comment = ChangesetComment.get_or_404(comment_id)
595 600
596 601 if comment.immutable:
@@ -600,7 +605,7 b' class RepoCommitsView(RepoAppView):'
600 605 is_repo_admin = h.HasRepoPermissionAny('repository.admin')(self.db_repo_name)
601 606 super_admin = h.HasPermissionAny('hg.admin')()
602 607 comment_owner = (comment.author.user_id == self._rhodecode_db_user.user_id)
603 is_repo_comment = comment.repo.repo_name == self.db_repo_name
608 is_repo_comment = comment.repo.repo_id == self.db_repo.repo_id
604 609 comment_repo_admin = is_repo_admin and is_repo_comment
605 610
606 611 if super_admin or comment_owner or comment_repo_admin:
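Review bot: The `is_repo_comment` test `comment.repo.repo_id == self.db_repo.repo_id` is now written out three times (in `repo_commit_comment_history_view` and in the two permission blocks of the second and fourth hunks); a small helper such as `def _is_repo_comment(self, comment): return comment.repo.repo_id == self.db_repo.repo_id` would keep the authorization rule in one place so a later change cannot drift between call sites. In `repo_commit_comment_history_view` the accepted path is nested under `if is_repo_comment:` with the rejection in an `else:`; inverting it into a guard (`if not is_repo_comment:` followed by the existing `log.warning(...)` and `raise HTTPNotFound()`) lets the render call sit at function level and reads as the usual deny-then-proceed shape. The new check dereferences `comment_history.comment.repo` with no None guard, so if a comment can exist without a repository this would surface as an AttributeError rather than the intended 404 — I cannot tell from the hunk whether the model permits that. The decorators above `def repo_commit_comment_history_view` and the rest of `RepoCommitsView` are outside the hunks, so I am assuming the repository-level read permission is enforced there.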