From brond...@apache.org
Subject [2/2] git commit: [#7317] ticket:573 Check permissions in include macro
Date Tue, 15 Apr 2014 14:55:47 GMT
[#7317] ticket:573 Check permissions in include macro


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/c455ec57
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/c455ec57
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/c455ec57

Branch: refs/heads/master
Commit: c455ec57904a061154b9c7a960fbe8de54f5ff33
Parents: fcb2f34
Author: Igor Bondarenko <jetmind2@gmail.com>
Authored: Mon Apr 14 13:37:13 2014 +0300
Committer: Dave Brondsema <dbrondsema@slashdotmedia.com>
Committed: Tue Apr 15 14:55:12 2014 +0000

----------------------------------------------------------------------
 Allura/allura/lib/macro.py                      |  6 +++-
 Allura/allura/tests/test_globals.py             | 34 +++++++++++++++++++-
 .../tests/functional/test_controllers.py        | 11 +++++++
 3 files changed, 49 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/c455ec57/Allura/allura/lib/macro.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/macro.py b/Allura/allura/lib/macro.py
index 87a09af..fd0ef58 100644
--- a/Allura/allura/lib/macro.py
+++ b/Allura/allura/lib/macro.py
@@ -348,8 +348,10 @@ def include_file(repo, path=None, rev=None, **kw):
     app = parse_repo(repo)
     if not app:
         return '[[include repo %s (not found)]]' % repo
-    rev = app.repo.head if rev is None else rev
+    if not h.has_access(app.repo, 'read')():
+        return "[[include: you don't have a read permission for repo %s]]" % repo
 
+    rev = app.repo.head if rev is None else rev
     try:
         file = app.repo.commit(rev).get_path(path)
     except Exception:
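Review bot: The new read check makes include_file's output depend on the viewer, but nothing in the hunk prevents that viewer-specific result from being stored by the surrounding markdown render; if rendered HTML is cached per artifact rather than per user (Allura's cached_convert appears to work that way, worth confirming), a render done by a user with access could serve the file contents to readers without it, and a denied render could hide it from everyone. The denial text also differs from the `(not found)` text on the line above it, so an anonymous caller can confirm which private repos exist by name; if enumeration matters here, return the same `'[[include repo %s (not found)]]' % repo` marker for both cases. Minor wording: `you don't have a read permission` reads better as `you don't have read permission`. include_file's body continues past the hunk.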
@@ -383,6 +385,8 @@ def include(ref=None, repo=None, **kw):
     artifact = link.ref.artifact
     if artifact is None:
         return '[[include (artifact not found)]]' % ref
+    if not h.has_access(artifact, 'read')():
+        return "[[include: you don't have a read permission for %s]]" % ref
     included = request.environ.setdefault('allura.macro.included', set())
     if artifact in included:
         return '[[include %s (already included)]' % ref
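Review bot: The `(artifact not found)` return directly above the new check has no `%s` placeholder, so `'[[include (artifact not found)]]' % ref` raises TypeError instead of returning the marker; since this path now sits beside the permission check it is worth fixing together, `return '[[include %s (artifact not found)]]' % ref`. As in include_file, the distinct denial message lets a reader tell a hidden artifact from a missing one; if that distinction is not intended, return the not-found marker for both. The has_access call presumably resolves the user from c.user, so the result is only correct when the macro runs in the requesting user's context and not in a cached or background render; a short comment stating that assumption next to the check would help the next maintainer. include's body starts before and continues after the hunk.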

http://git-wip-us.apache.org/repos/asf/allura/blob/c455ec57/Allura/allura/tests/test_globals.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_globals.py b/Allura/allura/tests/test_globals.py
index 72daa75..3fd7a2a 100644
--- a/Allura/allura/tests/test_globals.py
+++ b/Allura/allura/tests/test_globals.py
@@ -26,7 +26,7 @@ import hashlib
 from mock import patch
 
 from bson import ObjectId
-from nose.tools import with_setup, assert_equal, assert_in
+from nose.tools import with_setup, assert_equal, assert_in, assert_not_in
 from pylons import tmpl_context as c, app_globals as g
 import tg
 
@@ -282,6 +282,38 @@ def test_macro_include_extra_br():
 '''.strip().replace('\n', '')
     assert html.strip().replace('\n', '') == expected_html, html
 
+@td.with_wiki
+@td.with_tool('test', 'Wiki', 'wiki2')
+def test_macro_include_permissions():
+    p_nbhd = M.Neighborhood.query.get(name='Projects')
+    p_test = M.Project.query.get(shortname='test', neighborhood_id=p_nbhd._id)
+    wiki = p_test.app_instance('wiki')
+    wiki2 = p_test.app_instance('wiki2')
+    with h.push_context(p_test._id, app_config_id=wiki.config._id):
+        p = WM.Page.upsert(title='CanRead')
+        p.text = 'Can see this!'
+        p.commit()
+        ThreadLocalORMSession.flush_all()
+
+    with h.push_context(p_test._id, app_config_id=wiki2.config._id):
+        role = M.ProjectRole.by_name('*anonymous')._id
+        read_perm = M.ACE.allow(role, 'read')
+        acl = c.app.config.acl
+        if read_perm in acl:
+            acl.remove(read_perm)
+        p = WM.Page.upsert(title='CanNotRead')
+        p.text = 'Can not see this!'
+        p.commit()
+        ThreadLocalORMSession.flush_all()
+
+    with h.push_context(p_test._id, app_config_id=wiki.config._id):
+        c.user = M.User.anonymous()
+        md = '[[include ref=CanRead]]\n[[include ref=wiki2:CanNotRead]]'
+        html = g.markdown_wiki.convert(md)
+        assert_in('Can see this!', html)
+        assert_not_in('Can not see this!', html)
+        assert_in("[[include: you don't have a read permission for wiki2:CanNotRead]]", html)
+
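Review bot: The test only asserts the denied case for anonymous and never shows that the included content appears for a user who does have read on wiki2, so a regression that made the check fail for everyone (for example evaluating the wrong security context) would still pass; add a positive pass after the anonymous assertions, e.g. `c.user = M.User.by_username('test-admin')`, `html = g.markdown_wiki.convert(md)`, `assert_in('Can not see this!', html)`. The ACL edit on wiki2 and the assignment to c.user are left in place when the test returns, so later tests in this module depend on the fixtures rebuilding the project between tests; if they do not, restore the ACE and c.user in a finally. PEP 8 also asks for two blank lines before the decorated function, and the single blank line after it leaves three before test_macro_embed.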
 
 @patch('oembed.OEmbedEndpoint.fetch')
 def test_macro_embed(oembed_fetch):

http://git-wip-us.apache.org/repos/asf/allura/blob/c455ec57/ForgeGit/forgegit/tests/functional/test_controllers.py
----------------------------------------------------------------------
diff --git a/ForgeGit/forgegit/tests/functional/test_controllers.py b/ForgeGit/forgegit/tests/functional/test_controllers.py
index 47455a9..3af6f1b 100644
--- a/ForgeGit/forgegit/tests/functional/test_controllers.py
+++ b/ForgeGit/forgegit/tests/functional/test_controllers.py
@@ -775,6 +775,17 @@ class TestIncludeMacro(_TestCase):
         assert_equal(macro.include_file('a:b'), expected % 'a:b')
         assert_equal(macro.include_file('repo'), expected % 'repo')
 
+    def test_include_file_permissions(self):
+        h.set_context('test', 'src-git', neighborhood='Projects')
+        role = M.ProjectRole.by_name('*anonymous')._id
+        read_perm = M.ACE.allow(role, 'read')
+        acl = c.app.config.acl
+        if read_perm in acl:
+            acl.remove(read_perm)
+        c.user = M.User.anonymous()
+        expected = "[[include: you don't have a read permission for repo src-git]]"
+        assert_equal(macro.include_file('src-git'), expected)
+
     def test_include_file_cant_find_file(self):
         expected = "[[include can't find file %s in revision %s]]"
         assert_equal(macro.include_file('src-git', 'a.txt'),
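Review bot: Only the anonymous denial is asserted, and c.user is reassigned without being restored, so the sibling tests that follow (test_include_file_cant_find_file starts right after) rely on the fixture resetting the request context between tests; a positive assertion with an authorized user, e.g. `c.user = M.User.by_username('test-admin')` followed by `assert macro.include_file('src-git') != expected`, would both exercise the allowed path and leave the context in a sane state. The ACL mutation on c.app.config is likewise never flushed or reverted here, which is fine only if each test gets fresh fixtures. The TestIncludeMacro class starts outside the hunk.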

