kallithea Changeset - 216ed3859869

Changeset - 216ed3859869

Parent rev.

Child rev.

[Not reviewed]

default

0 4 0

Mads Kiilerich (mads) - 5 years ago 2020-10-29 14:48:03
mads@kiilerich.com

Grafted from: f2023707a875

lib: use auth functions directly - not through h

4 files changed with 15 insertions and 13 deletions:

kallithea/controllers/admin/gists.py

kallithea/controllers/changeset.py

kallithea/controllers/pullrequests.py

kallithea/model/pull_request.py

0 comments (0 inline, 0 general)

kallithea/controllers/admin/gists.py

➞

Show inline comments

@@ @@ -26,24 +26,25 @@ Original author and date, and relevant c @@
 """
 import logging
 import traceback
 import formencode.htmlfill
 from sqlalchemy.sql.expression import or_
 from tg import request, response
 from tg import tmpl_context as c
 from tg.i18n import ugettext as _
 from webob.exc import HTTPForbidden, HTTPFound, HTTPNotFound
 from kallithea.lib import auth
 from kallithea.lib import helpers as h
 from kallithea.lib.auth import LoginRequired
 from kallithea.lib.base import BaseController, jsonify, render
 from kallithea.lib.page import Page
 from kallithea.lib.utils2 import safe_int, safe_str, time_to_datetime
 from kallithea.lib.vcs.exceptions import NodeNotChangedError, VCSError
 from kallithea.lib.webutils import url
 from kallithea.model import db, meta
 from kallithea.model.forms import GistForm
 from kallithea.model.gist import GistModel
@@ @@ -147,25 +148,25 @@ class GistsController(BaseController): @@
             raise HTTPFound(location=url('new_gist'))
         raise HTTPFound(location=url('gist', gist_id=new_gist_id))
     @LoginRequired()
     def new(self, format='html'):
         self.__load_defaults()
         return render('admin/gists/new.html')
     @LoginRequired()
     def delete(self, gist_id):
         gist = GistModel().get_gist(gist_id)
         owner = gist.owner_id == request.authuser.user_id
-        if h.HasPermissionAny('hg.admin')() or owner:
+        if auth.HasPermissionAny('hg.admin')() or owner:
             GistModel().delete(gist)
             meta.Session().commit()
             h.flash(_('Deleted gist %s') % gist.gist_access_id, category='success')
         else:
             raise HTTPForbidden()
         raise HTTPFound(location=url('gists'))
     @LoginRequired(allow_default_user=True)
     def show(self, gist_id, revision='tip', format='html', f_path=None):
         c.gist = db.Gist.get_or_404(gist_id)

