# HG changeset patch
# User Marcin Kuzminski
# Date 2013-03-02 19:35:49
# Node ID edb9a42def31c1a8e3a51b707c8ac89b998ffe1b
# Parent d77d9ff149b18aa352d743d3691f8fd1f2e80634
fix to strict permission check on notification messages
diff --git a/rhodecode/controllers/admin/notifications.py b/rhodecode/controllers/admin/notifications.py
--- a/rhodecode/controllers/admin/notifications.py
+++ b/rhodecode/controllers/admin/notifications.py
@@ -28,7 +28,7 @@ import traceback
 from pylons import request
 from pylons import tmpl_context as c, url
-from pylons.controllers.util import redirect
+from pylons.controllers.util import redirect, abort
 from webhelpers.paginate import Page
@@ -117,7 +117,7 @@ class NotificationsController(BaseContro
 Session().commit()
 return 'ok'
 except Exception:
- Session.rollback()
+ Session().rollback()
 log.error(traceback.format_exc())
 return 'fail'
@@ -139,7 +139,7 @@ class NotificationsController(BaseContro
 Session().commit()
 return 'ok'
 except Exception:
- Session.rollback()
+ Session().rollback()
 log.error(traceback.format_exc())
 return 'fail'
@@ -149,8 +149,9 @@ class NotificationsController(BaseContro
 c.user = self.rhodecode_user
 no = Notification.get(notification_id)
- owner = all(un.user.user_id == c.rhodecode_user.user_id
+ owner = any(un.user.user_id == c.rhodecode_user.user_id
 for un in no.notifications_to_users)
+
 if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
 unotification = NotificationModel()\
 .get_user_notification(c.user.user_id, no)
@@ -165,7 +166,7 @@ class NotificationsController(BaseContro
 return render('admin/notifications/show_notification.html')
- return redirect(url('notifications'))
+ return abort(403)
 def edit(self, notification_id, format='html'):
 """GET /_admin/notifications/id/edit: Form to edit an existing item"""
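Review bot: In the `@@ -149,8 +149,9 @@` hunk, `no.notifications_to_users` on the continuation line of the new `owner = any(...)` expression is evaluated before the `if no` guard, so when `Notification.get(notification_id)` yields nothing for an unknown id (which the `if no` check implies it can) the request fails with an AttributeError instead of reaching the intended 403; guard the recipient test, e.g. `owner = no is not None and any(un.user.user_id == c.rhodecode_user.user_id` / `for un in no.notifications_to_users)`. The switch from `all` to `any` is the right permission fix and deserves a comment, since `all()` over an empty recipient list is True (a recipient-less notification, if one could exist, was readable by any authenticated user) while a multi-recipient one was readable by none of its non-admin recipients; something like `# viewer must be one of the recipients, or an admin` records the intent. The name `owner` is misleading for a recipient test; `is_recipient` would describe it. The enclosing show() method starts before this hunk and ends after it.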
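Review bot: In the `@@ -165,7 +166,7 @@` hunk, `abort(403)` raises the HTTP error itself, so the `return` in front of it never produces a value; a bare `abort(403)` reads more accurately. The denied path is also silent, and a failed permission check on a caller-supplied object id is worth an audit line before aborting, e.g. `log.warning('user %s denied access to notification %s', c.rhodecode_user.user_id, notification_id)`. Once the missing-notification case in the earlier hunk no longer raises, a nonexistent id and a foreign id both end here with 403; that is fine if not revealing whether an id exists is the intent, otherwise split the missing case out as `abort(404)`. The enclosing show() method starts before this hunk.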