comparison test/test_mailgw.py @ 4289:7275e3dec0e0
Fix security-problem: If user hasn't permission on a message...
...(notably files and content properties) and is on the nosy list, the
content was sent via email. We now check that user has permission on
the message content and files properties. Also add a regression test
for this.
| author | Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net> |
|---|---|
| date | Mon, 30 Nov 2009 14:45:44 +0000 |
| parents | 57dfcc824acc |
| children | d47245c2530a |
| 4288:ce684080e968 | 4289:7275e3dec0e0 |
|---|---|
| 1891 ''') | 1891 ''') |
| 1892 | 1892 |
| 1893 assert nodeid1 == nodeid2 | 1893 assert nodeid1 == nodeid2 |
| 1894 self.assertEqual(self.db.issue.get(nodeid2, 'title'), "Testing...") | 1894 self.assertEqual(self.db.issue.get(nodeid2, 'title'), "Testing...") |
| 1895 | 1895 |
| 1896 def testSecurityMessagePermissionContent(self): | |
| 1897 id = self.doNewIssue() | |
| 1898 issue = self.db.issue.getnode (id) | |
| 1899 self.db.security.addRole(name='Nomsg') | |
| 1900 self.db.security.addPermissionToRole('Nomsg', 'Email Access') | |
| 1901 for cl in 'issue', 'file', 'keyword': | |
| 1902 for p in 'View', 'Edit', 'Create': | |
| 1903 self.db.security.addPermissionToRole('Nomsg', p, cl) | |
| 1904 self.db.user.set(self.mary_id, roles='Nomsg') | |
| 1905 nodeid = self._handle_mail('''Content-Type: text/plain; | |
| 1906 charset="iso-8859-1" | |
| 1907 From: Chef <chef@bork.bork.bork> | |
| 1908 To: issue_tracker@your.tracker.email.domain.example | |
| 1909 Message-Id: <dummy_test_message_id> | |
| 1910 Subject: [issue%(id)s] Testing... [nosy=+mary] | |
| 1911 | |
| 1912 Just a test reply | |
| 1913 '''%locals()) | |
| 1914 assert os.path.exists(SENDMAILDEBUG) | |
| 1915 self.compareMessages(self._get_mail(), | |
| 1916 '''FROM: roundup-admin@your.tracker.email.domain.example | |
| 1917 TO: chef@bork.bork.bork, richard@test.test | |
| 1918 Content-Type: text/plain; charset="utf-8" | |
| 1919 Subject: [issue1] Testing... | |
| 1920 To: richard@test.test | |
| 1921 From: "Bork, Chef" <issue_tracker@your.tracker.email.domain.example> | |
| 1922 Reply-To: Roundup issue tracker <issue_tracker@your.tracker.email.domain.example> | |
| 1923 MIME-Version: 1.0 | |
| 1924 Message-Id: <dummy_test_message_id> | |
| 1925 X-Roundup-Name: Roundup issue tracker | |
| 1926 X-Roundup-Loop: hello | |
| 1927 X-Roundup-Issue-Status: chatting | |
| 1928 Content-Transfer-Encoding: quoted-printable | |
| 1929 | |
| 1930 | |
| 1931 Bork, Chef <chef@bork.bork.bork> added the comment: | |
| 1932 | |
| 1933 Just a test reply | |
| 1934 | |
| 1935 ---------- | |
| 1936 nosy: +mary | |
| 1937 status: unread -> chatting | |
| 1938 | |
| 1939 _______________________________________________________________________ | |
| 1940 Roundup issue tracker <issue_tracker@your.tracker.email.domain.example> | |
| 1941 <http://tracker.example/cgi-bin/roundup.cgi/bugs/issue1> | |
| 1942 _______________________________________________________________________ | |
| 1943 ''') | |
| 1944 | |
| 1896 | 1945 |
| 1897 def test_suite(): | 1946 def test_suite(): |
| 1898 suite = unittest.TestSuite() | 1947 suite = unittest.TestSuite() |
| 1899 suite.addTest(unittest.makeSuite(MailgwTestCase)) | 1948 suite.addTest(unittest.makeSuite(MailgwTestCase)) |
| 1900 return suite | 1949 return suite |
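Review bot: In testSecurityMessagePermissionContent the 'Nomsg' role receives View, Edit and Create on 'issue', 'file' and 'keyword', so the test only exercises a user with no permission on messages; the commit message says the files property is checked as well, and nothing here covers a nosy user who may read the message but not its files. A second test that withholds the 'file' permissions and sends a mail with an attachment would pin that path down. The intent that mary must be absent from the expected "TO: chef@bork.bork.bork, richard@test.test" line is only implied by the full-message comparison, so a one-line comment or docstring saying so would help the next reader. Minor: "issue = self.db.issue.getnode (id)" and the nodeid returned by _handle_mail are never used, id shadows the builtin, and the expected Subject hard-codes "[issue1]" while the inbound mail builds it from %(id)s.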
