From patchwork Thu Mar 15 03:15:14 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Zygmunt Krynicki
X-Patchwork-Id: 7302
X-Launchpad-Project: lava-dashboard
X-Launchpad-Branch: ~linaro-validation/lava-dashboard/trunk
X-Launchpad-Message-Rationale: Subscriber
X-Launchpad-Branch-Revision-Number: 303
X-Launchpad-Notification-Type: branch-revision
To: Linaro Patch Tracker
From: noreply@launchpad.net
Subject: [Branch ~linaro-validation/lava-dashboard/trunk] Rev 303: Merge fix for bug LP:#955669
Message-Id: <20120315031514.32261.68944.launchpad@ackee.canonical.com>
Date: Thu, 15 Mar 2012 03:15:14 -0000
Reply-To: noreply@launchpad.net
Sender: bounces@canonical.com
Errors-To: bounces@canonical.com
Precedence: bulk
X-Generated-By: Launchpad (canonical.com); Revision="14933"; Instance="launchpad-lazr.conf"

Merge authors:
  Zygmunt Krynicki (zkrynicki)
Related merge proposals:
  https://code.launchpad.net/~zkrynicki/lava-dashboard/fix-955669/+merge/97563
  proposed by: Zygmunt Krynicki (zkrynicki)
  review: Approve - Michael Hudson-Doyle (mwhudson)
------------------------------------------------------------
revno: 303 [merge]
committer: Zygmunt Krynicki
branch nick: trunk
timestamp: Thu 2012-03-15 04:12:20 +0100
message:
  Merge fix for bug LP:#955669
modified:
  dashboard_app/models.py
  dashboard_app/tests/models/bundle_stream.py
  dashboard_app/xmlrpc.py
  doc/changes.rst
  doc/index.rst
---
lp:lava-dashboard
https://code.launchpad.net/~linaro-validation/lava-dashboard/trunk

=== modified file 'dashboard_app/models.py'
--- dashboard_app/models.py	2012-01-30 09:53:38 +0000
+++ dashboard_app/models.py	2012-03-15 03:08:00 +0000
@@ -315,6 +315,12 @@ raise ValueError("Junk after pathname: %r" % pathname) return user, group, slug, is_public, is_anonymous + def can_upload(self, user): + """ + Return True if the user can upload bundles here + """ + return self.is_anonymous or self.is_owned_by(user) + class GzipFileSystemStorage(FileSystemStorage): === modified file 'dashboard_app/tests/models/bundle_stream.py' --- dashboard_app/tests/models/bundle_stream.py 2011-05-23 17:02:43 +0000 +++ dashboard_app/tests/models/bundle_stream.py 2012-03-15 03:08:00 +0000 @@ -22,9 +22,10 @@ from django.contrib.auth.models import User, Group from django.db import IntegrityError -from django_testscenarios.ubertest import TestCaseWithScenarios +from django_testscenarios.ubertest import TestCase, TestCaseWithScenarios from dashboard_app.models import BundleStream +from dashboard_app.tests import fixtures class BundleStreamTests(TestCaseWithScenarios): @@ -130,3 +131,21 @@ def test_unicode(self): obj = BundleStream(pathname=self.pathname) self.assertEqual(unicode(obj), self.pathname) + + +class BundleStreamPermissionTests(TestCase): + + def test_can_upload_to_anonymous(self): + user = User.objects.create(username='user') + bundle_stream = fixtures.create_bundle_stream("/anonymous/") + self.assertTrue(bundle_stream.can_upload(user)) + + def test_can_upload_to_owned_stream(self): + bundle_stream = fixtures.create_bundle_stream("/public/personal/owner/") + user = User.objects.get(username='owner') + self.assertTrue(bundle_stream.can_upload(user)) + + def test_can_upload_to_other_stream(self): + bundle_stream = fixtures.create_bundle_stream("/public/personal/owner/") + user = User.objects.create(username='non-owner') + self.assertFalse(bundle_stream.can_upload(user)) === modified file 'dashboard_app/xmlrpc.py' --- dashboard_app/xmlrpc.py 2011-09-26 21:12:40 +0000 +++ dashboard_app/xmlrpc.py 2012-03-15 03:09:06 +0000 
@@ -100,6 +100,9 @@ logging.debug("Bundle stream does not exists, aborting") raise xmlrpclib.Fault(errors.NOT_FOUND, "Bundle stream not found") + if not bundle_stream.can_upload(self.user): + raise xmlrpclib.Fault( + errors.FORBIDDEN, "You cannot upload to this stream") try: logging.debug("Creating bundle object") bundle = Bundle.objects.create_with_content(bundle_stream, self.user, content_filename, content) === modified file 'doc/changes.rst' --- doc/changes.rst 2012-02-16 01:16:48 +0000 +++ doc/changes.rst 2012-03-15 03:09:06 +0000 @@ -1,6 +1,16 @@ Version History *************** +.. _version_0_13: + +Version 0.13 (Unreleased) +========================= + +* Add :meth:`dashboard_app.BundleStream.can_upload()` that checks if user can + upload bundles to a specific stream. +* Fix bug that allowed unauthorised users to upload data to any bundle stream + they could see https://bugs.launchpad.net/lava-dashboard/+bug/955669 + .. _version_0_12: Version 0.12 === modified file 'doc/index.rst' --- doc/index.rst 2012-01-28 17:53:53 +0000 +++ doc/index.rst 2012-03-15 03:02:46 +0000 @@ -5,7 +5,7 @@ .. automodule:: dashboard_app .. seealso:: To get started quickly see :ref:`usage` -.. seealso:: See what's new in :ref:`version_0_6` +.. seealso:: See what's new in :ref:`version_0_13` Features ========
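Review bot: in the dashboard_app/models.py hunk, can_upload() hands the non-anonymous case to self.is_owned_by(user), which is outside this diff, so it is not visible whether that method copes with user being None; the xmlrpc.py hunk passes self.user straight in, and the diff does not show what that holds for a caller who never authenticated. Either guard here (return self.is_anonymous when user is None) or state in the docstring that callers must pass an authenticated user. The docstring should also spell out that an anonymous stream accepts uploads from anyone, since that open-write policy is the one thing a reader of this method most needs to know.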
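Review bot: the new BundleStreamPermissionTests in dashboard_app/tests/models/bundle_stream.py cover an anonymous stream, the owner and a non-owner, but not the two cases most likely to regress: a call with no user at all (what xmlrpc.py passes as self.user when nobody is authenticated) and a group-owned stream, even though the pathname parser in the models.py context lines returns a group alongside the user. A test for can_upload(None) on both an anonymous and a personal stream, plus a member/non-member pair for a group stream, would pin down is_owned_by for every branch the fix relies on. Also, test_can_upload_to_owned_stream depends on fixtures.create_bundle_stream creating the 'owner' user as a side effect; a one-line comment saying so would save the next reader a lookup.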
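Review bot: the refusal added in the dashboard_app/xmlrpc.py hunk is silent, while the not-found branch just above it logs before raising; a denied upload is exactly the event an operator checking whether bug 955669 is being probed would want to see, so add a logging call naming the user and the stream pathname before raising the FORBIDDEN fault. The placement is right: the check runs after the stream lookup, so a missing stream still yields NOT_FOUND, and before Bundle.objects.create_with_content, so nothing is stored when the caller is refused.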
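Review bot: the :meth: target `dashboard_app.BundleStream.can_upload()` in the doc/changes.rst hunk does not match where the method is defined; the first hunk adds it to dashboard_app/models.py, so the cross-reference should be `dashboard_app.models.BundleStream.can_upload` for Sphinx to resolve it, unless dashboard_app re-exports BundleStream, which this diff does not show. Minor wording: "checks if user can upload" should read "checks whether a user can upload", and the bug URL would read better after a colon than run into the end of the sentence.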