From c1719d43cd3981c149403fe4137253f06b545aed Mon Sep 17 00:00:00 2001 From: richard Date: Mon, 7 Dec 2009 05:13:27 +0000 Subject: [PATCH] Fix some security assertions in mailgw to only assert Edit permissions if the user is editing an existing db node. If not then check Create. Fix some tests that were broken by the new assertions, the Create -> Register change and finally for the new "not registered" message. git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4405 57a73879-2fb5-44c3-a270-3262357dd7e2 --- CHANGES.txt | 2 +- roundup/mailgw.py | 31 ++++++++++++++++++------------- test/db_test_base.py | 3 +++ test/test_mailgw.py | 18 ++++++++++++------ 4 files changed, 34 insertions(+), 20 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index 566383a..37f6709 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,7 +1,7 @@ This file contains the changes to the Roundup system over time. The entries are given with the most recent entry first. -2009-XX-XX 1.4.XX (rXXXX) +2009-12-XX 1.4.11 (rXXXX) Features: - Generic class editor may now restore retired items (thanks Ralf Hemmecke) diff --git a/roundup/mailgw.py b/roundup/mailgw.py index c9de63a..fb7b6a2 100644 --- a/roundup/mailgw.py +++ b/roundup/mailgw.py @@ -1296,8 +1296,8 @@ not find a text/plain part to use. # # handle the attachments # - if properties.has_key('files'): - files = [] + files = [] + if attachments and properties.has_key('files'): for (name, mime_type, data) in attachments: if not self.db.security.hasPermission('Create', author, 'file'): raise Unauthorized, _( @@ -1311,8 +1311,8 @@ not find a text/plain part to use. pass else: files.append(fileid) - # attach the files to the issue - if not self.db.security.hasPermission('Edit', author, + # allowed to attach the files to an existing node? + if nodeid and not self.db.security.hasPermission('Edit', author, classname, 'files'): raise Unauthorized, _( 'You are not permitted to add files to %(classname)s.' @@ -1345,8 +1345,8 @@ not find a text/plain part to use. Mail message was rejected by a detector. %(error)s """) % locals() - # attach the message to the node - if not self.db.security.hasPermission('Edit', author, + # allowed to attach the message to the existing node? + if nodeid and not self.db.security.hasPermission('Edit', author, classname, 'messages'): raise Unauthorized, _( 'You are not permitted to add messages to %(classname)s.' @@ -1372,16 +1372,21 @@ Mail message was rejected by a detector. if not props.has_key(prop) : props[prop] = issue_props[prop] - # Check permissions for each property - for prop in props.keys(): - if not self.db.security.hasPermission('Edit', author, - classname, prop): - raise Unauthorized, _('You are not permitted to edit ' - 'property %(prop)s of class %(classname)s.') % locals() - if nodeid: + # Check permissions for each property + for prop in props.keys(): + if not self.db.security.hasPermission('Edit', author, + classname, prop): + raise Unauthorized, _('You are not permitted to edit ' + 'property %(prop)s of class %(classname)s.') % locals() cl.set(nodeid, **props) else: + # Check permissions for each property + for prop in props.keys(): + if not self.db.security.hasPermission('Create', author, + classname, prop): + raise Unauthorized, _('You are not permitted to set ' + 'property %(prop)s of class %(classname)s.') % locals() nodeid = cl.create(**props) except (TypeError, IndexError, ValueError, exceptions.Reject), message: raise MailUsageError, _(""" diff --git a/test/db_test_base.py b/test/db_test_base.py index d5cada9..356fb7e 100644 --- a/test/db_test_base.py +++ b/test/db_test_base.py @@ -113,6 +113,9 @@ def setupSchema(db, create, module): priority.create(name="bug", order="1") db.commit() + # nosy tests require this + db.security.addPermissionToRole('User', 'View', 'msg') + class MyTestCase(unittest.TestCase): def tearDown(self): if hasattr(self, 'db'): diff --git a/test/test_mailgw.py b/test/test_mailgw.py index d763fb9..251b47c 100644 --- a/test/test_mailgw.py +++ b/test/test_mailgw.py @@ -1046,7 +1046,7 @@ Unknown address: fubar@bork.bork.bork # Add Web Access role to anonymous, and try again to make sure # we get a "please register at:" message this time. p = [ - db.security.getPermission('Create', 'user'), + db.security.getPermission('Register', 'user'), db.security.getPermission('Web Access', None), ] db.security.role['anonymous'].permissions=p @@ -1078,7 +1078,7 @@ Unknown address: fubar@bork.bork.bork ''' set up callback for db open ''' # now with the permission p = [ - db.security.getPermission('Create', 'user'), + db.security.getPermission('Register', 'user'), db.security.getPermission('Email Access', None), ] db.security.role['anonymous'].permissions=p @@ -1088,7 +1088,7 @@ Unknown address: fubar@bork.bork.bork m.sort() self.assertNotEqual(l, m) - def testNewUserAuthorHighBit(self): + def testNewUserAuthorEncodedName(self): l = set(self.db.user.list()) # From: name has Euro symbol in it message = '''Content-Type: text/plain; @@ -1103,10 +1103,12 @@ This is a test submission of a new issue. def hook (db, **kw): ''' set up callback for db open ''' p = [ - db.security.getPermission('Create', 'user'), + db.security.getPermission('Register', 'user'), db.security.getPermission('Email Access', None), + db.security.getPermission('Create', 'issue'), + db.security.getPermission('Create', 'msg'), ] - db.security.role['anonymous'].permissions=p + db.security.role['anonymous'].permissions = p self.instance.schema_hook = hook self._handle_mail(message) m = set(self.db.user.list()) @@ -1153,7 +1155,11 @@ Content-Transfer-Encoding: 7bit -You are not a registered user. +You are not a registered user. Please register at: + +http://tracker.example/cgi-bin/roundup.cgi/bugs/user?template=register + +...before sending mail to the tracker. Unknown address: nonexisting@bork.bork.bork -- 2.30.2