diff --git a/docs/changelog.rst b/docs/changelog.rst
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -19,6 +19,7 @@ fixes
 +++++
 - fixed dev-version marker for stable when served from source codes
+- fixed missing permission checks on show forks page
 1.3.4 (**2012-03-28**)
 ----------------------
diff --git a/rhodecode/controllers/forks.py b/rhodecode/controllers/forks.py
--- a/rhodecode/controllers/forks.py
+++ b/rhodecode/controllers/forks.py
@@ -35,7 +35,7 @@ import rhodecode.lib.helpers as h
 from rhodecode.lib.helpers import Page
 from rhodecode.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator, \
- NotAnonymous
+ NotAnonymous, HasRepoPermissionAny
 from rhodecode.lib.base import BaseRepoController, render
 from rhodecode.model.db import Repository, RepoGroup, UserFollowing, User
 from rhodecode.model.repo import RepoModel
@@ -103,7 +103,13 @@ class ForksController(BaseRepoController
 def forks(self, repo_name):
 p = int(request.params.get('page', 1))
 repo_id = c.rhodecode_db_repo.repo_id
- d = Repository.get_repo_forks(repo_id)
+ d = []
+ for r in Repository.get_repo_forks(repo_id):
+ if not HasRepoPermissionAny(
+ 'repository.read', 'repository.write', 'repository.admin'
+ )(r.repo_name, 'get forks check'):
+ continue
+ d.append(r)
 c.forks_pager = Page(d, page=p, items_per_page=20)
 c.forks_data = render('/forks/forks_data.html')
diff --git a/rhodecode/tests/functional/test_forks.py b/rhodecode/tests/functional/test_forks.py
--- a/rhodecode/tests/functional/test_forks.py
+++ b/rhodecode/tests/functional/test_forks.py
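Review bot: In the `forks` hunk of rhodecode/controllers/forks.py the `HasRepoPermissionAny(...)` checker is rebuilt on every loop iteration and the filter is spelled as a loop with `continue`; provided the checker instance holds no per-call state, build it once and filter in a comprehension: `can_read = HasRepoPermissionAny('repository.read', 'repository.write', 'repository.admin')` followed by `d = [r for r in Repository.get_repo_forks(repo_id) if can_read(r.repo_name, 'get forks check')]`. The check is applied per fork name, so the page now lists only forks the requesting user holds read, write or admin on, which is the right gate for a listing; a one-line comment such as `# list only forks the requesting user is allowed to read` would record why the model's result is filtered here. The functional test added later in this patch covers only the positive case (read granted → fork listed); a negative case asserting that a user with none of the three permissions gets no fork entry is the assertion that actually pins this fix, unless one follows beyond the truncated end of the test hunk. The `forks` method continues outside the hunk.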
@@ -1,9 +1,25 @@
 from rhodecode.tests import *
 from rhodecode.model.db import Repository
+from rhodecode.model.repo import RepoModel
+from rhodecode.model.user import UserModel
+
 class TestForksController(TestController):
+ def setUp(self):
+ self.username = u'forkuser'
+ self.password = u'qweqwe'
+ self.u1 = UserModel().create_or_update(
+ username=self.username, password=self.password,
+ email=u'fork_king@rhodecode.org', name=u'u1', lastname=u'u1'
+ )
+ self.Session.commit()
+
+ def tearDown(self):
+ self.Session.delete(self.u1)
+ self.Session.commit()
+
 def test_index(self):
 self.log_user()
 repo_name = HG_REPO
@@ -12,7 +28,6 @@ class TestForksController(TestController
 self.assertTrue("""There are no forks yet""" in response.body)
-
 def test_index_with_fork(self):
 self.log_user()
@@ -34,7 +49,6 @@ class TestForksController(TestController
 response = self.app.get(url(controller='forks', action='forks', repo_name=repo_name))
-
 self.assertTrue("""""" """vcs_test_hg_fork""" % fork_name in response.body)
@@ -42,9 +56,6 @@ class TestForksController(TestController
 #remove this fork
 response = self.app.delete(url('repo', repo_name=fork_name))
-
-
-
 def test_z_fork_create(self):
 self.log_user()
 fork_name = HG_FORK
@@ -71,11 +82,9 @@ class TestForksController(TestController
 self.assertEqual(fork_repo.repo_name, fork_name)
 self.assertEqual(fork_repo.fork.repo_name, repo_name)
-
 #test if fork is visible in the list ?
 response = response.follow()
-
 # check if fork is marked as fork
 # wait for cache to expire
 import time
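Review bot: `tearDown` in the first hunk of test_forks.py removes the fixture user with `self.Session.delete(self.u1)` but never revokes what tests grant to that user, such as the `repository.read` grant on a fork made later in this patch; whether that delete cascades to the user's repository-permission rows is not visible here, and if it does not, the grant either leaks into later tests or makes the delete fail. Revoking the grant explicitly in `tearDown`, or granting it inside the test with a matching cleanup, keeps the fixture self-contained regardless of cascade behaviour. A short docstring on `setUp` stating that it creates a throwaway user for the permission test would also tell the next reader why the fixture exists. The other hunks on this line are whitespace-only removals.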
@@ -84,3 +93,41 @@ class TestForksController(TestController
 repo_name=fork_name))
 self.assertTrue('Fork of %s' % repo_name in response.body)
+
+ def test_zz_fork_permission_page(self):
+ usr = self.log_user(self.username, self.password)['user_id']
+ repo_name = HG_REPO
+
+ forks = self.Session.query(Repository)\ .filter(Repository.fork_id != None)\ .all()
+ self.assertEqual(1, len(forks))
+
+ # set read permissions for this
+ RepoModel().grant_user_permission(repo=forks[0],
+ user=usr,
+ perm='repository.read')
+ self.Session.commit()
+
+ response = self.app.get(url(controller='forks', action='forks',
+ repo_name=repo_name))
+
+ response.mustcontain('