Barry Warsaw pushed to branch master at mailman / Mailman
Commits:
407adc0e by Barry Warsaw at 2016-02-07T17:47:15-05:00
Prevent moderation of messages held for a different list.
Closes: #161
- - - - -
4 changed files:
- src/mailman/docs/NEWS.rst
- src/mailman/model/requests.py
- src/mailman/model/tests/test_requests.py
- src/mailman/rest/tests/test_moderation.py
Changes:
=====================================
src/mailman/docs/NEWS.rst
=====================================
--- a/src/mailman/docs/NEWS.rst
+++ b/src/mailman/docs/NEWS.rst
@@ -58,6 +58,7 @@ Bugs
address. (Closes #185)
* Fix membership query when multiple users are subscribed to a mailing list.
Reported by Darrell Kresge. (Closes: #190)
+ * Prevent moderation of messages held for a different list. (Closes: #161)
Configuration
-------------
=====================================
src/mailman/model/requests.py
=====================================
--- a/src/mailman/model/requests.py
+++ b/src/mailman/model/requests.py
@@ -113,7 +113,7 @@ class ListRequests:
@dbconnection
def get_request(self, store, request_id, request_type=None):
result = store.query(_Request).get(request_id)
- if result is None:
+ if result is None or result.mailing_list != self.mailing_list:
return None
if request_type is not None and result.request_type != request_type:
return None
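Review bot: The new `result.mailing_list != self.mailing_list` comparison scopes only `get_request`; `delete_request`, which the test file's context lines show being called on what appears to be the same class, is outside this hunk. If it also loads the row with a bare `store.query(_Request).get(request_id)`, it needs the same comparison. The check deserves a why-comment above it so a later refactor does not drop it as redundant, for example `# The id lookup is not scoped to a list; report another list's request as not found (#161).` Returning `None` rather than raising keeps the result indistinguishable from a nonexistent id, which is the right choice here. The body of `get_request` continues past the end of the hunk.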
=====================================
src/mailman/model/tests/test_requests.py
=====================================
--- a/src/mailman/model/tests/test_requests.py
+++ b/src/mailman/model/tests/test_requests.py
@@ -74,3 +74,10 @@ Something else.
with self.assertRaises(KeyError) as cm:
self._requests_db.delete_request(801)
self.assertEqual(cm.exception.args[0], 801)
+
+ def test_only_return_this_lists_requests(self):
+ # Issue #161: get_requests() returns requests that are not specific to
+ # the mailing list in question.
+ request_id = hold_message(self._mlist, self._msg)
+ bee = create_list('[email protected]')
+ self.assertIsNone(IListRequests(bee).get_request(request_id))
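Review bot: `test_only_return_this_lists_requests` asserts only the negative case, so it would also pass if `hold_message` returned an id that no list can resolve. Add a positive control before the final assertion: `self.assertIsNotNone(IListRequests(self._mlist).get_request(request_id))`. The comment names `get_requests()`, while the method under test is `get_request()`.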
=====================================
src/mailman/rest/tests/test_moderation.py
=====================================
--- a/src/mailman/rest/tests/test_moderation.py
+++ b/src/mailman/rest/tests/test_moderation.py
@@ -126,6 +126,29 @@ Something else.
self.assertEqual(content['total_size'], 1)
self.assertEqual(content['entries'][0]['request_id'], held_id)
+ def test_cant_get_other_lists_holds(self):
+ # Issue #161: It was possible to moderate a held message for another
+ # list via the REST API.
+ with transaction():
+ held_id = hold_message(self._mlist, self._msg)
+ create_list('[email protected]')
+ with self.assertRaises(HTTPError) as cm:
+ call_api('http://localhost:9001/3.0/lists/bee.example.com'
+ '/held/{}'.format(held_id))
+ self.assertEqual(cm.exception.code, 404)
+
+ def test_cant_moderate_other_lists_holds(self):
+ # Issue #161: It was possible to moderate a held message for another
+ # list via the REST API.
+ with transaction():
+ held_id = hold_message(self._mlist, self._msg)
+ create_list('[email protected]')
+ with self.assertRaises(HTTPError) as cm:
+ call_api('http://localhost:9001/3.0/lists/bee.example.com'
+ '/held/{}'.format(held_id),
+ dict(action='discard'))
+ self.assertEqual(cm.exception.code, 404)
+
class TestSubscriptionModeration(unittest.TestCase):
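Review bot: In `test_cant_moderate_other_lists_holds` the 404 status alone does not show that the `discard` had no effect on the held message. After the rejected call, the test should also assert that the message is still held for its own list, e.g. `self.assertIsNotNone(IListRequests(self._mlist).get_request(held_id))`, assuming `IListRequests` is or can be imported in this module, which the hunk does not show. `test_cant_get_other_lists_holds` repeats the moderation comment although it exercises a read; `# Issue #161: A held message could be read through another list's REST resource.` would describe it accurately.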
View it on GitLab:
https://gitlab.com/mailman/mailman/commit/407adc0e44c7487e78643c5185c49f1a1bedd7d6