auth: don't expose full set of permissions into channelstream payload....
ergo -
r2157:aefa7aac default
@@ -71,6 +71,7 b' class ChannelstreamView(object):'
71 except Exception:
71 except Exception:
72 log.exception('Failed to decode json from request')
72 log.exception('Failed to decode json from request')
73 raise HTTPBadRequest()
73 raise HTTPBadRequest()
74
74 try:
75 try:
75 channels = check_channel_permissions(
76 channels = check_channel_permissions(
76 json_body.get('channels'),
77 json_body.get('channels'),
@@ -92,7 +93,7 b' class ChannelstreamView(object):'
92 'display_name': None,
93 'display_name': None,
93 'display_link': None,
94 'display_link': None,
94 }
95 }
95 user_data['permissions'] = self._rhodecode_user.permissions
96 user_data['permissions'] = self._rhodecode_user.permissions_safe
96 payload = {
97 payload = {
97 'username': user.username,
98 'username': user.username,
98 'user_state': user_data,
99 'user_state': user_data,
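Review bot: Switching line 96 to `permissions_safe` only removes the `*.none` entries, so `user_data['permissions']` still carries the name and access level of every repository, repository group and user group the user can reach, and the `payload` built on lines 97-99 hands that whole map to channelstream. Whether that is acceptable depends on who can read `user_state` on the channelstream side, which this hunk does not show; if it is visible to other channel members, a caller-side allowlist of the keys the client actually needs would be tighter than the filtered dump. At minimum a comment should record the intent, e.g. `# permissions_safe drops 'none' entries only; every object the user can access is still named here`. The enclosing view method starts before this hunk and continues after it.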
@@ -944,6 +944,24 b' class AuthUser(object):'
944 return self.get_perms(user=self, cache=False)
944 return self.get_perms(user=self, cache=False)
945
945
946 @LazyProperty
946 @LazyProperty
947 def permissions_safe(self):
948 """
949 Filtered permissions excluding not allowed repositories
950 """
951 perms = self.get_perms(user=self, cache=False)
952
953 perms['repositories'] = {
954 k: v for k, v in perms['repositories'].iteritems()
955 if v != 'repository.none'}
956 perms['repositories_groups'] = {
957 k: v for k, v in perms['repositories_groups'].iteritems()
958 if v != 'group.none'}
959 perms['user_groups'] = {
960 k: v for k, v in perms['user_groups'].iteritems()
961 if v != 'usergroup.none'}
962 return perms
963
964 @LazyProperty
947 def permissions_full_details(self):
965 def permissions_full_details(self):
948 return self.get_perms(
966 return self.get_perms(
949 user=self, cache=False, calculate_super_admin=True)
967 user=self, cache=False, calculate_super_admin=True)
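Review bot: `permissions_safe` (lines 947-962) mutates the dict returned by `get_perms()` in place and indexes `perms['repositories']`, `perms['repositories_groups']` and `perms['user_groups']` directly, so it raises `KeyError` if any of those keys is ever absent and, should `get_perms()` hand back a shared structure rather than a fresh one, would overwrite it for other readers — `cache=False` suggests a fresh copy, but the hunk does not prove it. The filter is also value-based: any entry whose level is not exactly the `*.none` string is kept, so a `None` or unknown level would pass through unfiltered. The three near-identical comprehensions can be folded into one table-driven loop that builds a new dict, leaving the `get_perms()` result untouched, and the docstring should say that this variant exists so that names of objects the user cannot access are never disclosed to external consumers such as the channelstream payload.
```python
    @LazyProperty
    def permissions_safe(self):
        """
        Permissions for external consumers (e.g. the channelstream
        payload): identical to ``permissions`` except that entries whose
        level is the ``*.none`` value are dropped, so names of
        repositories, repository groups and user groups the user cannot
        access are not disclosed. Returns a new dict; ``get_perms()``'s
        result is not modified.
        """
        perms = self.get_perms(user=self, cache=False)
        denied_level = {
            'repositories': 'repository.none',
            'repositories_groups': 'group.none',
            'user_groups': 'usergroup.none',
        }
        safe = dict(perms)
        for key, none_value in denied_level.items():
            safe[key] = {
                name: level
                for name, level in perms.get(key, {}).iteritems()
                if level != none_value}
        return safe
```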