From patchwork Thu Jun 14 05:42:11 2012
X-Patchwork-Submitter: Michael-Doyle Hudson
X-Patchwork-Id: 9275
X-Launchpad-Project: lava-scheduler
X-Launchpad-Branch: ~linaro-validation/lava-scheduler/trunk
X-Launchpad-Message-Rationale: Subscriber
X-Launchpad-Branch-Revision-Number: 178
X-Launchpad-Notification-Type: branch-revision
To: Linaro Patch Tracker
From: noreply@launchpad.net Subject: [Branch ~linaro-validation/lava-scheduler/trunk] Rev 178: return a 403 not a 404 when viewing a job you are not permitted to see Message-Id: <20120614054211.26921.91619.launchpad@ackee.canonical.com> Date: Thu, 14 Jun 2012 05:42:11 -0000 Reply-To: noreply@launchpad.net Sender: bounces@canonical.com Errors-To: bounces@canonical.com Precedence: bulk X-Generated-By: Launchpad (canonical.com); Revision="15405"; Instance="launchpad-lazr.conf" X-Launchpad-Hash: a6952789e752d9fa47282f44c3c2ab492789a7ba X-Gm-Message-State: ALoCoQkpMpmvSJ8qVs+Cpku68JFpaXFOn+gZtC+ocMj0059aaP8lzyJRAM1RRNy+djvfbLpl3AGj Merge authors: Michael Hudson-Doyle (mwhudson) Related merge proposals: https://code.launchpad.net/~mwhudson/lava-scheduler/http-403-on-private-job-bug-1003817/+merge/107329 proposed by: Michael Hudson-Doyle (mwhudson) review: Approve - Andy Doan (doanac) ------------------------------------------------------------ revno: 178 [merge] committer: Michael Hudson-Doyle branch nick: trunk timestamp: Thu 2012-06-14 17:40:46 +1200 message: return a 403 not a 404 when viewing a job you are not permitted to see modified: lava_scheduler_app/views.py --- lp:lava-scheduler https://code.launchpad.net/~linaro-validation/lava-scheduler/trunk You are subscribed to branch lp:lava-scheduler. To unsubscribe from this branch go to https://code.launchpad.net/~linaro-validation/lava-scheduler/trunk/+edit-subscription === modified file 'lava_scheduler_app/views.py' --- lava_scheduler_app/views.py 2012-06-04 21:09:38 +0000 +++ lava_scheduler_app/views.py 2012-06-14 05:28:44 +0000 @@ -7,6 +7,7 @@ from dateutil.relativedelta import relativedelta from django.conf import settings +from django.core.exceptions import PermissionDenied from django.core.urlresolvers import reverse from django.db.models import Count from django.http import ( 
@@ -207,8 +208,10 @@ RequestContext(request)) def get_restricted_job(user, pk): - return get_object_or_404( - TestJob.objects.accessible_by_principal(user), pk=pk) + job = get_object_or_404(TestJob.objects, pk=pk) + if not job.is_accessible_by(user): + raise PermissionDenied() + return job class DeviceTypeTable(DataTablesTable):
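Review bot: In get_restricted_job, calling get_object_or_404(TestJob.objects, pk=pk) before the is_accessible_by(user) check means the status code now tells a caller without access whether a given pk exists (403) or does not (404), so the response distinguishes private jobs from missing ones where the old filtered lookup returned 404 for both. The commit message says this is the intended behaviour, so record that trade-off in a docstring on get_restricted_job and confirm that the 403 response renders nothing taken from the job object. The access decision has also moved from the queryset filter accessible_by_principal(user) to the instance method is_accessible_by(user); if any other code still uses the filter, a test asserting that the two agree for the same user and job would stop the rules drifting apart. No test accompanies the change in this diff; one that covers the 403 for a user who is not permitted and the 404 for a pk that does not exist would pin the new behaviour.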