allura-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From brond...@apache.org
Subject allura git commit: [#8175] nonexistant wiki pages without permission now 404; also API security check matches main for deleted now
Date Wed, 17 Jan 2018 22:31:59 GMT
Repository: allura
Updated Branches:
  refs/heads/db/8175 [created] 19f04aca4


[#8175] nonexistant wiki pages without permission now 404; also API security check matches
main for deleted now


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/19f04aca
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/19f04aca
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/19f04aca

Branch: refs/heads/db/8175
Commit: 19f04aca420d840f4c4feacae618c1bb485b16fd
Parents: 82b2ab7
Author: Dave Brondsema <dave@brondsema.net>
Authored: Wed Jan 17 17:31:50 2018 -0500
Committer: Dave Brondsema <dave@brondsema.net>
Committed: Wed Jan 17 17:31:50 2018 -0500

----------------------------------------------------------------------
 .../forgewiki/tests/functional/test_root.py     | 27 ++++++++++++--------
 ForgeWiki/forgewiki/wiki_main.py                |  7 +++--
 2 files changed, 21 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/19f04aca/ForgeWiki/forgewiki/tests/functional/test_root.py
----------------------------------------------------------------------
diff --git a/ForgeWiki/forgewiki/tests/functional/test_root.py b/ForgeWiki/forgewiki/tests/functional/test_root.py
index 5bcb4d5..b157e30 100644
--- a/ForgeWiki/forgewiki/tests/functional/test_root.py
+++ b/ForgeWiki/forgewiki/tests/functional/test_root.py
@@ -57,9 +57,9 @@ class TestRootController(TestController):
         assert u'tést' in r
         assert 'Create Page' in r
         # No 'Create Page' button if user doesn't have 'create' perm
-        r = self.app.get(page_url,
-                         extra_environ=dict(username='*anonymous')).follow()
-        assert 'Create Page' not in r
+        r = self.app.get('/wiki/Home',
+                         extra_environ=dict(username='*anonymous'))
+        assert 'Create Page' not in r, r
 
     @td.with_wiki
     def test_create_wiki_page(self):
@@ -150,14 +150,19 @@ class TestRootController(TestController):
         assert div is not None, "Can't find help text"
         assert_in('To search for an exact phrase', div.text)
 
-    def test_page_index(self):
-        response = self.app.get('/wiki/tést/')
-        assert 'tést' in response.follow()
-
-    def test_page_edit(self):
-        self.app.get('/wiki/tést/index')
-        response = self.app.post('/wiki/tést/edit')
-        assert 'tést' in response
+    def test_nonexistent_page_edit(self):
+        resp = self.app.get('/wiki/tést/')
+        assert resp.location.endswith(h.urlquote(u'/wiki/tést/edit')), resp.location
+        resp = resp.follow()
+        assert 'tést' in resp
+
+    def test_nonexistent_page_noedit(self):
+        self.app.get('/wiki/tést/',
+                     extra_environ=dict(username='*anonymous'),
+                     status=404)
+        self.app.get('/wiki/tést/',
+                     extra_environ=dict(username='test-user'),
+                     status=404)
 
     @patch('forgewiki.wiki_main.g.director.create_activity')
     def test_activity(self, create_activity):

http://git-wip-us.apache.org/repos/asf/allura/blob/19f04aca/ForgeWiki/forgewiki/wiki_main.py
----------------------------------------------------------------------
diff --git a/ForgeWiki/forgewiki/wiki_main.py b/ForgeWiki/forgewiki/wiki_main.py
index db1f266..7c55221 100644
--- a/ForgeWiki/forgewiki/wiki_main.py
+++ b/ForgeWiki/forgewiki/wiki_main.py
@@ -529,9 +529,10 @@ class PageController(BaseController, FeedController):
             require_access(self.page, 'read')
             if self.page.deleted:
                 require_access(self.page, 'delete')
-        else:
-            require_access(c.app, 'create')
+        elif has_access(c.app, 'create'):
             self.rate_limit()
+        else:
+            raise exc.HTTPNotFound
 
     def rate_limit(self):
         if WM.Page.is_limit_exceeded(c.app.config, user=c.user):
@@ -849,6 +850,8 @@ class PageRestController(BaseController):
     def _check_security(self):
         if self.page:
             require_access(self.page, 'read')
+            if self.page.deleted:
+                require_access(self.page, 'delete')
 
     @h.vardec
     @expose('json:')


Mime
View raw message