access control: fix owner checks - they were always true...
Mads Kiilerich -
r3141:a45191e7 beta
@@ -110,8 +110,8 b' class NotificationsController(BaseContro'
110 # url('notification', notification_id=ID)
110 # url('notification', notification_id=ID)
111 try:
111 try:
112 no = Notification.get(notification_id)
112 no = Notification.get(notification_id)
113 owner = lambda: (no.notifications_to_users.user.user_id
113 owner = all(un.user.user_id == c.rhodecode_user.user_id
114 == c.rhodecode_user.user_id)
114 for un in no.notifications_to_users)
115 if h.HasPermissionAny('hg.admin')() or owner:
115 if h.HasPermissionAny('hg.admin')() or owner:
116 NotificationModel().mark_read(c.rhodecode_user.user_id, no)
116 NotificationModel().mark_read(c.rhodecode_user.user_id, no)
117 Session().commit()
117 Session().commit()
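Review bot: The rewritten owner test on line 113 uses `all(...)`, which is vacuously True when `no.notifications_to_users` is empty, so a notification with no recipient rows would satisfy the ownership check for any authenticated user; it also rejects a legitimate recipient of a multi-user notification, because every recipient row would have to belong to the current user. If the intent is "the current user is among the recipients", `owner = any(un.user.user_id == c.rhodecode_user.user_id for un in no.notifications_to_users)` yields False for the empty case and handles multi-recipient notifications. The same expression is introduced in the hunks at lines 132 and 149. The enclosing handler starts and ends outside this hunk, so whether the surrounding `try` handles `Notification.get` returning None is not visible here.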
@@ -132,8 +132,8 b' class NotificationsController(BaseContro'
132
132
133 try:
133 try:
134 no = Notification.get(notification_id)
134 no = Notification.get(notification_id)
135 owner = lambda: (no.notifications_to_users.user.user_id
135 owner = all(un.user.user_id == c.rhodecode_user.user_id
136 == c.rhodecode_user.user_id)
136 for un in no.notifications_to_users)
137 if h.HasPermissionAny('hg.admin')() or owner:
137 if h.HasPermissionAny('hg.admin')() or owner:
138 NotificationModel().delete(c.rhodecode_user.user_id, no)
138 NotificationModel().delete(c.rhodecode_user.user_id, no)
139 Session().commit()
139 Session().commit()
@@ -149,8 +149,8 b' class NotificationsController(BaseContro'
149 c.user = self.rhodecode_user
149 c.user = self.rhodecode_user
150 no = Notification.get(notification_id)
150 no = Notification.get(notification_id)
151
151
152 owner = lambda: (no.notifications_to_users.user.user_id
152 owner = all(un.user.user_id == c.rhodecode_user.user_id
153 == c.user.user_id)
153 for un in no.notifications_to_users)
154 if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
154 if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
155 unotification = NotificationModel()\
155 unotification = NotificationModel()\
156 .get_user_notification(c.user.user_id, no)
156 .get_user_notification(c.user.user_id, no)
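Review bot: Line 152 now evaluates `no.notifications_to_users` eagerly, but the `if no and ...` guard on line 154 runs after it, so a missing notification (`Notification.get` returning None) raises AttributeError before the guard can take effect; the old lambda deferred that attribute access. Either compute the owner flag inside the guarded branch or make it None-safe, e.g. `owner = no is not None and all(un.user.user_id == c.user.user_id for un in no.notifications_to_users)`. Line 152 also switches to `c.rhodecode_user.user_id` while lines 149, 153 (old) and 156 use `c.user` in the same handler; keeping one name reads more consistently. The handler begins before line 149 and continues past this hunk.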
@@ -371,7 +371,7 b' class ChangesetController(BaseRepoContro'
371 @jsonify
371 @jsonify
372 def delete_comment(self, repo_name, comment_id):
372 def delete_comment(self, repo_name, comment_id):
373 co = ChangesetComment.get(comment_id)
373 co = ChangesetComment.get(comment_id)
374 owner = lambda: co.author.user_id == c.rhodecode_user.user_id
374 owner = co.author.user_id == c.rhodecode_user.user_id
375 if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
375 if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
376 ChangesetCommentsModel().delete(comment=co)
376 ChangesetCommentsModel().delete(comment=co)
377 Session().commit()
377 Session().commit()
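Review bot: Line 374 now dereferences `co.author` unconditionally, and nothing in this hunk checks that `ChangesetComment.get(comment_id)` returned a comment, so an unknown or already-deleted `comment_id` raises AttributeError (a 500) instead of a clean refusal; the old lambda never evaluated that access. A guard before the owner computation, `if co is None: raise HTTPNotFound()` (if that class is imported here, otherwise whichever error this controller already uses for a missing object), keeps the response well-defined. The same pattern appears at line 480 in PullrequestsController, where an earlier dereference of `co` outside the hunk may already exclude the None case. `delete_comment` continues past this hunk.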
@@ -477,7 +477,7 b' class PullrequestsController(BaseRepoCon'
477 #don't allow deleting comments on closed pull request
477 #don't allow deleting comments on closed pull request
478 raise HTTPForbidden()
478 raise HTTPForbidden()
479
479
480 owner = lambda: co.author.user_id == c.rhodecode_user.user_id
480 owner = co.author.user_id == c.rhodecode_user.user_id
481 if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
481 if h.HasPermissionAny('hg.admin', 'repository.admin')() or owner:
482 ChangesetCommentsModel().delete(comment=co)
482 ChangesetCommentsModel().delete(comment=co)
483 Session().commit()
483 Session().commit()
@@ -82,6 +82,7 b' class TestNotificationsController(TestCo'
82 response = self.app.delete(url('notification',
82 response = self.app.delete(url('notification',
83 notification_id=
83 notification_id=
84 notification.notification_id))
84 notification.notification_id))
85 self.assertEqual(response.body, 'ok')
85
86
86 cur_user = User.get(cur_usr_id)
87 cur_user = User.get(cur_usr_id)
87 self.assertEqual(cur_user.notifications, [])
88 self.assertEqual(cur_user.notifications, [])
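Review bot: The added assertion on line 85 only strengthens the owner path; the defect this commit fixes (a non-owner passing the ownership check) still has no regression test in this hunk. A companion test that issues the same delete while logged in as a user who is not a recipient, and then asserts the notification is still present for the recipient, would lock the fix in. The test method starts before line 82.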