From brond...@apache.org
Subject [allura] 01/02: [#8318] more helpful msg to site admins; refactor site admin permission checking
Date Thu, 18 Jul 2019 21:27:34 GMT
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8318
in repository https://gitbox.apache.org/repos/asf/allura.git

commit d7d66269c20651570f18053d2de7b220a80326b7
Author: Dave Brondsema <dave@brondsema.net>
AuthorDate: Thu Jul 18 15:39:28 2019 -0400

    [#8318] more helpful msg to site admins; refactor site admin permission checking
---
 Allura/allura/controllers/auth.py            |  8 ++++++--
 Allura/allura/controllers/site_admin.py      | 10 +++-------
 Allura/allura/controllers/trovecategories.py |  7 ++-----
 Allura/allura/lib/security.py                | 16 ++++++++++++++++
 4 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 1fc0bd2..f21b3be 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -35,7 +35,7 @@ from beaker.session import _session_id
 import allura.tasks.repo_tasks
 from allura import model as M
 from allura.lib import validators as V
-from allura.lib.security import require_authenticated, has_access
+from allura.lib.security import require_authenticated, has_access, is_site_admin
 from allura.lib import helpers as h
 from allura.lib import plugin
 from allura.lib.decorators import require_post, reconfirm_auth
@@ -225,7 +225,11 @@ class AuthController(BaseController):
 
         if user_record and email_record and email_record.confirmed:
             user_record.send_password_reset_email(email_record.email)
-        h.auditlog_user('Password recovery link sent to: %s', email, user=user_record)
+            h.auditlog_user('Password recovery link sent to: %s', email, user=user_record)
+        elif is_site_admin(c.user):
+            # this can be accessed via a site admin page, and sometimes email records are
inconsistent
+            # only site admins may be told if accounts exist or not
+            message = 'Could NOT find email address for user'
         flash(message)
         redirect('/')
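Review bot: The new `elif` also fires when `user_record` exists but `email_record` is missing or unconfirmed, so the admin-only text `'Could NOT find email address for user'` is misleading in the unconfirmed case; consider distinguishing them, e.g. `message = 'Email address for user is not confirmed' if email_record else 'Could NOT find email address for user'`. The branch also leaves no audit entry: the removed unconditional `h.auditlog_user(...)` call now runs only on the success path, so a site admin's lookup of a non-existent or unconfirmed account (the account-existence disclosure this branch deliberately limits to admins) is not recorded, whereas an `h.auditlog_user('Password recovery requested for %s, no confirmed email found', email, user=user_record)` inside the `elif` would keep that trail, assuming `auditlog_user` tolerates `user=None` as the removed call already did. `message` is presumably assigned earlier in the function, which starts outside the hunk. The comment above the `elif` is rendered across two lines in this archive, which would be a syntax error if the break is literal in the file rather than an artefact of the mail wrapping.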
 
diff --git a/Allura/allura/controllers/site_admin.py b/Allura/allura/controllers/site_admin.py
index 76c09a0..8e38681 100644
--- a/Allura/allura/controllers/site_admin.py
+++ b/Allura/allura/controllers/site_admin.py
@@ -38,7 +38,7 @@ from allura.lib import validators as v
 from allura.lib.decorators import require_post
 from allura.lib.plugin import SiteAdminExtension, ProjectRegistrationProvider, AuthenticationProvider
 from allura.lib import search
-from allura.lib.security import require_access, Credentials
+from allura.lib.security import require_site_admin, Credentials
 from allura.lib.widgets import form_fields as ffw
 from allura.ext.admin.widgets import AuditLog
 from allura.lib.widgets import forms
@@ -70,9 +70,7 @@ class SiteAdminController(object):
         self.site_notifications = SiteNotificationController()
 
     def _check_security(self):
-        with h.push_context(config.get('site_admin_project', 'allura'),
-                            neighborhood=config.get('site_admin_project_nbhd', 'Projects')):
-            require_access(c.project, 'admin')
+        require_site_admin(c.user)
 
         c.site_admin_sidebar_menu = self.sidebar_menu()
 
@@ -516,9 +514,7 @@ class SiteNotificationController(object):
 class TaskManagerController(object):
 
     def _check_security(self):
-        with h.push_context(config.get('site_admin_project', 'allura'),
-                            neighborhood=config.get('site_admin_project_nbhd', 'Projects')):
-            require_access(c.project, 'admin')
+        require_site_admin(c.user)
 
     @expose('jinja:allura:templates/site_admin_task_list.html')
     @without_trailing_slash
diff --git a/Allura/allura/controllers/trovecategories.py b/Allura/allura/controllers/trovecategories.py
index 149b1bc..6edb9d4 100644
--- a/Allura/allura/controllers/trovecategories.py
+++ b/Allura/allura/controllers/trovecategories.py
@@ -19,7 +19,6 @@ from collections import OrderedDict
 
 from tg import expose, flash, redirect, validate, config
 from tg import tmpl_context as c
-from string import digits, lowercase
 from tg.decorators import without_trailing_slash
 from webob.exc import HTTPForbidden, HTTPNotFound
 from tg import app_globals as g
@@ -28,7 +27,7 @@ from allura import model as M
 from allura.controllers import BaseController
 from allura.lib import helpers as h
 from allura.lib.decorators import require_post
-from allura.lib.security import require_authenticated, require_access
+from allura.lib.security import require_authenticated, require_site_admin
 from allura.lib.widgets import forms
 from allura.lib.plugin import SiteAdminExtension
 from allura.app import SitemapEntry
@@ -52,9 +51,7 @@ class TroveCategoryController(BaseController):
 
         enable_editing = config.get('trovecategories.enableediting', 'false')
         if enable_editing == 'admin':
-            with h.push_context(config.get('site_admin_project', 'allura'),
-                                neighborhood=config.get('site_admin_project_nbhd', 'Projects')):
-                require_access(c.project, 'admin')
+            require_site_admin(c.user)
         elif enable_editing != 'true':
             raise HTTPForbidden()
 
diff --git a/Allura/allura/lib/security.py b/Allura/allura/lib/security.py
index 8f5eb4f..3497305 100644
--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -497,6 +497,22 @@ def require_authenticated():
         raise exc.HTTPUnauthorized()
 
 
+def is_site_admin(user):
+    from allura.lib import helpers as h
+
+    with h.push_context(tg.config.get('site_admin_project', 'allura'),
+                        neighborhood=tg.config.get('site_admin_project_nbhd', 'Projects')):
+        return has_access(c.project, 'admin', user=user)
+
+
+def require_site_admin(user):
+    from allura.lib import helpers as h
+
+    with h.push_context(tg.config.get('site_admin_project', 'allura'),
+                        neighborhood=tg.config.get('site_admin_project_nbhd', 'Projects')):
+        return require_access(c.project, 'admin', user=user)
+
+
 def simple_grant(acl, role_id, permission):
     from allura.model.types import ACE
     for ace in acl:
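Review bot: `is_site_admin` and `require_site_admin` are new permission gates with no docstring, and their names do not say what they actually test: the `'admin'` permission on the project named by `site_admin_project` (default `'allura'`) in the `site_admin_project_nbhd` neighborhood, evaluated under a temporarily pushed context. A docstring such as `"""Return True if `user` has 'admin' on the configured site-admin project (site_admin_project / site_admin_project_nbhd); this is the single definition of "site admin" used by the site-admin controllers."""` on `is_site_admin`, and the raising counterpart on `require_site_admin`, would make that contract explicit for the next caller who reaches for one of them. The `with h.push_context(...)` block is duplicated verbatim between the two, so a small private helper for the context (or `require_site_admin` phrased in terms of `is_site_admin`) would stop the two definitions drifting apart, though the latter changes which exception and message callers get and needs checking against `require_access`. `require_site_admin` returns the result of `require_access`, which none of the three callers in this commit use; `tg` and `c` are assumed to be imported at the top of security.py, which is outside the hunk.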