kallithea/controllers/changeset.py

➞

Show inline comments

@@ @@ -27,25 +27,25 @@ Original author and date, and relevant c @@
 import binascii
 import logging
 import traceback
 from collections import OrderedDict
 from tg import request, response
 from tg import tmpl_context as c
 from tg.i18n import ugettext as _
 from webob.exc import HTTPBadRequest, HTTPForbidden, HTTPNotFound
 import kallithea.lib.helpers as h
 from kallithea.lib import diffs, webutils
+from kallithea.lib import auth, diffs, webutils
 from kallithea.lib.auth import HasRepoPermissionLevelDecorator, LoginRequired
 from kallithea.lib.base import BaseRepoController, jsonify, render
 from kallithea.lib.graphmod import graph_data
 from kallithea.lib.utils import action_logger
 from kallithea.lib.utils2 import ascii_str, safe_str
 from kallithea.lib.vcs.backends.base import EmptyChangeset
 from kallithea.lib.vcs.exceptions import ChangesetDoesNotExistError, EmptyRepositoryError, RepositoryError
 from kallithea.model import db, meta
 from kallithea.model.changeset_status import ChangesetStatusModel
 from kallithea.model.comment import ChangesetCommentsModel
 from kallithea.model.pull_request import PullRequestModel
@@ @@ -82,27 +82,27 @@ def create_cs_pr_comment(repo_name, revi @@
     if (status or close_pr or delete) and (f_path or line_no):
         # status votes and closing is only possible in general comments
         raise HTTPBadRequest()
     if not allowed_to_change_status:
         if status or close_pr:
             h.flash(_('No permission to change status'), 'error')
             raise HTTPForbidden()
     if pull_request and delete == "delete":
         if (pull_request.owner_id == request.authuser.user_id or
             h.HasPermissionAny('hg.admin')() or
             h.HasRepoPermissionLevel('admin')(pull_request.org_repo.repo_name) or
             h.HasRepoPermissionLevel('admin')(pull_request.other_repo.repo_name)
             auth.HasPermissionAny('hg.admin')() or
             auth.HasRepoPermissionLevel('admin')(pull_request.org_repo.repo_name) or
             auth.HasRepoPermissionLevel('admin')(pull_request.other_repo.repo_name)
         ) and not pull_request.is_closed():
             PullRequestModel().delete(pull_request)
             meta.Session().commit()
             h.flash(_('Successfully deleted pull request %s') % pull_request_id,
                     category='success')
             return {
                'location': webutils.url('my_pullrequests'), # or repo pr list?
+            }
         raise HTTPForbidden()
     text = request.POST.get('text', '').strip()
@@ @@ -154,26 +154,26 @@ def create_cs_pr_comment(repo_name, revi @@
     return data
 def delete_cs_pr_comment(repo_name, comment_id):
     """Delete a comment from a changeset or pull request"""
     co = db.ChangesetComment.get_or_404(comment_id)
     if co.repo.repo_name != repo_name:
         raise HTTPNotFound()
     if co.pull_request and co.pull_request.is_closed():
         # don't allow deleting comments on closed pull request
         raise HTTPForbidden()
     owner = co.author_id == request.authuser.user_id
     repo_admin = h.HasRepoPermissionLevel('admin')(repo_name)
     if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
     repo_admin = auth.HasRepoPermissionLevel('admin')(repo_name)
     if auth.HasPermissionAny('hg.admin')() or repo_admin or owner:
         ChangesetCommentsModel().delete(comment=co)
         meta.Session().commit()
         return True
     else:
         raise HTTPForbidden()
 class ChangesetController(BaseRepoController):
     def _before(self, *args, **kwargs):
         super(ChangesetController, self)._before(*args, **kwargs)
         c.affected_files_cut_off = 60

kallithea/controllers/pullrequests.py

➞

Show inline comments

@@ @@ -27,25 +27,25 @@ Original author and date, and relevant c @@
 import logging
 import traceback
 import formencode
 import mercurial.unionrepo
 from tg import request
 from tg import tmpl_context as c
 from tg.i18n import ugettext as _
 from webob.exc import HTTPBadRequest, HTTPForbidden, HTTPFound, HTTPNotFound
 from kallithea.controllers.changeset import create_cs_pr_comment, delete_cs_pr_comment
 from kallithea.lib import diffs
+from kallithea.lib import auth, diffs
 from kallithea.lib import helpers as h
 from kallithea.lib.auth import HasRepoPermissionLevelDecorator, LoginRequired
 from kallithea.lib.base import BaseRepoController, jsonify, render
 from kallithea.lib.graphmod import graph_data
 from kallithea.lib.page import Page
 from kallithea.lib.utils2 import ascii_bytes, safe_bytes, safe_int
 from kallithea.lib.vcs.exceptions import ChangesetDoesNotExistError, EmptyRepositoryError
 from kallithea.lib.webutils import url
 from kallithea.model import db, meta
 from kallithea.model.changeset_status import ChangesetStatusModel
 from kallithea.model.comment import ChangesetCommentsModel
 from kallithea.model.forms import PullRequestForm, PullRequestPostForm
@@ @@ -373,26 +373,26 @@ class PullrequestsController(BaseRepoCon @@
         raise HTTPFound(location=pull_request.url())
     # pullrequest_post for PR editing
     @LoginRequired()
     @HasRepoPermissionLevelDecorator('read')
     def post(self, repo_name, pull_request_id):
         pull_request = db.PullRequest.get_or_404(pull_request_id)
         if pull_request.is_closed():
             raise HTTPForbidden()
         assert pull_request.other_repo.repo_name == repo_name
         # only owner or admin can update it
         owner = pull_request.owner_id == request.authuser.user_id
         repo_admin = h.HasRepoPermissionLevel('admin')(c.repo_name)
         if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):
         repo_admin = auth.HasRepoPermissionLevel('admin')(c.repo_name)
         if not (auth.HasPermissionAny('hg.admin')() or repo_admin or owner):
             raise HTTPForbidden()
         _form = PullRequestPostForm()().to_python(request.POST)
         cur_reviewers = set(pull_request.get_reviewer_users())
         new_reviewers = set(_get_reviewer(s) for s in _form['review_members'])
         old_reviewers = set(_get_reviewer(s) for s in _form['org_review_members'])
         other_added = cur_reviewers - old_reviewers
         other_removed = old_reviewers - cur_reviewers
         if other_added:

