incubator-allura-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From john...@apache.org
Subject [3/3] git commit: [#5647] ticket:279 Don't elevate creator's rights on private tickets
Date Wed, 27 Feb 2013 18:52:46 GMT
Updated Branches:
  refs/heads/cj/5647 [created] 36b8c925f


[#5647] ticket:279 Don't elevate creator's rights on private tickets


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/80488627
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/80488627
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/80488627

Branch: refs/heads/cj/5647
Commit: 8048862787542e7a947b118cf684aaa4ae4bdd4c
Parents: c847237
Author: Igor Bondarenko <jetmind2@gmail.com>
Authored: Thu Feb 21 16:03:09 2013 +0000
Committer: Cory Johns <johnsca@geek.net>
Committed: Wed Feb 27 18:52:17 2013 +0000

----------------------------------------------------------------------
 ForgeTracker/forgetracker/model/ticket.py          |    4 ++-
 .../forgetracker/tests/functional/test_root.py     |   28 +++++++++++++++
 2 files changed, 31 insertions(+), 1 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/80488627/ForgeTracker/forgetracker/model/ticket.py
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/model/ticket.py b/ForgeTracker/forgetracker/model/ticket.py
index d98f72a..b01782a 100644
--- a/ForgeTracker/forgetracker/model/ticket.py
+++ b/ForgeTracker/forgetracker/model/ticket.py
@@ -413,7 +413,9 @@ class Ticket(VersionedArtifact, ActivityObject, VotableArtifact):
             role_creator = self.reported_by.project_role()._id
             self.acl = [
                 ACE.allow(role_developer, ALL_PERMISSIONS),
-                ACE.allow(role_creator, ALL_PERMISSIONS),
+                ACE.allow(role_creator, 'read'),
+                ACE.allow(role_creator, 'post'),
+                ACE.allow(role_creator, 'unmoderated_post'),
                 DENY_ALL]
         else:
             self.acl = []

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/80488627/ForgeTracker/forgetracker/tests/functional/test_root.py
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/tests/functional/test_root.py b/ForgeTracker/forgetracker/tests/functional/test_root.py
index 1b67a61..3d038f9 100644
--- a/ForgeTracker/forgetracker/tests/functional/test_root.py
+++ b/ForgeTracker/forgetracker/tests/functional/test_root.py
@@ -1084,6 +1084,34 @@ class TestFunctionalController(TrackerTestController):
         a = r.html.find('a', {'class': 'edit_ticket'})
         assert a.text == 'Edit'
 
+    def test_ticket_creator_cant_edit_private_ticket_without_update_perm(self):
+        p = M.Project.query.get(shortname='test')
+        tracker = p.app_instance('bugs')
+        # authenticated user has 'create' permission, but not 'update'
+        role = M.ProjectRole.by_name('*authenticated')._id
+        create_permission = M.ACE.allow(role, 'create')
+        update_permission = M.ACE.allow(role, 'update')
+        acl = tracker.config.acl
+        acl.append(create_permission)
+        if update_permission in acl:
+            acl.remove(update_permission)
+        # test-user creates private ticket
+        env = {'username': 'test-user'}
+        post_data = {
+            'ticket_form.summary': 'Private ticket title',
+            'ticket_form.private': True
+        }
+        self.app.post('/bugs/save_ticket', post_data, extra_environ=env)
+        # ... and can see it
+        r = self.app.get('/bugs/1/', extra_environ=env)
+        assert 'Private ticket title' in r
+        assert '<label class="simple">Private:</label> Yes' in r, 'Ticket is
not private'
+        # ... and can't see 'Edit' link
+        assert r.html.find('a', {'class': 'edit_ticket'}) is None, "Found 'Edit' link"
+        # ... and can't actually edit it
+        self.app.post('/bugs/1/update_ticket', {'summary': 'should fail'},
+                      extra_environ=env, status=403)
+
     def test_imported_tickets_redirect(self):
         self.new_ticket(summary='Imported ticket')
         ticket = tm.Ticket.query.get(ticket_num=1)


Mime
View raw message