From b597484fce9397d4e9d4436aed3a6f57aaf71fc3 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: Jun 17 2018 14:38:44 +0000
Subject: Add support for making the issue tracker read-only


Fixes https://pagure.io/pagure/issue/3228

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

---

diff --git a/pagure/api/__init__.py b/pagure/api/__init__.py
index 0f006fe..0540acd 100644
--- a/pagure/api/__init__.py
+++ b/pagure/api/__init__.py
@@ -103,6 +103,7 @@ class APIERROR(enum.Enum):
         'this action'
     ENOSIGNEDOFF = 'This repo enforces that all commits are signed off ' \
         'by their author.'
+    ETRACKERREADONLY = 'The issue tracker of this project is read-only'
 
 
 def get_authorized_api_project(session, repo, user=None, namespace=None):
diff --git a/pagure/api/issue.py b/pagure/api/issue.py
index bf41220..765947e 100644
--- a/pagure/api/issue.py
+++ b/pagure/api/issue.py
@@ -64,6 +64,12 @@ def _check_issue_tracker(repo):
         raise pagure.exceptions.APIError(
             404, error_code=APIERROR.ETRACKERDISABLED)
 
+    # forbid all POST requests if the issue tracker is made read-only
+    if flask.request.method == 'POST' and \
+            repo.settings.get('issue_tracker_read_only', False):
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.ETRACKERREADONLY)
+
 
 def _check_token(repo, project_token=True):
     """Check if token is valid for the repo
diff --git a/pagure/decorators.py b/pagure/decorators.py
index a894eef..5e65215 100644
--- a/pagure/decorators.py
+++ b/pagure/decorators.py
@@ -26,6 +26,10 @@ def has_issue_tracker(function):
         repo = flask.g.repo
         if not repo.settings.get('issue_tracker', True):
             flask.abort(404, 'No issue tracker found for this project')
+        # forbid all POST requests if the issue tracker is made read-only
+        if flask.request.method == 'POST' and \
+                repo.settings.get('issue_tracker_read_only', False):
+            flask.abort(401, 'The issue tracker for this project is read-only')
         return function(*args, **kwargs)
 
     return check_issue_tracker
diff --git a/pagure/lib/model.py b/pagure/lib/model.py
index 6d2de48..2d35c6c 100644
--- a/pagure/lib/model.py
+++ b/pagure/lib/model.py
@@ -546,6 +546,7 @@ class Project(BASE):
             'roadmap_on_issues_page': False,
             'notify_on_pull-request_flag': False,
             'notify_on_commit_flag': False,
+            'issue_tracker_read_only': False,
         }
 
         if self._settings:
diff --git a/pagure/templates/issue.html b/pagure/templates/issue.html
index 1bfd757..d0dec58 100644
--- a/pagure/templates/issue.html
+++ b/pagure/templates/issue.html
@@ -80,7 +80,7 @@ namespace=repo.namespace, repo=repo.name, issueid=issueid)
       <div class="card-header">
 
         <section class="issue_comment add_comment">
-        {% if g.authenticated and form %}
+        {% if g.authenticated and form and not repo.settings.get('issue_tracker_read_only', False) %}
 
