annotate test/tx_Source_detector.py @ 5232:462b0f76fce8

issue2550864 - Potential information leakage via journal/history

Fix this by making the hyperdb::Class::history function check for view permissions on the journaled properties. So a user that sees [hidden] for a property in the web interface doesn't see the property changes in the history.

While doing this, relocated the filter for quiet properties from the templating class to the hyperdb. Also added the skipquiet option to the history command in roundup-admin.py to enable filtering of quiet params.

Also changed calls to history() in the backend databases to report all items.

Changed inline documentation for all history calls that document the actions. The create action (before Nov 6 2002) used to record all parameters. After that point the create call uses an empty dictionary. The filtering code depends on the create dictionary being empty. It may not operate properly on very old roundup databases.

Changed calls to logging.getLogger to roundup.hyperdb.backends to allow filtering the back end while keeping hyperdb logging.

In cgi/templating.py, changed history() function consolidating handling of link and unlink actions.

Added tests for quiet property filtering and permission filtering of history.
author John Rouillard <rouilj@ieee.org>
date Fri, 14 Apr 2017 23:24:18 -0400
parents 6e9b9743de89
children 64b05e24dbd8
#
# Example output when the web interface changes item 3 and the email
# (non-PGP) interface changes item 4:
#
# tx_SourceCheckAudit(3) pre db.tx_Source: cgi
# tx_SourceCheckAudit(4) pre db.tx_Source: email
# tx_SourceCheckAudit(3) post db.tx_Source: cgi
# tx_SourceCheckAudit(4) post db.tx_Source: email
# tx_SourceCheckReact(4) pre db.tx_Source: email
# tx_SourceCheckReact(4) post db.tx_Source: email
# tx_SourceCheckReact(3) pre db.tx_Source: cgi
# tx_SourceCheckReact(3) post db.tx_Source: cgi
#
# Note that the calls are interleaved, but the proper
# tx_Source is associated with the same ticket.

import time as time

# Reject is what a detector raises to veto a change; it is only needed for
# the commented-out policy example in tx_SourceCheckAudit below.
from roundup.exceptions import Reject


def tx_SourceCheckAudit(db, cl, nodeid, newvalues):
    ''' An auditor to print the value of the source of the
        transaction that triggers this change. A time.sleep() call
        (not enabled in this copy) is used to delay the transaction so
        that multiple changes will overlap. The expected output from
        this detector is two lines with the same value for tx_Source.
        Tx source is:
          None - Reported when using a script; it is an error if
                 the change arrives by another method.
          "cli" - reported when using roundup-admin
          "web" - reported when using any web based technique
          "email" - reported when using an unauthenticated email based technique
          "email-sig-openpgp" - reported when email with a valid pgp
                                signature is used
    '''
    # Debug output is disabled; change "and False" to enable it.
    if __debug__ and False:
        print("\n tx_SourceCheckAudit(%s) db.tx_Source: %s" % (nodeid, db.tx_Source))

    # Record the transaction source on the item so the reactor (and tests)
    # can confirm the right source was associated with this change.
    newvalues['tx_Source'] = db.tx_Source

    # example use for real to prevent a change from happening if it's
    # submitted via (unauthenticated) email
    #
    # if db.tx_Source == "email":
    #     raise Reject('Change not allowed via email')


def tx_SourceCheckReact(db, cl, nodeid, oldvalues):
    ''' A reactor to print the value of the source of the
        transaction that triggers this change. A time.sleep() call
        (not enabled in this copy) is used to delay the transaction so
        that multiple changes will overlap. The expected output from
        this detector is two lines with the same value for tx_Source.
        Tx source is:
          None - Reported when using a script; it is an error if
                 the change arrives by another method.
          "cli" - reported when using roundup-admin
          "web" - reported when using any web based technique
          "email" - reported when using an unauthenticated email based technique
          "email-sig-openpgp" - reported when email with a valid pgp
                                signature is used
    '''
    # Debug output is disabled; change "and False" to enable it.
    if __debug__ and False:
        print(" tx_SourceCheckReact(%s) db.tx_Source: %s" % (nodeid, db.tx_Source))


def init(db):
    # Auditors run before the change is committed and may veto it.
    db.issue.audit('create', tx_SourceCheckAudit)
    db.issue.audit('set', tx_SourceCheckAudit)

    # Reactors run after the change has been committed.
    db.issue.react('set', tx_SourceCheckReact)
    db.issue.react('create', tx_SourceCheckReact)

    db.msg.audit('create', tx_SourceCheckAudit)

Roundup Issue Tracker: http://roundup-tracker.org/