Modify ↓
Opened 7 years ago
Closed 7 years ago
#13342 closed defect (fixed)
Permission restriction not working, anyone can post review
| Reported by: | ntmlod | Owned by: | Jun Omae |
|---|---|---|---|
| Priority: | normal | Component: | CodeReviewerPlugin |
| Severity: | normal | Keywords: | |
| Cc: | Trac Release: | 1.0 |
Description
I have tried to fix it by myself, I add IPermissionRequestor methods so the permissions seems to be complied with from that.
I modify the test that controls the modification of ./changeset page but it's not working.
-
coderev/web_ui.py
41 41 class CodeReviewerModule(Component): 42 42 """Base component for reviewing changesets.""" 43 43 44 implements(ITemplateProvider, IRequestFilter )44 implements(ITemplateProvider, IRequestFilter, IPermissionRequestor) 45 45 46 46 # config options 47 47 statuses = ListOption('codereviewer', 'status_choices', … … 68 68 def get_templates_dirs(self): 69 69 return [] 70 70 71 # IPermissionRequestor methods 72 73 def get_permission_actions(self): 74 return ['CODEREVIEWER_MODIFY'] 75 71 76 # IRequestFilter methods 72 77 73 78 def pre_process_request(self, req, handler): … … 76 81 def post_process_request(self, req, template, data, content_type): 77 82 diff_mode = data and 'changeset' in data and \ 78 83 data['changeset'] is False 79 if req.path_info.startswith('/changeset') and not diff_mode :84 if req.path_info.startswith('/changeset') and not diff_mode and 'CODEREVIEWER_MODIFY' in req.perm: 80 85 changeset = data['changeset'] 81 86 repos = changeset.repos 82 87 reponame, rev = repos.reponame, repos.db_rev(changeset.rev)
Attachments (0)
Change History (4)
comment:1 Changed 7 years ago by
comment:2 follow-up: 3 Changed 7 years ago by
I don't think it is needed to implement IPermissionRequestor in CodeReviewerModule because CODEREVIEWER_MODIFY is declared in CodeReviewerSystem.get_permission_actions().
-
codereviewerplugin/1.0/coderev/web_ui.py
diff --git a/codereviewerplugin/1.0/coderev/web_ui.py b/codereviewerplugin/1.0/coderev/web_ui.py index abc9e8f72..dccd818b9 100644
a b class CodeReviewerModule(Component): 76 76 def post_process_request(self, req, template, data, content_type): 77 77 diff_mode = data and 'changeset' in data and \ 78 78 data['changeset'] is False 79 if req.path_info.startswith('/changeset') and not diff_mode: 79 if req.path_info.startswith('/changeset') and not diff_mode and \ 80 'CODEREVIEWER_MODIFY' in req.perm: 80 81 changeset = data['changeset'] 81 82 repos = changeset.repos 82 83 reponame, rev = repos.reponame, repos.db_rev(changeset.rev)
comment:3 Changed 7 years ago by
Replying to Jun Omae:
I don't think it is needed to implement
IPermissionRequestorinCodeReviewerModulebecauseCODEREVIEWER_MODIFYis declared inCodeReviewerSystem.get_permission_actions().
codereviewerplugin/1.0/coderev/web_ui.py
diff --git a/codereviewerplugin/1.0/coderev/web_ui.py b/codereviewerplugin/1.0/coderev/web_ui.py index abc9e8f72..dccd818b9 100644
a b class CodeReviewerModule(Component): 76 76 def post_process_request(self, req, template, data, content_type): 77 77 diff_mode = data and 'changeset' in data and \ 78 78 data['changeset'] is False 79 if req.path_info.startswith('/changeset') and not diff_mode: 79 if req.path_info.startswith('/changeset') and not diff_mode and \ 80 'CODEREVIEWER_MODIFY' in req.perm: 80 81 changeset = data['changeset'] 81 82 repos = changeset.repos 82 83 reponame, rev = repos.reponame, repos.db_rev(changeset.rev)
You're right, my proposal was not much enhanced. The additional test is enough.
comment:4 Changed 7 years ago by
| Owner: | set to Jun Omae |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
In 17013:
Note: See
TracTickets for help on using
tickets.
Stupid mistake, I forgot the
importat the beginning.coderev/web_ui.py
):Seems to be working now