             <label for="comment"><strong>Add new comment</strong></label>
             <small class="text-muted pull-xs-right">
@@ -111,6 +111,10 @@ namespace=repo.namespace, repo=repo.name, issueid=issueid)
             <input type="submit" class="btn btn-primary"
               value="Update Issue" title="Comment and Update Metadata" tabindex=2 />
           </div>
+        {% elif g.authenticated and form and repo.settings.get('issue_tracker_read_only', False) %}
+          <p>
+            This issue tracker is read-only.
+          </p>
         {% else %}
           <p>
             <a href="{{ url_for('auth_login', next=request.url) }}">Login</a>
@@ -203,7 +207,8 @@ namespace=repo.namespace, repo=repo.name, issueid=issueid)
                 unassigned
               {% endif %}
               {% if g.authenticated and g.repo_user and issue.status|lower == 'open'
-                and (not issue.assignee or issue.assignee.username != g.fas_user.username) %}
+                and (not issue.assignee or issue.assignee.username != g.fas_user.username)
+                and not repo.settings.get('issue_tracker_read_only', False) %}
               <button class="btn btn-sm float-right" id="take-btn"
                 title="assign this issue to you">
                   Take
@@ -324,7 +329,8 @@ namespace=repo.namespace, repo=repo.name, issueid=issueid)
           <a class="btn btn-secondary issue-metadata-form editmetadatatoggle">
             Cancel
           </a>
-          {% if g.authenticated and (g.repo_user or g.fas_user.username == issue.user.user) %}
+          {% if g.authenticated and (g.repo_user or g.fas_user.username == issue.user.user)
+              and not repo.settings.get('issue_tracker_read_only', False) %}
             <a class="btn btn-outline-secondary issue-metadata-display editmetadatatoggle">
               Edit Metadata
             </a>
@@ -439,7 +445,7 @@ namespace=repo.namespace, repo=repo.name, issueid=issueid)
           <a class="btn btn-secondary issue-custom-form edit_custom_toggle">
             cancel
           </a>
-          {% if g.authenticated and g.repo_user %}
+          {% if g.authenticated and g.repo_user and not repo.settings.get('issue_tracker_read_only', False) %}
             <a class="btn btn-secondary issue-custom-display edit_custom_toggle">
               Edit Metadata
             </a>
diff --git a/pagure/templates/repo_master.html b/pagure/templates/repo_master.html
index c9bce25..e817f5f 100644
--- a/pagure/templates/repo_master.html
+++ b/pagure/templates/repo_master.html
@@ -63,7 +63,8 @@
         <div class="btn-group">
         {% if g.authenticated %}
           {% if repo.settings.get('issue_tracker', True)
-                and config.get('ENABLE_TICKETS', True)%}
+                and config.get('ENABLE_TICKETS', True)
+                and not repo.settings.get('issue_tracker_read_only', False) %}
             <a href="{{ url_for('ui_ns.new_issue',
                 repo=repo.name,
                 username=username,
diff --git a/pagure/templates/unauthorized.html b/pagure/templates/unauthorized.html
index 171c126..43ce0cf 100644
--- a/pagure/templates/unauthorized.html
+++ b/pagure/templates/unauthorized.html
@@ -10,6 +10,11 @@
     <div class="col-md-8">
       <h2>Unauthorized (401)</h2>
       <p>You are not authorized to display the requested page.</p>
+      {% if error.description %}
+      <div class="card-block">
+      <p>{{ error.description }}</p>
+      </div>
+      {% endif %}
       <p>If you're not logged in, try to login; if you're already done,
       that probably means you do not have sufficient access.</p>
     </div>
diff --git a/tests/test_pagure_flask_api_group.py b/tests/test_pagure_flask_api_group.py
index f6a793e..b1b6bf6 100644
--- a/tests/test_pagure_flask_api_group.py
+++ b/tests/test_pagure_flask_api_group.py
@@ -321,6 +321,7 @@ class PagureFlaskApiGroupTests(tests.SimplePagureTest):
                         "always_merge": False,
                         "fedmsg_notifications": True,
                         "issue_tracker": True,
+                        "issue_tracker_read_only": False,
                         "issues_default_to_private": False,
                         "notify_on_commit_flag": False,
                         "notify_on_pull-request_flag": False,
@@ -418,6 +419,7 @@ class PagureFlaskApiGroupTests(tests.SimplePagureTest):
                         "always_merge": False,
                         "fedmsg_notifications": True,
                         "issue_tracker": True,
+                        "issue_tracker_read_only": False,
                         "issues_default_to_private": False,
                         "notify_on_commit_flag": False,
                         "notify_on_pull-request_flag": False,
@@ -508,6 +510,7 @@ class PagureFlaskApiGroupTests(tests.SimplePagureTest):
                         "always_merge": False,
                         "fedmsg_notifications": True,
                         "issue_tracker": True,
+                        "issue_tracker_read_only": False,
                         "issues_default_to_private": False,
