diff --git a/.hgtags b/.hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -24,3 +24,4 @@ d9aa3b27ac9f7e78359775c75fedf7bfece232f1
 4ba4d74981cec5d6b28b158f875a2540952c2f74 v4.10.0
 0a6821cbd6b0b3c21503002f88800679fa35ab63 v4.10.1
 434ad90ec8d621f4416074b84f6e9ce03964defb v4.10.2
+68baee10e698da2724c6e0f698c03a6abb993bf2 v4.10.3
diff --git a/docs/release-notes/release-notes-4.10.3.rst b/docs/release-notes/release-notes-4.10.3.rst
new file mode 100644
--- /dev/null
+++ b/docs/release-notes/release-notes-4.10.3.rst
@@ -0,0 +1,45 @@
+|RCE| 4.10.3 |RNS|
+------------------
+
+Release Date
+^^^^^^^^^^^^
+
+- 2017-11-11
+
+
+New Features
+^^^^^^^^^^^^
+
+
+
+General
+^^^^^^^
+
+- ldap: increase timeouts and timelimits for operations
+
+
+Security
+^^^^^^^^
+
+- security(low): fix self xss on repo downloads picker for svn case.
+
+
+Performance
+^^^^^^^^^^^
+
+
+
+Fixes
+^^^^^
+
+
+- Pull requests: loosen permissions on creation of PR, fixing regression.
+- LDAP: fix regression in ldap search filter implementation after upgrade to
+  newer version of python-ldap library.
+
+
+Upgrade notes
+^^^^^^^^^^^^^
+
+- Changes helpers to support regression in PR creation and increase
+  LDAP server timeouts, no potential problems with upgrade.
diff --git a/docs/release-notes/release-notes.rst b/docs/release-notes/release-notes.rst
--- a/docs/release-notes/release-notes.rst
+++ b/docs/release-notes/release-notes.rst
@@ -9,6 +9,7 @@ Release Notes
 .. toctree::
    :maxdepth: 1
 
+   release-notes-4.10.3.rst
    release-notes-4.10.2.rst
    release-notes-4.10.1.rst
    release-notes-4.10.0.rst
diff --git a/rhodecode/apps/repository/views/repo_pull_requests.py b/rhodecode/apps/repository/views/repo_pull_requests.py
--- a/rhodecode/apps/repository/views/repo_pull_requests.py
+++ b/rhodecode/apps/repository/views/repo_pull_requests.py
@@ -790,9 +790,10 @@ class RepoPullRequestsView(RepoAppView,
                 h.route_path('pullrequest_new', repo_name=self.db_repo_name,
                              _query=org_query))
 
-        # target repo we must have write permissions, and also later on
+        # target repo we must have read permissions, and also later on
         # we want to check branch permissions here
         target_perm = HasRepoPermissionAny(
+            'repository.read',
             'repository.write', 'repository.admin')(target_db_repo.repo_name)
         if not target_perm:
             msg = _('Not Enough permissions to target repo `{}`.'.format(
diff --git a/rhodecode/authentication/base.py b/rhodecode/authentication/base.py
--- a/rhodecode/authentication/base.py
+++ b/rhodecode/authentication/base.py
@@ -218,7 +218,10 @@ class RhodeCodeAuthPluginBase(object):
         else:
             plugin_settings = SettingsModel().get_all_settings()
 
-        return plugin_settings.get(full_name) or default
+        if full_name in plugin_settings:
+            return plugin_settings[full_name]
+        else:
+            return default
 
     def create_or_update_setting(self, name, value):
         """
diff --git a/rhodecode/authentication/plugins/auth_ldap.py b/rhodecode/authentication/plugins/auth_ldap.py
--- a/rhodecode/authentication/plugins/auth_ldap.py
+++ b/rhodecode/authentication/plugins/auth_ldap.py
@@ -195,7 +195,7 @@ class AuthLdap(object):
     def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
                  tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3,
                  search_scope='SUBTREE', attr_login='uid',
-                 ldap_filter=None):
+                 ldap_filter=''):
         if ldap == Missing:
             raise LdapImportError("Missing or incompatible ldap library")
 
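Review bot: Adding `'repository.read'` to the `HasRepoPermissionAny` call makes the target-repo guard accept the weakest repository permission, so it no longer distinguishes a user who can merely view the target from one who may change it; that is only safe if the merge/update path enforces write or admin on the target independently, which this hunk does not show. The updated comment already defers branch checks to "later on", so record the assumption next to it: `# read is enough to open a PR against the target; merging is gated by a separate write/admin check`. If no such separate gate exists, this loosening should be re-examined before release rather than documented. The enclosing view method starts and ends outside the hunk.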
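Review bot: The new membership test followed by an index in the `RhodeCodeAuthPluginBase` hunk does two lookups and, if `plugin_settings` is a plain dict as `SettingsModel().get_all_settings()` appears to return, reproduces what a single `return plugin_settings.get(full_name, default)` already does. Whichever form is kept, the semantic change deserves a comment because the old `or default` silently replaced stored falsy values: `# a stored '' / False / 0 is a valid setting; fall back to default only when the key is absent`. The enclosing method starts outside the hunk, so I cannot see whether `plugin_settings` is always a dict on the other branch.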
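Review bot: Changing the `AuthLdap.__init__` default to `''` does not protect the body from an explicit `None`, which the previous default produced and which the settings lookup in `RhodeCodeAuthPluginBase` can still hand back when the key is absent and its `default` is None; a caller that passes the stored setting through unchanged keeps the old failure mode. Normalizing once at the top of `__init__`, `ldap_filter = ldap_filter or ''`, makes the string contract hold regardless of caller, and a docstring line such as `ldap_filter: extra LDAP search filter, '' for none` would record it. The rest of `__init__`, including where the filter is consumed, is outside the hunk.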
@@ -234,9 +234,9 @@ class AuthLdap(object):
                             '/etc/openldap/cacerts')
         ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
         ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
-        ldap.set_option(ldap.OPT_TIMEOUT, 20)
-        ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
-        ldap.set_option(ldap.OPT_TIMELIMIT, 15)
+        ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 60 * 10)
+        ldap.set_option(ldap.OPT_TIMEOUT, 60 * 10)
+
         if self.TLS_KIND != 'PLAIN':
             ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
         server = ldap.initialize(self.LDAP_SERVER)
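Review bot: Raising `OPT_NETWORK_TIMEOUT` and `OPT_TIMEOUT` to 600 s while dropping `OPT_TIMELIMIT` means a login against an unreachable or slow directory can now hold a request worker for up to ten minutes per operation, and the per-search time limit previously requested from the server is no longer set, so the directory's own default applies; that availability trade-off should be stated next to the values rather than left to the release notes. These are module-level `ldap.set_option` calls, so as far as the hunk shows they apply process-wide to every connection, not just this instance. A named constant with a why-comment would help: `LDAP_OP_TIMEOUT = 60 * 10  # seconds; deliberately generous, but the worker blocks for the whole wait`, and making it a plugin setting would let operators tune it.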