kallithea/model/pull_request.py

➞

Show inline comments

@@ @@ -23,24 +23,25 @@ Original author and date, and relevant c @@
 :author: marcink
 :copyright: (c) 2013 RhodeCode GmbH, and others.
 :license: GPLv3, see LICENSE.md for more details.
 """
 import datetime
 import logging
 import re
 from tg import request
 from tg.i18n import ugettext as _
 from kallithea.lib import auth
 from kallithea.lib import helpers as h
 from kallithea.lib.hooks import log_create_pullrequest
 from kallithea.lib.utils import extract_mentioned_users
 from kallithea.lib.utils2 import ascii_bytes
 from kallithea.model import db, meta
 from kallithea.model.notification import NotificationModel
 log = logging.getLogger(__name__)
 def _assert_valid_reviewers(seq):
@@ @@ -174,26 +175,26 @@ class CreatePullRequestAction(object): @@
     class AmbiguousAncestor(ValidationError):
         pass
     class Unauthorized(ValidationError):
         pass
     @staticmethod
     def is_user_authorized(org_repo, other_repo):
         """Performs authorization check with only the minimum amount of
         information needed for such a check, rather than a full command
         object.
         """
         if (h.HasRepoPermissionLevel('read')(org_repo.repo_name) and
             h.HasRepoPermissionLevel('read')(other_repo.repo_name)
         if (auth.HasRepoPermissionLevel('read')(org_repo.repo_name) and
             auth.HasRepoPermissionLevel('read')(other_repo.repo_name)
         ):
             return True
         return False
     def __init__(self, org_repo, other_repo, org_ref, other_ref, title, description, owner, reviewers):
         reviewers = set(reviewers)
         _assert_valid_reviewers(reviewers)
         (org_ref_type,
          org_ref_name,
          org_rev) = org_ref.split(':')
@@ @@ -296,25 +297,25 @@ class CreatePullRequestAction(object): @@
         log_create_pullrequest(pr.get_dict(), created_by)
         return pr
 class CreatePullRequestIterationAction(object):
     @staticmethod
     def is_user_authorized(old_pull_request):
         """Performs authorization check with only the minimum amount of
         information needed for such a check, rather than a full command
         object.
         """
-        if h.HasPermissionAny('hg.admin')():
+        if auth.HasPermissionAny('hg.admin')():
             return True
         # Authorized to edit the old PR?
         if request.authuser.user_id != old_pull_request.owner_id:
             return False
         # Authorized to create a new PR?
         if not CreatePullRequestAction.is_user_authorized(old_pull_request.org_repo, old_pull_request.other_repo):
             return False
         return True

0 comments (0 inline, 0 general)