                         "notify_on_commit_flag": False,
                         "notify_on_pull-request_flag": False,
diff --git a/tests/test_pagure_flask_api_user.py b/tests/test_pagure_flask_api_user.py
index cc7d454..e16a723 100644
--- a/tests/test_pagure_flask_api_user.py
+++ b/tests/test_pagure_flask_api_user.py
@@ -132,6 +132,7 @@ class PagureFlaskApiUSertests(tests.Modeltests):
                         "always_merge": False,
                         "fedmsg_notifications": True,
                         "issue_tracker": True,
+                        "issue_tracker_read_only": False,
                         "issues_default_to_private": False,
                         "notify_on_commit_flag": False,
                         "notify_on_pull-request_flag": False,
@@ -185,6 +186,7 @@ class PagureFlaskApiUSertests(tests.Modeltests):
                         "always_merge": False,
                         "fedmsg_notifications": True,
                         "issue_tracker": True,
+                        "issue_tracker_read_only": False,
                         "issues_default_to_private": False,
                         "notify_on_commit_flag": False,
                         "notify_on_pull-request_flag": False,
@@ -237,6 +239,7 @@ class PagureFlaskApiUSertests(tests.Modeltests):
                         "always_merge": False,
                         "fedmsg_notifications": True,
                         "issue_tracker": True,
+                        "issue_tracker_read_only": False,
                         "issues_default_to_private": False,
                         "notify_on_commit_flag": False,
                         "notify_on_pull-request_flag": False,
diff --git a/tests/test_pagure_flask_ui_issues_read_only.py b/tests/test_pagure_flask_ui_issues_read_only.py
new file mode 100644
index 0000000..689324d
--- /dev/null
+++ b/tests/test_pagure_flask_ui_issues_read_only.py
@@ -0,0 +1,370 @@
+# -*- coding: utf-8 -*-
+
+"""
+ (c) 2018 - Copyright Red Hat Inc
+
+ Authors:
+   Pierre-Yves Chibon <pingou@pingoured.fr>
+
+"""
+
+from __future__ import unicode_literals
+
+import json
+import unittest
+import sys
+import os
+
+from mock import patch, MagicMock
+
+sys.path.insert(0, os.path.join(os.path.dirname(
+    os.path.abspath(__file__)), '..'))
+
+import pagure  # noqa
+import pagure.lib  # noqa
+import tests  # noqa
+
+
+class PagureFlaskIssuesReadOnlytests(tests.Modeltests):
+    """ Tests for flask issues controller of pagure with read-only tickets
+    """
+
+    @patch('pagure.lib.notify.send_email', MagicMock(return_value=True))
+    def setUp(self):
+        """ Set up the environnment, ran before every tests. """
+        super(PagureFlaskIssuesReadOnlytests, self).setUp()
+
+        tests.create_projects(self.session)
+        tests.create_projects_git(os.path.join(self.path, 'repos'))
+
+        # Make the project's issue tracker read-only
+        repo = pagure.lib.get_authorized_project(self.session, 'test')
+        settings = repo.settings
+        settings['issue_tracker_read_only'] = True
+        repo.settings = settings
+        self.session.add(repo)
+        self.session.commit()
+
+        # Create a couple of issue
+        msg = pagure.lib.new_issue(
+            session=self.session,
+            repo=repo,
+            title='Test issue #1',
+            content='We should work on this for the second time',
+            user='foo',
+            status='Open',
+            private=True,
+            ticketfolder=None
+        )
+        self.session.commit()
+        self.assertEqual(msg.title, 'Test issue #1')
+
+        msg = pagure.lib.new_issue(
+            session=self.session,
+            repo=repo,
+            title='Test issue #2',
+            content='We should work on this for the second time',
+            user='foo',
+            status='Open',
+            private=False,
+            ticketfolder=None
+        )
+        self.session.commit()
+        self.assertEqual(msg.title, 'Test issue #2')
+
+    def test_issue_list_authenticated_commit(self):
+        """ Test the list of issues when user is authenticated and has
+        access to the project.
+        """
+
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.get('/test/issues')
+            self.assertEqual(output.status_code, 200)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Issues - test - Pagure</title>', output_text)
+            self.assertIn(
+                '<h2>\n      2 Open Issues', output_text)
+
+    def test_field_comment(self):
+        """ Test if the field commit is present on the issue page.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.get('/test/issue/1')
+            self.assertEqual(output.status_code, 200)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Issue #1: Test issue #1 - test - Pagure</title>',
+                output_text)
+            self.assertNotIn(
+                'value="Update Issue" title="Comment and Update Metadata" '
+                'tabindex=2 />', output_text)
+            self.assertIn(
+                'This issue tracker is read-only.', output_text)
