From john...@apache.org
Subject git commit: [#7026] Require POST for follow/unfollow actions
Date Mon, 13 Jan 2014 22:41:02 GMT
Updated Branches:
  refs/heads/cj/7026 [created] adfd34ce5


[#7026] Require POST for follow/unfollow actions

Signed-off-by: Cory Johns <cjohns@slashdotmedia.com>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/adfd34ce
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/adfd34ce
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/adfd34ce

Branch: refs/heads/cj/7026
Commit: adfd34ce5a567c8bc44943518a280f0f48a8aa55
Parents: e45ab19
Author: Cory Johns <cjohns@slashdotmedia.com>
Authored: Mon Jan 13 22:40:43 2014 +0000
Committer: Cory Johns <cjohns@slashdotmedia.com>
Committed: Mon Jan 13 22:40:43 2014 +0000

----------------------------------------------------------------------
 Allura/allura/model/artifact.py                           |  2 +-
 Allura/allura/model/discuss.py                            |  4 ++++
 Allura/allura/model/timeline.py                           |  2 ++
 Allura/allura/templates/jinja_master/lib.html             |  8 +++++++-
 ForgeActivity/forgeactivity/main.py                       |  2 ++
 ForgeActivity/forgeactivity/templates/widgets/follow.html |  3 ++-
 ForgeActivity/forgeactivity/tests/functional/test_root.py |  4 ++--
 .../forgeactivity/widgets/resources/js/follow.js          | 10 ++++++----
 8 files changed, 26 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/adfd34ce/Allura/allura/model/artifact.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/artifact.py b/Allura/allura/model/artifact.py
index 8a01c42..56c7643 100644
--- a/Allura/allura/model/artifact.py
+++ b/Allura/allura/model/artifact.py
@@ -265,7 +265,7 @@ class Artifact(MappedClass):
         this Artifact belongs.
 
         """
-        return self.app_config.project
+        return getattr(self.app_config, 'project', None)
 
     @property
     def project_id(self):
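Review bot: The `project` property now returns None when `app_config` has no `project` (or is itself None), but its docstring, which starts above the hunk and ends at `this Artifact belongs.`, still describes a project that is always present; add a line such as `Returns None if this artifact has no app_config (or the config has no project).`. Any caller that dereferences the result now fails one step later with an AttributeError on None rather than at the attribute lookup; the None guards this commit adds to the access checks in discuss.py and timeline.py cover those two callers, other callers are not visible here.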

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/adfd34ce/Allura/allura/model/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/discuss.py b/Allura/allura/model/discuss.py
index 4815ceb..0fae04c 100644
--- a/Allura/allura/model/discuss.py
+++ b/Allura/allura/model/discuss.py
@@ -492,8 +492,12 @@ class Post(Message, VersionedArtifact, ActivityObject):
         not have access to a 'comment' activity unless he also has access to
         the artifact on which it was posted (if there is one).
         """
+        if self.project is None:
+            return False
         artifact_access = True
         if self.thread.artifact:
+            if self.thread.artifact.project is None:
+                return False
             artifact_access = security.has_access(self.thread.artifact, perm,
                                                   user, self.thread.artifact.project)
 
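Review bot: The two new `return False` guards fail closed when an artifact has no project, which is the right default for an access check, but nothing says why `project` can be None here, so a later "simplification" could drop them; add a one-line comment above the first guard, e.g. `# fail closed: project is None when the app_config has no project (see Artifact.project)`. The same guard is added in timeline.py for ActivityObject; since the hunk header shows Post inheriting from ActivityObject, it may be worth checking whether this override can delegate the `self.project` test to the base check instead of duplicating it. The enclosing method continues outside the hunk.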

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/adfd34ce/Allura/allura/model/timeline.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/timeline.py b/Allura/allura/model/timeline.py
index 3487b9c..7b350aa 100644
--- a/Allura/allura/model/timeline.py
+++ b/Allura/allura/model/timeline.py
@@ -89,6 +89,8 @@ class ActivityObject(ActivityObjectBase):
         """Return True if user has perm access to this object, otherwise
         return False.
         """
+        if self.project is None:
+            return False
         return security.has_access(self, perm, user, self.project)
 
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/adfd34ce/Allura/allura/templates/jinja_master/lib.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/jinja_master/lib.html b/Allura/allura/templates/jinja_master/lib.html
index 4162368..f83e23c 100644
--- a/Allura/allura/templates/jinja_master/lib.html
+++ b/Allura/allura/templates/jinja_master/lib.html
@@ -17,9 +17,15 @@
        under the License.
 -#}
 
+{% macro csrf() -%}
+  {% if request -%}
+    {{request.cookies['_session_id']}}
+  {%- endif %}
+{%- endmacro %}
+
 {% macro csrf_token() -%}
   {% if request %}
-    <input name="_session_id" type="hidden" value="{{request.cookies['_session_id']}}">
+    <input name="_session_id" type="hidden" value="{{csrf()}}">
   {% endif %}
 {%- endmacro %}
 
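Review bot: The new `csrf()` macro returns the bare token value while `csrf_token()` renders a hidden input, and nothing in the template says when to use which; add a comment above the macro, e.g. `{#- csrf(): bare token value for attributes/JS (see follow.html); csrf_token(): the hidden form field -#}`. The macro also reads `request`, so an importing template must use `import ... with context` (as follow.html does in this commit); without it the `{% if request %}` branch is silently empty and the token is omitted, which is worth stating in the same comment.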

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/adfd34ce/ForgeActivity/forgeactivity/main.py
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/main.py b/ForgeActivity/forgeactivity/main.py
index 9188b66..a1bb21d 100644
--- a/ForgeActivity/forgeactivity/main.py
+++ b/ForgeActivity/forgeactivity/main.py
@@ -31,6 +31,7 @@ from allura.controllers import BaseController
 from allura.lib.security import require_authenticated
 from allura.model.timeline import perm_check
 from allura.lib import helpers as h
+from allura.lib.decorators import require_post
 
 from .widgets.follow import FollowToggle
 
@@ -138,6 +139,7 @@ class ForgeActivityController(BaseController):
                 author_link=h.absurl(t.actor.activity_url))
         return feed.writeString('utf-8')
 
+    @require_post()
     @expose('json:')
     @validate(W.follow_toggle)
     def follow(self, follow, **kw):
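Review bot: The `follow` action is now POST-only but carries no docstring saying so, and its body continues outside the hunk; suggest adding `"""Follow or unfollow on behalf of the current user. POST only (require_post); follow.js sends `follow` as 'true'/'false' together with the `_session_id` field."""`. Note that `@require_post()` sits outside `@expose('json:')`, so a rejected non-POST request is answered by `require_post` rather than as JSON; the caller in follow.js currently handles only the success path.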

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/adfd34ce/ForgeActivity/forgeactivity/templates/widgets/follow.html
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/templates/widgets/follow.html b/ForgeActivity/forgeactivity/templates/widgets/follow.html
index 78ae48f..34387e2 100644
--- a/ForgeActivity/forgeactivity/templates/widgets/follow.html
+++ b/ForgeActivity/forgeactivity/templates/widgets/follow.html
@@ -16,7 +16,8 @@
        specific language governing permissions and limitations
        under the License.
 -#}
-<a  href="{{action}}?follow={{not following}}"
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
+<a  href="{{action}}" data-following="{{following|lower}}" data-csrf="{{lib.csrf()}}"
     class="artifact_follow{{ ' active' if following }}"
     title="{{'Stop %sing' % action_label if following else action_label|capitalize}} {{thing}}"><b
         data-icon="{{g.icons[icon].char}}" class="ico {{g.icons[icon].css}}"
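Review bot: `with context` on the new import is load-bearing — `lib.csrf()` tests `request`, which it only sees through the importing template's context — but nothing marks it as such; add `{#- with context: lib.csrf() needs `request` to emit the token -#}` above the import line. `data-following="{{following|lower}}"` likewise relies on jQuery's `.data()` turning 'true'/'false' back into booleans in follow.js, which deserves the same kind of one-line note.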

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/adfd34ce/ForgeActivity/forgeactivity/tests/functional/test_root.py
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/tests/functional/test_root.py b/ForgeActivity/forgeactivity/tests/functional/test_root.py
index c308112..6ac88d9 100644
--- a/ForgeActivity/forgeactivity/tests/functional/test_root.py
+++ b/ForgeActivity/forgeactivity/tests/functional/test_root.py
@@ -123,7 +123,7 @@ class TestActivityController(TestController):
     @td.with_tool('u/test-user-1', 'activity')
     @td.with_user_project('test-user-1')
     def test_follow_user(self):
-        resp = self.app.get('/u/test-user-1/activity/follow?follow=True')
+        resp = self.app.post('/u/test-user-1/activity/follow', {'follow': 'True'})
         assert 'You are now following Test User 1' in resp, resp
 
     @td.with_tool('u/test-admin', 'activity')
@@ -156,7 +156,7 @@ class TestActivityController(TestController):
     @td.with_tool('u/test-user-1', 'activity')
     @td.with_user_project('test-user-1')
     def test_background_aggregation(self):
-        self.app.get('/u/test-admin/activity/follow?follow=True',
+        self.app.post('/u/test-admin/activity/follow', {'follow':'true'},
                      extra_environ=dict(username='test-user-1'))
         # new ticket, creates activity
         d = {'ticket_form.summary': 'New Ticket'}
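Review bot: Neither updated test checks that a GET is now refused, which is the behaviour this commit introduces; add a test such as `self.app.get('/u/test-user-1/activity/follow?follow=True', status=405)` (or whichever status `require_post` raises — verify). Both POSTs here and in test_follow_user omit `_session_id`, so they do not exercise the CSRF double-submit that follow.js performs; presumably the test environment does not enforce that check, which is worth confirming. This hunk sends `'true'` where test_follow_user sends `'True'`; pick one spelling so the tests document the accepted form (follow.js sends lowercase), and `{'follow':'true'}` wants a space after the colon.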

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/adfd34ce/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/widgets/resources/js/follow.js b/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
index 0739963..b7d2679 100644
--- a/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
+++ b/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
@@ -33,16 +33,18 @@ $(document).ready(function() {
     $('.artifact_follow').click(function(e) {
         e.preventDefault();
         var $link = $(this);
-        $.get(this.href, function(result) {
+        var data = {
+            '_session_id': $link.data('csrf'),
+            'follow': ! $link.data('following')
+        };
+        $.post(this.href, data, function(result) {
             flash(result.message, result.success ? 'success' : 'error');
-            console.log(result.following);
+            $link.data('following', result.following);
             if (result.following && !$link.hasClass('active')) {
-                $link.attr('href', $link.attr('href').replace(/True$/i, 'False'));
                 $link.addClass('active');
                 title_stop_following($link);
                 title_stop_following($link.find('b'));
             } else if (!result.following && $link.hasClass('active')) {
-                $link.attr('href', $link.attr('href').replace(/False$/i, 'True'));
                 $link.removeClass('active');
                 title_start_following($link);
                 title_start_following($link.find('b'));
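Review bot: `$.post` is given only a success callback, so a rejected request (expired session, missing or mismatched CSRF token, or a permission error) leaves the link unchanged with no feedback; chain a failure handler, e.g. `}).fail(function() { flash('Could not update follow status', 'error'); });`, if the bundled jQuery supports deferred callbacks. `$link.data('csrf')` also passes the token through jQuery's data() type coercion; `$link.attr('data-csrf')` returns the attribute verbatim and is the safer choice for an opaque token. The click handler continues outside the hunk.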

