Marcin Kuzminski avatar Marcin Kuzminski committed 162bf5c

fixed missing permissions check on forks page


Files changed (3)

docs/changelog.rst

 +++++
 
 - fixed dev-version marker for stable when served from source codes
+- fixed missing permission checks on show forks page
 
 1.3.4 (**2012-03-28**)
 ----------------------

rhodecode/controllers/forks.py

 
 from rhodecode.lib.helpers import Page
 from rhodecode.lib.auth import LoginRequired, HasRepoPermissionAnyDecorator, \
-    NotAnonymous
+    NotAnonymous, HasRepoPermissionAny
 from rhodecode.lib.base import BaseRepoController, render
 from rhodecode.model.db import Repository, RepoGroup, UserFollowing, User
 from rhodecode.model.repo import RepoModel
     def forks(self, repo_name):
         p = int(request.params.get('page', 1))
         repo_id = c.rhodecode_db_repo.repo_id
-        d = Repository.get_repo_forks(repo_id)
+        d = []
+        for r in Repository.get_repo_forks(repo_id):
+            if not HasRepoPermissionAny(
+                'repository.read', 'repository.write', 'repository.admin'
+            )(r.repo_name, 'get forks check'):
+                continue
+            d.append(r)
         c.forks_pager = Page(d, page=p, items_per_page=20)
 
         c.forks_data = render('/forks/forks_data.html')
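Review bot: The filter loop at L33–L39 builds a fresh `HasRepoPermissionAny(...)` checker on every iteration and repeats the permission tuple inline, which makes the visible-forks rule easy to drift from the decorator that guards the action (that decorator is outside this hunk, so I cannot confirm they match). Hoisting the checker and collapsing the loop keeps one source of truth: `can_read = HasRepoPermissionAny('repository.read', 'repository.write', 'repository.admin')` followed by `d = [r for r in Repository.get_repo_forks(repo_id) if can_read(r.repo_name, 'get forks check')]`. A short why-comment is also missing; I would add `# filter per fork: the caller may read the parent repo, but each fork carries its own ACL`. Filtering before `Page(...)` is the right order, since the page count then reflects only forks the current user is allowed to see; the rest of `forks()` continues past the hunk.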

rhodecode/tests/functional/test_forks.py

 from rhodecode.tests import *
 
 from rhodecode.model.db import Repository
+from rhodecode.model.repo import RepoModel
+from rhodecode.model.user import UserModel
+
 
 class TestForksController(TestController):
 
+    def setUp(self):
+        self.username = u'forkuser'
+        self.password = u'qweqwe'
+        self.u1 = UserModel().create_or_update(
+            username=self.username, password=self.password,
+            email=u'fork_king@rhodecode.org', name=u'u1', lastname=u'u1'
+        )
+        self.Session.commit()
+
+    def tearDown(self):
+        self.Session.delete(self.u1)
+        self.Session.commit()
+
     def test_index(self):
         self.log_user()
         repo_name = HG_REPO
 
         self.assertTrue("""There are no forks yet""" in response.body)
 
-
     def test_index_with_fork(self):
         self.log_user()
 
         response = self.app.get(url(controller='forks', action='forks',
                                     repo_name=repo_name))
 
-
         self.assertTrue("""<a href="/%s/summary">"""
                          """vcs_test_hg_fork</a>""" % fork_name
                          in response.body)
         #remove this fork
         response = self.app.delete(url('repo', repo_name=fork_name))
 
-
-
-
     def test_z_fork_create(self):
         self.log_user()
         fork_name = HG_FORK
         self.assertEqual(fork_repo.repo_name, fork_name)
         self.assertEqual(fork_repo.fork.repo_name, repo_name)
 
-
         #test if fork is visible in the list ?
         response = response.follow()
 
-
         # check if fork is marked as fork
         # wait for cache to expire
         import time
                                     repo_name=fork_name))
 
         self.assertTrue('Fork of %s' % repo_name in response.body)
+
+    def test_zz_fork_permission_page(self):
+        usr = self.log_user(self.username, self.password)['user_id']
+        repo_name = HG_REPO
+
+        forks = self.Session.query(Repository)\
+            .filter(Repository.fork_id != None)\
+            .all()
+        self.assertEqual(1, len(forks))
+
+        # set read permissions for this
+        RepoModel().grant_user_permission(repo=forks[0],
+                                          user=usr,
+                                          perm='repository.read')
+        self.Session.commit()
+
+        response = self.app.get(url(controller='forks', action='forks',
+                                    repo_name=repo_name))
+
+        response.mustcontain('<div style="padding:5px 3px 3px 42px;">fork of vcs test</div>')
+
+    def test_zzz_fork_permission_page(self):
+        usr = self.log_user(self.username, self.password)['user_id']
+        repo_name = HG_REPO
+
+        forks = self.Session.query(Repository)\
+            .filter(Repository.fork_id != None)\
+            .all()
+        self.assertEqual(1, len(forks))
+
+        # set none
+        RepoModel().grant_user_permission(repo=forks[0],
+                                          user=usr, perm='repository.none')
+        self.Session.commit()
+        # fork shouldn't be there
+        response = self.app.get(url(controller='forks', action='forks',
+                                    repo_name=repo_name))
+        response.mustcontain('There are no forks yet')
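Review bot: `test_zzz_fork_permission_page` only proves the fork disappears after an explicit `repository.none` grant; there is no case for a user with no explicit grant at all, which is the default-permission path the controller change also affects, so a third method (or a parametrised assertion) that skips the `grant_user_permission` call and still expects `'There are no forks yet'` would close that gap. The positive assertion `response.mustcontain('<div style="padding:5px 3px 3px 42px;">fork of vcs test</div>')` couples the permission test to inline styling; asserting on the fork's summary link, as `test_index_with_fork` already does, would survive template changes. The `z`/`zz`/`zzz` prefixes make these tests depend on `test_z_fork_create` having run first (`self.assertEqual(1, len(forks))` otherwise fails), which is worth a one-line comment such as `# relies on test_z_fork_create leaving HG_FORK in place` until the fork is created in a fixture. Whether `tearDown`'s `self.Session.delete(self.u1)` also removes the permission rows granted in these tests depends on cascade settings not visible here.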