+
+    def test_update_ticket(self):
+        """ Test updating a ticket.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post(
+                '/test/issue/1/update', data={}, follow_redirects=True)
+            self.assertEqual(output.status_code, 401)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Unauthorized :\'( - Pagure</title>', output_text)
+            self.assertIn(
+                '<p>The issue tracker for this project is read-only</p>',
+                output_text)
+
+    def test_edit_comment(self):
+        """ Test editing a comment from a ticket.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post(
+                '/test/issue/1/comment/1/edit', data={},
+                follow_redirects=True)
+            self.assertEqual(output.status_code, 401)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Unauthorized :\'( - Pagure</title>', output_text)
+            self.assertIn(
+                '<p>The issue tracker for this project is read-only</p>',
+                output_text)
+
+    def test_edit_ticket(self):
+        """ Test editing a ticket.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post(
+                '/test/issue/1/edit', data={}, follow_redirects=True)
+            self.assertEqual(output.status_code, 401)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Unauthorized :\'( - Pagure</title>', output_text)
+            self.assertIn(
+                '<p>The issue tracker for this project is read-only</p>',
+                output_text)
+
+    def test_edit_tag(self):
+        """ Test editing a ticket tag.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/test/tag/tag1/edit', data={})
+            self.assertEqual(output.status_code, 401)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Unauthorized :\'( - Pagure</title>', output_text)
+            self.assertIn(
+                '<p>The issue tracker for this project is read-only</p>',
+                output_text)
+
+    def test_update_tags(self):
+        """ Test updating a ticket tag.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/test/update/tags', data={})
+            self.assertEqual(output.status_code, 401)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Unauthorized :\'( - Pagure</title>', output_text)
+            self.assertIn(
+                '<p>The issue tracker for this project is read-only</p>',
+                output_text)
+
+    def test_drop_tags(self):
+        """ Test dropping a ticket tag.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/test/droptag/', data={})
+            self.assertEqual(output.status_code, 401)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Unauthorized :\'( - Pagure</title>', output_text)
+            self.assertIn(
+                '<p>The issue tracker for this project is read-only</p>',
+                output_text)
+
+    def test_new_issue(self):
+        """ Test creating a new ticket.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/test/new_issue/', data={})
+            self.assertEqual(output.status_code, 401)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Unauthorized :\'( - Pagure</title>', output_text)
+            self.assertIn(
+                '<p>The issue tracker for this project is read-only</p>',
+                output_text)
+
+    def test_deleting_issue(self):
+        """ Test deleting a new ticket.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/test/issue/1/drop', data={})
+            self.assertEqual(output.status_code, 401)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Unauthorized :\'( - Pagure</title>', output_text)
+            self.assertIn(
+                '<p>The issue tracker for this project is read-only</p>',
+                output_text)
+
+    def test_uploading_to_issue(self):
+        """ Test uploading to a new ticket.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/test/issue/1/upload', data={})
+            self.assertEqual(output.status_code, 401)
+            output_text = output.get_data(as_text=True)
+            self.assertIn(
+                '<title>Unauthorized :\'( - Pagure</title>', output_text)
+            self.assertIn(
+                '<p>The issue tracker for this project is read-only</p>',
+                output_text)
+
+
+class PagureFlaskAPIIssuesReadOnlytests(PagureFlaskIssuesReadOnlytests):
+    """ Tests for flask API issues controller of pagure with read-only tickets
+    """
+
+    @patch('pagure.lib.notify.send_email', MagicMock(return_value=True))
+    def setUp(self):
+        """ Set up the environnment, ran before every tests. """
+        super(PagureFlaskAPIIssuesReadOnlytests, self).setUp()
+
+    def test_api_new_issue(self):
+        """ Test creating a new ticket.
+        """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/api/0/test/new_issue', data={})
+            self.assertEqual(output.status_code, 401)
+            data = json.loads(output.get_data(as_text=True))
+            self.assertEqual(
+                data,
+                {
+                    u'error': u'The issue tracker of this project is read-only',
+                    u'error_code': u'ETRACKERREADONLY'
