whimsical-commits mailing list archives

From ru...@apache.org
Subject [whimsy] 02/02: allow PMC members to post their own report
Date Sat, 03 Aug 2019 15:38:46 GMT
This is an automated email from the ASF dual-hosted git repository.

rubys pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git

commit 35acffb952257c53282c929516f150ccea206511
Author: Sam Ruby <rubys@intertwingly.net>
AuthorDate: Sat Aug 3 11:38:03 2019 -0400

    allow PMC members to post their own report
    
    (even if they are not officers or ASF members)
---
 www/board/agenda/config.ru                  | 10 ++++++---
 www/board/agenda/models/agenda.rb           |  6 ++---
 www/board/agenda/views/actions/post.json.rb | 34 +++++++++++++++++++++++++----
 3 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/www/board/agenda/config.ru b/www/board/agenda/config.ru
index 4743e2c..4d15826 100644
--- a/www/board/agenda/config.ru
+++ b/www/board/agenda/config.ru
@@ -15,10 +15,14 @@ use ASF::Auth::MembersAndOfficers do |env|
     next true
   end
 
-  # allow access to historical-comments for reporter tool.
-  # note: this list is filtered by routes.rb to only include the list of
-  # PMCs that the user is a member of for non-ASF-members and non-officers.
+  # allow access to historical-comments and post for reporter tool.
+  # notes:
+  # - historical-comments is filtered by routes.rb to only include the list of
+  #   PMCs that the user is a member of for non-ASF-members and non-officers.
+  # - post is limited to ASF members, officers, and members of the PMC whose
+  #   report is being posted.
   next true if env['PATH_INFO'] == '/json/historical-comments'
+  next true if env['PATH_INFO'] == '/json/post'
 
   # additionally authorize all invited guests
   agenda = dir('board_agenda_*.txt').sort.last
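Review bot: The comment added above `next true if env['PATH_INFO'] == '/json/post'` says post is limited to members, officers and the relevant PMC, but this line admits callers who are none of those, and the limit is enforced only in `views/actions/post.json.rb`. I would state that in the comment, e.g. `# - post is admitted here unconditionally; the member/officer/PMC check is enforced in views/actions/post.json.rb.`, so a later edit to that view is not made on the assumption that this middleware still gates the route. The `use ASF::Auth::MembersAndOfficers` block starts before this hunk and continues after it.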
diff --git a/www/board/agenda/models/agenda.rb b/www/board/agenda/models/agenda.rb
index 20d9309..c3ee4d1 100755
--- a/www/board/agenda/models/agenda.rb
+++ b/www/board/agenda/models/agenda.rb
@@ -129,7 +129,7 @@ class Agenda
   end
 
   # update agenda file in SVN
-  def self.update(file, message, retries=20, &block)
+  def self.update(file, message, retries=20, auth: nil, &block)
     return unless block
     commit_rc = 0
 
@@ -139,9 +139,9 @@ class Agenda
     #extract context from block
     _, env = eval('[_, env]', block.binding)
 
-    auth = [[]]
+    auth ||= [[]]
     if env.password
-      auth = [['--username', env.user, '--password', env.password]]
+      auth ||= [['--username', env.user, '--password', env.password]]
     end
 
     file.untaint if file =~ /\Aboard_\w+_[\d_]+\.txt\z/
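Review bot: After `auth ||= [[]]` the variable is always truthy, so the `auth ||= [['--username', env.user, '--password', env.password]]` inside `if env.password` can never assign, and the caller's own credentials are no longer used when `auth:` is omitted. For members and officers this presumably changes which account the SVN commit runs as, which affects attribution in the commit log. Resolving the default in one step keeps the previous behaviour: `auth ||= env.password ? [['--username', env.user, '--password', env.password]] : [[]]`. The `auth:` keyword added in the previous hunk also has no documented shape; the defaults here are nested arrays while post.json.rb passes a flat `['--username', 'whimsysvn']`, and since the code that consumes `auth` is outside this hunk that should be confirmed.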
diff --git a/www/board/agenda/views/actions/post.json.rb b/www/board/agenda/views/actions/post.json.rb
index f6cd18a..467e4e1 100644
--- a/www/board/agenda/views/actions/post.json.rb
+++ b/www/board/agenda/views/actions/post.json.rb
@@ -1,6 +1,11 @@
 #
 # edit exiting / post new report
 #
+# Note: this code validates that env.user is one of the following:
+#  1) an ASF member
+#  2) a PMC chair
+#  3) a member of the PMC for the report being posted
+#
 
 # special case for new special orders
 if @attach == '7?'
@@ -9,21 +14,35 @@ elsif @attach == '8?'
   @message = "Post Discussion Item 8X: #{@title}"
 end
 
-Agenda.update(@agenda, @message) do |agenda|
+attach = nil
+
+# Determine if user is authorized
+user = ASF::Person.find(env.user)
+member_or_officer = user.asf_member? or ASF.pmc_chairs.include? user
+credentials = member_or_officer ? nil : ['--username', 'whimsysvn']
 
+Agenda.update(@agenda, @message, auth: credentials) do |agenda|
   # quick parse of agenda
   parsed = ASF::Board::Agenda.parse(agenda, true)
 
   # map @project to @attach to support posting from reporter.apache.org
   if not @attach and @project
-    project = ASF::Committee.find(@project).display_name
+    project = ASF::Committee.find(@project)
+    raise "project #{@project.inspect} not found" unless project
+    unless member_or_officer or project.owners.include? user
+      raise "not authorized to post to #{@project}"
+    end
+
+    projectName = project.display_name
     parsed.each do |report|
-      if report['title'] == project
+      if report['title'] == projectName
         raise "report already posted" unless @digest or report['missing']
-        @attach = report[:attach]
+        attach = @attach = report[:attach]
         @digest ||= report['digest']
       end
     end
+  else
+    raise "not authorized to post to the board agenda" unless member_or_officer
   end
 
   # remove trailing whitespace
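Review bot: In `member_or_officer = user.asf_member? or ASF.pmc_chairs.include? user`, `or` binds more loosely than `=`, so the variable receives only `user.asf_member?` and the PMC-chair test is evaluated and discarded. A chair who is not an ASF member is therefore treated as unprivileged: rejected in the `else` branch and, for `@project` posts, required to be in `project.owners`. That fails closed, but it contradicts the header comment; use `member_or_officer = user.asf_member? || ASF.pmc_chairs.include?(user)`. `ASF::Person.find(env.user)` is also used without a nil check, and whether it can return nil is not visible here. The `Agenda.update` block continues past this hunk.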
@@ -147,3 +166,10 @@ Agenda.update(@agenda, @message) do |agenda|
   # return updated agenda
   agenda
 end
+
+# filter agenda if project is specified or the user is not authorized to see
+# the entire document
+if @project or not member_or_officer
+  agenda = _.delete 'agenda'
+ _item agenda.find {|report| report[:attach] == attach}
+end
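Review bot: The filter compares against the local `attach`, which is assigned only inside the `@project` mapping branch of the earlier hunk, so when no report title matched (or `@attach` was supplied directly) it is nil and `agenda.find` will most likely match nothing, leaving `_item` empty. Since this block is what keeps a non-member from receiving the whole agenda, it would help to say so in the comment and to guard the lookup, e.g. `_item agenda && agenda.find {|report| report[:attach] == attach}`, so a missing `'agenda'` key does not raise after the commit has already happened. Only the `'agenda'` key is removed here; whether the response carries agenda content under other keys is outside this hunk. The `_item` line is indented by one space rather than two.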

