# HG changeset patch # User Mads Kiilerich # Date 2013-01-02 12:56:44 # Node ID a45191e7c7bb7db9a55d4b8275103bc1a0ed390a # Parent 105a0374faa191792807d4b9aaa289f7224945a8 access control: fix owner checks - they were always true The lambda expressions seems to be left over from something else. They were no longer executed and thus always evaluated to true. Some of the functions also failed if they were executed. diff --git a/rhodecode/controllers/admin/notifications.py b/rhodecode/controllers/admin/notifications.py --- a/rhodecode/controllers/admin/notifications.py +++ b/rhodecode/controllers/admin/notifications.py @@ -110,8 +110,8 @@ class NotificationsController(BaseContro # url('notification', notification_id=ID) try: no = Notification.get(notification_id) - owner = lambda: (no.notifications_to_users.user.user_id - == c.rhodecode_user.user_id) + owner = all(un.user.user_id == c.rhodecode_user.user_id + for un in no.notifications_to_users) if h.HasPermissionAny('hg.admin')() or owner: NotificationModel().mark_read(c.rhodecode_user.user_id, no) Session().commit() @@ -132,8 +132,8 @@ class NotificationsController(BaseContro try: no = Notification.get(notification_id) - owner = lambda: (no.notifications_to_users.user.user_id - == c.rhodecode_user.user_id) + owner = all(un.user.user_id == c.rhodecode_user.user_id + for un in no.notifications_to_users) if h.HasPermissionAny('hg.admin')() or owner: NotificationModel().delete(c.rhodecode_user.user_id, no) Session().commit() @@ -149,8 +149,8 @@ class NotificationsController(BaseContro c.user = self.rhodecode_user no = Notification.get(notification_id) - owner = lambda: (no.notifications_to_users.user.user_id - == c.user.user_id) + owner = all(un.user.user_id == c.rhodecode_user.user_id + for un in no.notifications_to_users) if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner): unotification = NotificationModel()\ .get_user_notification(c.user.user_id, no) 
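Review bot: In the `@@ -110,8 +110,8 @@` hunk the new `owner = all(...)` is true only when every recipient of the notification is the current user, and `all()` over an empty `no.notifications_to_users` is also true. A notification with no recipient rows would therefore pass the owner check for any logged-in user. A recipient of a notification sent to several users would fail it, which looks unintended because `mark_read` and `delete` are called with `c.rhodecode_user.user_id` and so appear to act only on that user's own entry. If the intent is "the current user is one of the recipients", the check should be `owner = any(un.user.user_id == c.rhodecode_user.user_id for un in no.notifications_to_users)`. The same expression is added in the `@@ -132,8 +132,8 @@` and `@@ -149,8 +149,8 @@` hunks and needs the same change there.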
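Review bot: In the `@@ -149,8 +149,8 @@` hunk `no.notifications_to_users` is now evaluated on the line before the `if no and (...)` guard. The case that guard exists for (presumably `Notification.get` returning None for an unknown id) would raise AttributeError instead of falling through to whatever the function does for a missing notification. The old lambda was never called, which hid this. Put the None test first, e.g. start the expression with `no is not None and ...`, or move the owner computation inside the `if no` branch. The two earlier hunks do the same dereference inside a `try:` whose handler is outside the hunk, so check there that a missing notification is not reported as a generic error.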
diff --git a/rhodecode/controllers/changeset.py b/rhodecode/controllers/changeset.py --- a/rhodecode/controllers/changeset.py +++ b/rhodecode/controllers/changeset.py @@ -371,7 +371,7 @@ class ChangesetController(BaseRepoContro @jsonify def delete_comment(self, repo_name, comment_id): co = ChangesetComment.get(comment_id) - owner = lambda: co.author.user_id == c.rhodecode_user.user_id + owner = co.author.user_id == c.rhodecode_user.user_id if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner: ChangesetCommentsModel().delete(comment=co) Session().commit() diff --git a/rhodecode/controllers/pullrequests.py b/rhodecode/controllers/pullrequests.py --- a/rhodecode/controllers/pullrequests.py +++ b/rhodecode/controllers/pullrequests.py @@ -477,7 +477,7 @@ class PullrequestsController(BaseRepoCon #don't allow deleting comments on closed pull request raise HTTPForbidden() - owner = lambda: co.author.user_id == c.rhodecode_user.user_id + owner = co.author.user_id == c.rhodecode_user.user_id if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner: ChangesetCommentsModel().delete(comment=co) Session().commit() diff --git a/rhodecode/tests/functional/test_admin_notifications.py b/rhodecode/tests/functional/test_admin_notifications.py --- a/rhodecode/tests/functional/test_admin_notifications.py +++ b/rhodecode/tests/functional/test_admin_notifications.py @@ -82,6 +82,7 @@ class TestNotificationsController(TestCo response = self.app.delete(url('notification', notification_id= notification.notification_id)) + self.assertEqual(response.body, 'ok') cur_user = User.get(cur_usr_id) self.assertEqual(cur_user.notifications, [])
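Review bot: In `delete_comment` in changeset.py, `co.author.user_id` is now dereferenced on every request, directly after `co = ChangesetComment.get(comment_id)` and with no None check in the visible lines. If `get` returns None for an unknown `comment_id` (not visible here), the request fails with AttributeError instead of a clean not-found response. Add `if co is None: raise HTTPNotFound()` before the owner line, assuming that exception is imported in this module. The visible lines also never relate `co` to `repo_name`, so the owner-or-admin decision applies to whatever comment the id names. Confirm the comment belongs to the repository in the URL before `ChangesetCommentsModel().delete(comment=co)`. The same owner line is changed in pullrequests.py, where `co` is fetched outside the hunk, and the rest of `delete_comment` also lies outside the hunk.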
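Review bot: The added `self.assertEqual(response.body, 'ok')` in test_admin_notifications.py covers only the recipient deleting their own notification. Nothing in the hunk exercises the case this commit fixes, a non-admin user who is not a recipient. A companion test should log in as a second, non-admin user, issue the same `self.app.delete(url('notification', notification_id=...))`, and assert that the notification is still listed for `cur_usr_id`. Without it, a return of the always-true owner check would go unnoticed. The test method starts outside the hunk, so the existing setup may already provide a second user to reuse.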