auth: don't expose full set of permissions into channelstream payload....
auth: don't expose the full set of permissions in the channelstream payload. This leads to a resource discovery security vulnerability

# -*- coding: utf-8 -*-
# Copyright (C) 2010-2017 RhodeCode GmbH
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License, version 3
# (only), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# This program is dual-licensed. If you wish to learn more about the
# RhodeCode Enterprise Edition, including its added features, Support services,
# and proprietary license terms, please see https://rhodecode.com/licenses/
"""
notifications controller for RhodeCode
"""
import logging
import traceback
from pylons import request
from pylons import tmpl_context as c, url
from pylons.controllers.util import redirect, abort
import webhelpers.paginate
from webob.exc import HTTPBadRequest
from rhodecode.lib import auth
from rhodecode.lib.auth import LoginRequired, NotAnonymous
from rhodecode.lib.base import BaseController, render
from rhodecode.lib import helpers as h
from rhodecode.lib.helpers import Page
from rhodecode.lib.utils2 import safe_int
from rhodecode.model.db import Notification
from rhodecode.model.notification import NotificationModel
from rhodecode.model.meta import Session
# Module-level logger; the update/delete handlers record failures through it.
log = logging.getLogger(__name__)
class NotificationsController(BaseController):
    """REST Controller styled on the Atom Publishing Protocol.

    Every action runs behind ``LoginRequired`` and ``NotAnonymous`` (see
    ``__before__``); the state-changing actions additionally demand a CSRF
    token.  Handlers read the request through pylons' ``request``/``c``
    globals and reach the database through ``NotificationModel``.
    """

    @LoginRequired()
    @NotAnonymous()
    def __before__(self):
        # Runs ahead of every action: the two decorators reject
        # unauthenticated and anonymous requests before any handler is hit.
        super(NotificationsController, self).__before__()

    def index(self):
        """GET /_admin/notifications: All items in the collection"""
        # url('notifications')
        current_user = c.rhodecode_user
        c.user = current_user
        type_filter = request.GET.getall('type')

        user_notifications = NotificationModel().get_for_user(
            current_user.user_id, filter_=type_filter)
        # Fall back to page 1 when ?page= is absent or not an integer.
        page_number = safe_int(request.GET.get('page', 1), 1)
        page_url = webhelpers.paginate.PageURL(
            url('notifications'), request.GET)
        c.notifications = Page(
            user_notifications, page=page_number, items_per_page=10,
            url=page_url)

        c.pull_request_type = Notification.TYPE_PULL_REQUEST
        c.comment_type = [Notification.TYPE_CHANGESET_COMMENT,
                          Notification.TYPE_PULL_REQUEST_COMMENT]

        # Translate the raw ?type= values into the label the template uses
        # to highlight the active filter; any other combination is 'all'.
        if type_filter == [c.pull_request_type]:
            c.current_filter = 'pull_request'
        elif type_filter == c.comment_type:
            c.current_filter = 'comment'
        else:
            c.current_filter = 'all'

        # XHR callers only want the list fragment, not the full page.
        if request.is_xhr:
            template = 'admin/notifications/notifications_data.mako'
        else:
            template = 'admin/notifications/notifications.mako'
        return render(template)

    @auth.CSRFRequired()
    def mark_all_read(self):
        """Mark all of the current user's notifications as read.

        Honours the same ``?type=`` filter as ``index``.  Only XHR requests
        are served; they receive the first page of the refreshed list
        rendered as the data fragment.  A non-XHR request does nothing and
        returns ``None``.
        """
        if not request.is_xhr:
            return None

        type_filter = request.GET.getall('type')
        current_user = c.rhodecode_user
        model = NotificationModel()

        # mark all read
        model.mark_all_read_for_user(current_user.user_id, filter_=type_filter)
        Session().commit()

        c.user = current_user
        remaining = model.get_for_user(current_user.user_id, filter_=type_filter)
        page_url = webhelpers.paginate.PageURL(
            url('notifications'), request.GET)
        c.notifications = Page(
            remaining, page=1, items_per_page=10, url=page_url)
        return render('admin/notifications/notifications_data.mako')

    def _has_permissions(self, notification):
        """Return True if the current user may act on *notification*.

        Granted to super-admins (``hg.admin``) and to every user that
        *notification* was addressed to (its ``notifications_to_users``
        association rows).
        """
        if h.HasPermissionAny('hg.admin')():
            return True
        current_user_id = c.rhodecode_user.user_id
        return any(
            recipient.user.user_id == current_user_id
            for recipient in notification.notifications_to_users)

    def _modify_notification(self, notification_id, model_method,
                             failure_message):
        """Apply *model_method* to one notification on behalf of the current user.

        *model_method* is an unbound ``NotificationModel`` method taking
        ``(user_id, notification)``.  Returns ``'ok'`` on success and
        ``None`` when the user may not touch the notification.  Any
        exception (including one raised by the permission check) rolls the
        session back, is logged with *failure_message* and becomes a 400.

        Raises:
            HTTPBadRequest: when the operation fails for any reason.
        """
        notification = Notification.get_or_404(notification_id)
        try:
            if not self._has_permissions(notification):
                # NOTE(review): a denied request ends with an empty 200
                # body rather than a 403 — confirm that is intended.
                return None
            # operates only on the notification2user association row
            model_method(
                NotificationModel(), c.rhodecode_user.user_id, notification)
            Session().commit()
            return 'ok'
        except Exception:
            Session().rollback()
            log.exception(failure_message)
            raise HTTPBadRequest()

    @auth.CSRFRequired()
    def update(self, notification_id):
        """Mark a single notification as read for the current user.

        Returns ``'ok'`` on success, ``None`` if the user may not act on it;
        a failure is logged and turned into ``HTTPBadRequest``.
        """
        return self._modify_notification(
            notification_id, NotificationModel.mark_read,
            "Exception updating a notification item")

    @auth.CSRFRequired()
    def delete(self, notification_id):
        """Remove a single notification from the current user's inbox.

        Only the user's own association row is removed (the notification
        itself stays for other recipients).  Returns ``'ok'`` on success,
        ``None`` if the user may not act on it; a failure is logged and
        turned into ``HTTPBadRequest``.
        """
        return self._modify_notification(
            notification_id, NotificationModel.delete,
            "Exception deleting a notification item")

    def show(self, notification_id):
        """Render one notification, marking it read on first view.

        Responds 403 when the user fails the permission check or has no
        association row for the notification — even an ``hg.admin`` user
        is refused without such a row.
        """
        c.user = c.rhodecode_user
        notification = Notification.get_or_404(notification_id)
        if not (notification and self._has_permissions(notification)):
            return abort(403)

        user_link = NotificationModel().get_user_notification(
            c.user.user_id, notification)
        # if this association to user is not valid, we don't want to show
        # this message
        if not user_link:
            return abort(403)

        if not user_link.read:
            user_link.mark_as_read()
            Session().commit()
        c.notification = notification
        return render('admin/notifications/show_notification.mako')