changeset 4301:d47245c2530a

Fix some security assertions and tests. Fix some security assertions in mailgw to only assert Edit permissions if the user is editing an existing db node; otherwise check Create. Fix some tests that were broken by the new assertions, by the Create -> Register change and by the new "not registered" message.
author Richard Jones <richard@users.sourceforge.net>
date Mon, 07 Dec 2009 05:13:27 +0000
parents 608919e3bbbf
children 01b1baf19271
files CHANGES.txt roundup/mailgw.py test/db_test_base.py test/test_mailgw.py
diffstat 4 files changed, 34 insertions(+), 20 deletions(-) [+]
--- a/CHANGES.txt	Mon Dec 07 05:08:34 2009 +0000
+++ b/CHANGES.txt	Mon Dec 07 05:13:27 2009 +0000
@@ -1,7 +1,7 @@
 This file contains the changes to the Roundup system over time. The entries
 are given with the most recent entry first.
 
-2009-XX-XX 1.4.XX (rXXXX)
+2009-12-XX 1.4.11 (rXXXX)
 
 Features:
 - Generic class editor may now restore retired items (thanks Ralf Hemmecke)
--- a/roundup/mailgw.py	Mon Dec 07 05:08:34 2009 +0000
+++ b/roundup/mailgw.py	Mon Dec 07 05:13:27 2009 +0000
@@ -1296,8 +1296,8 @@
         #
         # handle the attachments
         #
-        if properties.has_key('files'):
-            files = []
+        files = []
+        if attachments and properties.has_key('files'):
             for (name, mime_type, data) in attachments:
                 if not self.db.security.hasPermission('Create', author, 'file'):
                     raise Unauthorized, _(
@@ -1311,8 +1311,8 @@
                     pass
                 else:
                     files.append(fileid)
-            # attach the files to the issue
-            if not self.db.security.hasPermission('Edit', author,
+            # allowed to attach the files to an existing node?
+            if nodeid and not self.db.security.hasPermission('Edit', author,
                     classname, 'files'):
                 raise Unauthorized, _(
                     'You are not permitted to add files to %(classname)s.'
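Review bot: The added `nodeid and` guard means that when a new node is being created the `files` property gets no Edit check here, so the only gate left on it is the per-property Create loop later in the method, and that holds only if the `files` list is put into `props` before that loop runs; the wiring is outside this hunk and should be confirmed. The `messages` guard in the following hunk (`if nodeid and not self.db.security.hasPermission('Edit', author, classname, 'messages')`) has the same dependency. A comment on the guard would make that explicit, e.g. `# new node: 'files' is covered by the per-property Create check before cl.create()`. The enclosing method starts and ends outside the hunk.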
@@ -1345,8 +1345,8 @@
 Mail message was rejected by a detector.
 %(error)s
 """) % locals()
-            # attach the message to the node
-            if not self.db.security.hasPermission('Edit', author,
+            # allowed to attach the message to the existing node?
+            if nodeid and not self.db.security.hasPermission('Edit', author,
                     classname, 'messages'):
                 raise Unauthorized, _(
                     'You are not permitted to add messages to %(classname)s.'
@@ -1372,16 +1372,21 @@
                 if not props.has_key(prop) :
                     props[prop] = issue_props[prop]
 
-            # Check permissions for each property
-            for prop in props.keys():
-                if not self.db.security.hasPermission('Edit', author,
-                        classname, prop):
-                    raise Unauthorized, _('You are not permitted to edit '
-                        'property %(prop)s of class %(classname)s.') % locals()
-
             if nodeid:
+                # Check permissions for each property
+                for prop in props.keys():
+                    if not self.db.security.hasPermission('Edit', author,
+                            classname, prop):
+                        raise Unauthorized, _('You are not permitted to edit '
+                            'property %(prop)s of class %(classname)s.') % locals()
                 cl.set(nodeid, **props)
             else:
+                # Check permissions for each property
+                for prop in props.keys():
+                    if not self.db.security.hasPermission('Create', author,
+                            classname, prop):
+                        raise Unauthorized, _('You are not permitted to set '
+                            'property %(prop)s of class %(classname)s.') % locals()
                 nodeid = cl.create(**props)
         except (TypeError, IndexError, ValueError, exceptions.Reject), message:
             raise MailUsageError, _("""
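Review bot: The two property-permission loops in the `if nodeid:` and `else:` branches are identical apart from the permission name and the wording of the message, so the check now exists in two copies that can drift apart. Selecting the permission and the message once and running a single loop before the `cl.set`/`cl.create` branch keeps the authorization logic in one place while leaving both translatable strings unchanged. The enclosing try block starts outside the hunk.
```python
            # Check permissions for each property: an existing node needs
            # Edit, a new node needs Create
            if nodeid:
                perm = 'Edit'
                msg = _('You are not permitted to edit '
                    'property %(prop)s of class %(classname)s.')
            else:
                perm = 'Create'
                msg = _('You are not permitted to set '
                    'property %(prop)s of class %(classname)s.')
            for prop in props.keys():
                if not self.db.security.hasPermission(perm, author,
                        classname, prop):
                    raise Unauthorized, msg % locals()

            if nodeid:
                cl.set(nodeid, **props)
            else:
                nodeid = cl.create(**props)
            # … unchanged: except clause …
```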
--- a/test/db_test_base.py	Mon Dec 07 05:08:34 2009 +0000
+++ b/test/db_test_base.py	Mon Dec 07 05:13:27 2009 +0000
@@ -113,6 +113,9 @@
         priority.create(name="bug", order="1")
     db.commit()
 
+    # nosy tests require this
+    db.security.addPermissionToRole('User', 'View', 'msg')
+
 class MyTestCase(unittest.TestCase):
     def tearDown(self):
         if hasattr(self, 'db'):
--- a/test/test_mailgw.py	Mon Dec 07 05:08:34 2009 +0000
+++ b/test/test_mailgw.py	Mon Dec 07 05:13:27 2009 +0000
@@ -1046,7 +1046,7 @@
             # Add Web Access role to anonymous, and try again to make sure
             # we get a "please register at:" message this time.
             p = [
-                db.security.getPermission('Create', 'user'),
+                db.security.getPermission('Register', 'user'),
                 db.security.getPermission('Web Access', None),
             ]
             db.security.role['anonymous'].permissions=p
@@ -1078,7 +1078,7 @@
             ''' set up callback for db open '''
             # now with the permission
             p = [
-                db.security.getPermission('Create', 'user'),
+                db.security.getPermission('Register', 'user'),
                 db.security.getPermission('Email Access', None),
             ]
             db.security.role['anonymous'].permissions=p
@@ -1088,7 +1088,7 @@
         m.sort()
         self.assertNotEqual(l, m)
 
-    def testNewUserAuthorHighBit(self):
+    def testNewUserAuthorEncodedName(self):
         l = set(self.db.user.list())
         # From: name has Euro symbol in it
         message = '''Content-Type: text/plain;
@@ -1103,10 +1103,12 @@
         def hook (db, **kw):
             ''' set up callback for db open '''
             p = [
-                db.security.getPermission('Create', 'user'),
+                db.security.getPermission('Register', 'user'),
                 db.security.getPermission('Email Access', None),
+                db.security.getPermission('Create', 'issue'),
+                db.security.getPermission('Create', 'msg'),
             ]
-            db.security.role['anonymous'].permissions=p
+            db.security.role['anonymous'].permissions = p
         self.instance.schema_hook = hook
         self._handle_mail(message)
         m = set(self.db.user.list())
@@ -1153,7 +1155,11 @@
 
 
 
-You are not a registered user.
+You are not a registered user. Please register at:
+
+http://tracker.example/cgi-bin/roundup.cgi/bugs/user?template=register
+
+...before sending mail to the tracker.
 
 Unknown address: nonexisting@bork.bork.bork
 