+                }
+            )
+
+    def test_api_change_status_issue(self):
+        """ Test closing a ticket. """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/api/0/test/issue/1/status', data={})
+            self.assertEqual(output.status_code, 401)
+            data = json.loads(output.get_data(as_text=True))
+            self.assertEqual(
+                data,
+                {
+                    u'error': u'The issue tracker of this project is read-only',
+                    u'error_code': u'ETRACKERREADONLY'
+                }
+            )
+
+    def test_api_change_milestone_issue(self):
+        """ Test change the milestone of a ticket. """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/api/0/test/issue/1/milestone', data={})
+            self.assertEqual(output.status_code, 401)
+            data = json.loads(output.get_data(as_text=True))
+            self.assertEqual(
+                data,
+                {
+                    u'error': u'The issue tracker of this project is read-only',
+                    u'error_code': u'ETRACKERREADONLY'
+                }
+            )
+
+    def test_api_comment_issue(self):
+        """ Test comment on a ticket. """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/api/0/test/issue/1/comment', data={})
+            self.assertEqual(output.status_code, 401)
+            data = json.loads(output.get_data(as_text=True))
+            self.assertEqual(
+                data,
+                {
+                    u'error': u'The issue tracker of this project is read-only',
+                    u'error_code': u'ETRACKERREADONLY'
+                }
+            )
+
+    def test_api_assign_issue(self):
+        """ Test assigning a ticket. """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/api/0/test/issue/1/assign', data={})
+            self.assertEqual(output.status_code, 401)
+            data = json.loads(output.get_data(as_text=True))
+            self.assertEqual(
+                data,
+                {
+                    u'error': u'The issue tracker of this project is read-only',
+                    u'error_code': u'ETRACKERREADONLY'
+                }
+            )
+
+    def test_api_subscribe_issue(self):
+        """ Test subscribing to a ticket. """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/api/0/test/issue/1/subscribe', data={})
+            self.assertEqual(output.status_code, 401)
+            data = json.loads(output.get_data(as_text=True))
+            self.assertEqual(
+                data,
+                {
+                    u'error': u'The issue tracker of this project is read-only',
+                    u'error_code': u'ETRACKERREADONLY'
+                }
+            )
+
+    def test_api_update_custom_field(self):
+        """ Test updating a specific custom fields on a ticket. """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/api/0/test/issue/1/custom/foo', data={})
+            self.assertEqual(output.status_code, 401)
+            data = json.loads(output.get_data(as_text=True))
+            self.assertEqual(
+                data,
+                {
+                    u'error': u'The issue tracker of this project is read-only',
+                    u'error_code': u'ETRACKERREADONLY'
+                }
+            )
+
+    def test_api_update_custom_fields(self):
+        """ Test updating custom fields on a ticket. """
+        user = tests.FakeUser(username='pingou')
+        with tests.user_set(self.app.application, user):
+            output = self.app.post('/api/0/test/issue/1/custom', data={})
+            self.assertEqual(output.status_code, 401)
+            data = json.loads(output.get_data(as_text=True))
+            self.assertEqual(
+                data,
+                {
+                    u'error': u'The issue tracker of this project is read-only',
+                    u'error_code': u'ETRACKERREADONLY'
+                }
+            )
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/tests/test_pagure_lib_git.py b/tests/test_pagure_lib_git.py
index 1892b8a..82dffd0 100644
--- a/tests/test_pagure_lib_git.py
+++ b/tests/test_pagure_lib_git.py
@@ -1853,7 +1853,7 @@ new file mode 100644
 index 0000000..60f7480
 --- /dev/null
 +++ b/456
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,141 @@
 +{
 +    "assignee": null,
 +    "branch": "master",
@@ -1902,6 +1902,7 @@ index 0000000..60f7480
 +            "always_merge": false,
 +            "fedmsg_notifications": true,
 +            "issue_tracker": true,
++            "issue_tracker_read_only": false,
 +            "issues_default_to_private": false,
 +            "notify_on_commit_flag": false,
 +            "notify_on_pull-request_flag": false,
@@ -1958,6 +1959,7 @@ index 0000000..60f7480
 +            "always_merge": false,
 +            "fedmsg_notifications": true,
 +            "issue_tracker": true,
++            "issue_tracker_read_only": false,
 +            "issues_default_to_private": false,
 +            "notify_on_commit_flag": false,
 +            "notify_on_pull-request_flag": false,