fix to strict permission check on notification messages
marcink -
r3428:edb9a42d beta
@@ -28,7 +28,7 b' import traceback'
28 28
29 29 from pylons import request
30 30 from pylons import tmpl_context as c, url
31 from pylons.controllers.util import redirect
31 from pylons.controllers.util import redirect, abort
32 32
33 33 from webhelpers.paginate import Page
34 34
@@ -117,7 +117,7 b' class NotificationsController(BaseContro'
117 117 Session().commit()
118 118 return 'ok'
119 119 except Exception:
120 Session.rollback()
120 Session().rollback()
121 121 log.error(traceback.format_exc())
122 122 return 'fail'
123 123
@@ -139,7 +139,7 b' class NotificationsController(BaseContro'
139 139 Session().commit()
140 140 return 'ok'
141 141 except Exception:
142 Session.rollback()
142 Session().rollback()
143 143 log.error(traceback.format_exc())
144 144 return 'fail'
145 145
@@ -149,8 +149,9 b' class NotificationsController(BaseContro'
149 149 c.user = self.rhodecode_user
150 150 no = Notification.get(notification_id)
151 151
152 owner = all(un.user.user_id == c.rhodecode_user.user_id
152 owner = any(un.user.user_id == c.rhodecode_user.user_id
153 153 for un in no.notifications_to_users)
154
154 155 if no and (h.HasPermissionAny('hg.admin', 'repository.admin')() or owner):
155 156 unotification = NotificationModel()\
156 157 .get_user_notification(c.user.user_id, no)
@@ -165,7 +166,7 b' class NotificationsController(BaseContro'
165 166
166 167 return render('admin/notifications/show_notification.html')
167 168
168 return redirect(url('notifications'))
169 return abort(403)
169 170
170 171 def edit(self, notification_id, format='html'):
171 172 """GET /_admin/notifications/id/edit: Form to edit an existing item"""