From 354dc10f97d408a19a5a9b78e0ba4ffe0357a85f Mon Sep 17 00:00:00 2001 From: farhaanbukhsh Date: Apr 14 2017 10:32:36 +0000 Subject: Fix UI issuses and authorization issues --- diff --git a/pagure/lib/__init__.py b/pagure/lib/__init__.py index 07e3d14..ec4f932 100644 --- a/pagure/lib/__init__.py +++ b/pagure/lib/__init__.py @@ -1994,6 +1994,7 @@ def search_projects( model.TagProject.tag.in_(tags) ) + if pattern: pattern = pattern.replace('*', '%') if '%' in pattern: @@ -2015,7 +2016,6 @@ def search_projects( ).filter( model.Project.id.in_(projects.subquery()) ) - if private is False: query = query.filter( model.Project.private == False @@ -2029,6 +2029,11 @@ def search_projects( model.Project.private == True, model.Project.user_id == user2.id, user2.user == private, + ), + sqlalchemy.and_( + model.Project.private == True, + model.Project.id == model.ProjectUser.project_id, + model.ProjectUser.user_id == user2.id, ) ) ) diff --git a/pagure/ui/app.py b/pagure/ui/app.py index 8dad4f6..38eb61e 100644 --- a/pagure/ui/app.py +++ b/pagure/ui/app.py @@ -20,7 +20,7 @@ import pagure.lib.git import pagure.forms import pagure.ui.filters from pagure import (APP, SESSION, login_required, - authenticated, + authenticated, is_repo_admin, admin_session_timedout) @@ -42,10 +42,7 @@ def index(): limit = APP.config['ITEM_PER_PAGE'] start = limit * (page - 1) - if authenticated(): - private = flask.g.fas_user.username - else: - private = False + private = False repos = pagure.lib.search_projects( SESSION, 
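Review bot: The new `sqlalchemy.and_` branch in `search_projects` never ties `user2` to `private`: inside it `user2` is constrained only by `model.ProjectUser.user_id == user2.id`, while `user2.user == private` sits in the owner branch of the `or_`, so unless `user2` is pinned to `private` somewhere outside this hunk (its definition is not visible) any private project with at least one collaborator row satisfies the branch for every caller. Referencing `model.ProjectUser` without a join also pulls it into the FROM clause as a cross join, which can duplicate rows for the `model.Project.private == False` branch and inflate `count=True`. The minimal fix is to add `user2.user == private,` as a fourth condition of the new `and_`; a cleaner one is `model.Project.id.in_(session.query(model.ProjectUser.project_id).filter(model.ProjectUser.user_id == user2.id))` together with `user2.user == private`, which avoids the cross join. A test with two users and one private project that has a collaborator would catch both. `search_projects` starts and ends outside this hunk.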
@@ -99,31 +96,30 @@ def index_auth(): except ValueError: forkpage = 1 - private = flask.g.fas_user.username repos = pagure.lib.search_projects( SESSION, username=flask.g.fas_user.username, exclude_groups=APP.config.get('EXCLUDE_GROUP_INDEX'), - fork=False, private=private) + fork=False, private=flask.g.fas_user.username) + repos_length = pagure.lib.search_projects( SESSION, username=flask.g.fas_user.username, exclude_groups=APP.config.get('EXCLUDE_GROUP_INDEX'), fork=False, - count=True, - private=private) + count=True) forks = pagure.lib.search_projects( SESSION, username=flask.g.fas_user.username, fork=True, - private=private) + private=flask.g.fas_user.username) + forks_length = pagure.lib.search_projects( SESSION, username=flask.g.fas_user.username, fork=True, - count=True, - private=private) + count=True) watch_list = pagure.lib.user_watch_list( SESSION, @@ -185,10 +181,9 @@ def view_users(username=None): users = pagure.lib.search_user(SESSION, pattern=username) + private = False if authenticated(): private = flask.g.fas_user.username - else: - private = False if len(users) == 1: flask.flash('Only one result found, redirecting you to it') @@ -254,11 +249,10 @@ def view_projects(pattern=None, namespace=None): select = 'projects_forks' else: forks = False + private = False if authenticated(): private = flask.g.fas_user.username - else: - private = False limit = APP.config['ITEM_PER_PAGE'] start = limit * (page - 1) @@ -322,10 +316,9 @@ def view_user(username): repo_start = limit * (repopage - 1) fork_start = limit * (forkpage - 1) + private = False if authenticated(): private = flask.g.fas_user.username - else: - private = False repos = pagure.lib.search_projects( SESSION, diff --git a/pagure/ui/repo.py b/pagure/ui/repo.py index dac407b..945c3e4 100644 --- a/pagure/ui/repo.py +++ b/pagure/ui/repo.py 
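Review bot: In `index_auth`, the two `count=True` calls (`repos_length`, `forks_length`) drop the `private=` argument while `repos` and `forks` are fetched with `private=flask.g.fas_user.username`, so the list and its total are computed under different visibility filters. Because `search_projects` applies `model.Project.private == False` only when `private is False` and the username `or_` only when a username is given, the count either omits the user's own private projects or, if the default for `private` skips both filters, counts other people's private projects; either way the pagination total diverges from the rows rendered. Passing the same argument to both count calls, `count=True, private=flask.g.fas_user.username)`, keeps them consistent. `index_auth` continues outside the hunk.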
@@ -84,17 +84,8 @@ def view_repo(repo, username=None, namespace=None): if repo is None: flask.abort(404, 'Project not found') - users = [] - users.append(repo.user.username) - for user in repo.users: - users.append(user.username) - - auth_user = None - if authenticated(): - auth_user = flask.g.fas_user.username - - if repo.private and auth_user not in users: - flask.abort(403, 'Forbidden') + if repo.private and not is_repo_admin(repo): + flask.abort(401, 'Forbidden') reponame = pagure.get_repo_path(repo) @@ -902,9 +893,12 @@ def view_forks(repo, username=None, namespace=None): """ repo = flask.g.repo - if not repo: + if repo is None: flask.abort(404, 'Project not found') + if repo.private and not is_repo_admin(repo): + flask.abort(401, 'Forbidden') + return flask.render_template( 'forks.html', select='forks', @@ -1150,7 +1144,6 @@ def update_project(repo, username=None, namespace=None): flask.url_for('auth_login', next=url)) repo = flask.g.repo - if not flask.g.repo_admin: flask.abort( 403, @@ -1203,6 +1196,9 @@ def update_priorities(repo, username=None, namespace=None): repo = flask.g.repo + if repo.private and not is_repo_admin(repo): + flask.abort(401, 'Forbidden') + if not repo.settings.get('issue_tracker', True): flask.abort(404, 'No issue tracker found for this project') @@ -2238,6 +2234,9 @@ def view_docs(repo, username=None, filename=None, namespace=None): """ repo = flask.g.repo + if repo.private and not is_repo_admin(repo): + flask.abort(401, 'Forbidden') + if not APP.config.get('DOC_APP_URL'): flask.abort(404, 'This pagure instance has no doc server') @@ -2264,6 +2263,9 @@ def view_project_activity(repo, namespace=None): repo = flask.g.repo + if repo.private and not is_repo_admin(repo): + flask.abort(401, 'Forbidden') + return flask.render_template( 'activity.html', repo=repo,
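Review bot: `flask.abort(401, 'Forbidden')` in `view_repo` uses the wrong status code: 401 means the request lacks valid credentials (and is expected to carry `WWW-Authenticate`), while an authenticated user who is not a member of a private project is a 403, which the removed code returned. Both 401 and 403 also confirm that a project exists at that path, so private projects can be enumerated by probing URLs; `flask.abort(404, 'Project not found')` for anyone without access, matching the check just above it, leaks nothing. The removed code admitted the owner plus every entry in `repo.users`; whether `is_repo_admin(repo)` covers the same set (collaborators with non-admin access, group members) is not visible here, so confirm it does not lock out users who had access before. For unauthenticated visitors a redirect to `auth_login` with `next=` set, as `update_project` does, is friendlier than either code. The body of `view_repo` continues outside the hunk.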
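Review bot: The guard `if repo.private and not is_repo_admin(repo): flask.abort(401, 'Forbidden')` is duplicated verbatim in `view_repo`, `view_forks`, `update_priorities`, `view_docs` and `view_project_activity`, and any other route that reads `flask.g.repo` (commits, tree, blobs, issues, pull requests, the API) stays unguarded unless that happens elsewhere, which this diff does not show. A deny-by-default check in the code that populates `flask.g.repo` would cover every route, including ones added later; if per-route checks are kept, fold them into one helper such as `_abort_if_private(repo)` called at the top of each route, so the status code and message live in one place. The 401 chosen here is the code for missing credentials; for a logged-in non-member 403 (or 404, to avoid confirming that the private project exists) is the correct answer. `view_docs` continues outside the hunk.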