
[Branch,~linaro-validation/lava-dashboard/trunk] Rev 303: Merge fix for bug LP:#955669

Message ID 20120315031514.32261.68944.launchpad@ackee.canonical.com
State Accepted

Commit Message

Zygmunt Krynicki March 15, 2012, 3:15 a.m. UTC
Merge authors:
  Zygmunt Krynicki (zkrynicki)
Related merge proposals:
  https://code.launchpad.net/~zkrynicki/lava-dashboard/fix-955669/+merge/97563
  proposed by: Zygmunt Krynicki (zkrynicki)
  review: Approve - Michael Hudson-Doyle (mwhudson)
------------------------------------------------------------
revno: 303 [merge]
committer: Zygmunt Krynicki <zygmunt.krynicki@linaro.org>
branch nick: trunk
timestamp: Thu 2012-03-15 04:12:20 +0100
message:
  Merge fix for bug LP:#955669
modified:
  dashboard_app/models.py
  dashboard_app/tests/models/bundle_stream.py
  dashboard_app/xmlrpc.py
  doc/changes.rst
  doc/index.rst


--
lp:lava-dashboard
https://code.launchpad.net/~linaro-validation/lava-dashboard/trunk

You are subscribed to branch lp:lava-dashboard.
To unsubscribe from this branch go to https://code.launchpad.net/~linaro-validation/lava-dashboard/trunk/+edit-subscription

Patch

=== modified file 'dashboard_app/models.py'
--- dashboard_app/models.py	2012-01-30 09:53:38 +0000
+++ dashboard_app/models.py	2012-03-15 03:08:00 +0000
@@ -315,6 +315,12 @@ 
             raise ValueError("Junk after pathname: %r" % pathname)
         return user, group, slug, is_public, is_anonymous
 
+    def can_upload(self, user):
+        """
+        Return True if the user can upload bundles here
+        """
+        return self.is_anonymous or self.is_owned_by(user)
+
 
 class GzipFileSystemStorage(FileSystemStorage):
 
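Review bot: The docstring on `can_upload` does not spell out the two rules its return line encodes, even though this method is now the authorisation decision for uploads. I would expand it to say that anonymous streams accept uploads from any caller, that every other stream requires `is_owned_by(user)` to hold, and whether `user` may be `None`. `is_owned_by` is defined outside this hunk, so how it treats a missing user or group membership cannot be confirmed from here. The enclosing class starts above the hunk.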

=== modified file 'dashboard_app/tests/models/bundle_stream.py'
--- dashboard_app/tests/models/bundle_stream.py	2011-05-23 17:02:43 +0000
+++ dashboard_app/tests/models/bundle_stream.py	2012-03-15 03:08:00 +0000
@@ -22,9 +22,10 @@ 
 
 from django.contrib.auth.models import User, Group
 from django.db import IntegrityError
-from django_testscenarios.ubertest import TestCaseWithScenarios
+from django_testscenarios.ubertest import TestCase, TestCaseWithScenarios
 
 from dashboard_app.models import BundleStream
+from dashboard_app.tests import fixtures
 
 
 class BundleStreamTests(TestCaseWithScenarios):
@@ -130,3 +131,21 @@ 
     def test_unicode(self):
         obj = BundleStream(pathname=self.pathname)
         self.assertEqual(unicode(obj), self.pathname)
+
+
+class BundleStreamPermissionTests(TestCase):
+
+    def test_can_upload_to_anonymous(self):
+        user = User.objects.create(username='user')
+        bundle_stream = fixtures.create_bundle_stream("/anonymous/")
+        self.assertTrue(bundle_stream.can_upload(user))
+
+    def test_can_upload_to_owned_stream(self):
+        bundle_stream = fixtures.create_bundle_stream("/public/personal/owner/")
+        user = User.objects.get(username='owner')
+        self.assertTrue(bundle_stream.can_upload(user))
+
+    def test_can_upload_to_other_stream(self):
+        bundle_stream = fixtures.create_bundle_stream("/public/personal/owner/")
+        user = User.objects.create(username='non-owner')
+        self.assertFalse(bundle_stream.can_upload(user))
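Review bot: The three new tests cover only anonymous and personal streams, so ownership through a group is never exercised via `can_upload`. `Group` is already imported in this file and the pathname parser in `models.py` returns a group, so a test with a member and a non-member of a group-owned stream would pin that rule, assuming membership is what `is_owned_by` checks. The access check itself is enforced in `dashboard_app/xmlrpc.py`, and nothing here asserts that the XML-RPC call raises a fault with `errors.FORBIDDEN` for a non-owner. A test at that level would guard against the check being moved or dropped later.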

=== modified file 'dashboard_app/xmlrpc.py'
--- dashboard_app/xmlrpc.py	2011-09-26 21:12:40 +0000
+++ dashboard_app/xmlrpc.py	2012-03-15 03:09:06 +0000
@@ -100,6 +100,9 @@ 
             logging.debug("Bundle stream does not exists, aborting")
             raise xmlrpclib.Fault(errors.NOT_FOUND,
                     "Bundle stream not found")
+        if not bundle_stream.can_upload(self.user):
+            raise xmlrpclib.Fault(
+                errors.FORBIDDEN, "You cannot upload to this stream")
         try:
             logging.debug("Creating bundle object")
             bundle = Bundle.objects.create_with_content(bundle_stream, self.user, content_filename, content)
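Review bot: The new FORBIDDEN branch raises without logging, unlike the NOT_FOUND branch just above it, which calls `logging.debug` first. A rejected upload is the event an operator would want to see when investigating misuse of the API, so I would add `logging.warning("Upload to %r denied for user %r", bundle_stream, self.user)` before the `raise`. The surrounding method starts and ends outside the hunk, so whether `self.user` can be `None` at this point is not visible.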

=== modified file 'doc/changes.rst'
--- doc/changes.rst	2012-02-16 01:16:48 +0000
+++ doc/changes.rst	2012-03-15 03:09:06 +0000
@@ -1,6 +1,16 @@ 
 Version History
 ***************
 
+.. _version_0_13:
+
+Version 0.13 (Unreleased)
+=========================
+
+* Add :meth:`dashboard_app.BundleStream.can_upload()` that checks if user can
+  upload bundles to a specific stream.
+* Fix bug that allowed unauthorised users to upload data to any bundle stream
+  they could see https://bugs.launchpad.net/lava-dashboard/+bug/955669
+
 .. _version_0_12:
 
 Version 0.12

=== modified file 'doc/index.rst'
--- doc/index.rst	2012-01-28 17:53:53 +0000
+++ doc/index.rst	2012-03-15 03:02:46 +0000
@@ -5,7 +5,7 @@ 
 .. automodule:: dashboard_app 
 
 .. seealso:: To get started quickly see :ref:`usage`
-.. seealso:: See what's new in :ref:`version_0_6`
+.. seealso:: See what's new in :ref:`version_0_13`
 
 Features
 ========