Barry Warsaw pushed to branch release-3.0 at mailman / Mailman
Commits:
adfd3ca3 by Barry Warsaw at 2016-02-07T22:51:21-05:00
Prevent moderation of messages held for a different list.
Closes: #161
- - - - -
73b66fd2 by Barry Warsaw at 2016-02-07T22:55:55-05:00
Move NEWS to the correct section.
- - - - -
4 changed files:
- src/mailman/docs/NEWS.rst
- src/mailman/model/requests.py
- src/mailman/model/tests/test_requests.py
- src/mailman/rest/tests/test_moderation.py
Changes:
=====================================
src/mailman/docs/NEWS.rst
=====================================
--- a/src/mailman/docs/NEWS.rst
+++ b/src/mailman/docs/NEWS.rst
@@ -24,6 +24,7 @@ Bugs
store. Given by Aurélien Bompard, tweaked by Barry Warsaw. (Closes: #167)
* Fix membership query when multiple users are subscribed to a mailing list.
Reported by Darrell Kresge. (Closes: #190)
+ * Prevent moderation of messages held for a different list. (Closes: #161)
Interfaces
----------
=====================================
src/mailman/model/requests.py
=====================================
--- a/src/mailman/model/requests.py
+++ b/src/mailman/model/requests.py
@@ -112,7 +112,7 @@ class ListRequests:
@dbconnection
def get_request(self, store, request_id, request_type=None):
result = store.query(_Request).get(request_id)
- if result is None:
+ if result is None or result.mailing_list != self.mailing_list:
return None
if request_type is not None and result.request_type != request_type:
return None
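Review bot: The new `result.mailing_list != self.mailing_list` test in `get_request` is the only ownership check visible here, so it is worth confirming that every other `ListRequests` method that accepts a `request_id` applies the same scoping. One example is `delete_request`, which the model test calls and whose body is not shown. The lookup on the line above is by id alone and not filtered by list, so the condition is now an authorization boundary and deserves a comment, for example `# Lookup is by id only; treat a request held for another list as not found (#161).` Returning `None` for both the missing and the foreign case is a sound choice, because the caller cannot tell that the id exists on another list. The body of `get_request` continues past the end of the hunk.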
=====================================
src/mailman/model/tests/test_requests.py
=====================================
--- a/src/mailman/model/tests/test_requests.py
+++ b/src/mailman/model/tests/test_requests.py
@@ -74,3 +74,10 @@ Something else.
with self.assertRaises(KeyError) as cm:
self._requests_db.delete_request(801)
self.assertEqual(cm.exception.args[0], 801)
+
+ def test_only_return_this_lists_requests(self):
+ # Issue #161: get_requests() returns requests that are not specific to
+ # the mailing list in question.
+ request_id = hold_message(self._mlist, self._msg)
+ bee = create_list('[email protected]')
+ self.assertIsNone(IListRequests(bee).get_request(request_id))
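Review bot: The comment in `test_only_return_this_lists_requests` names `get_requests()`, but the method under test is `get_request()`; it should read `# Issue #161: get_request() returned requests held for a different mailing list.` The test also asserts only the negative case. Adding `self.assertIsNotNone(IListRequests(self._mlist).get_request(request_id))` would pin that the owning list can still retrieve its own request, so an over-strict check could not pass unnoticed. The enclosing test class starts outside the hunk.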
=====================================
src/mailman/rest/tests/test_moderation.py
=====================================
--- a/src/mailman/rest/tests/test_moderation.py
+++ b/src/mailman/rest/tests/test_moderation.py
@@ -97,6 +97,29 @@ Something else.
call_api(url, dict(action='discard'))
self.assertEqual(cm.exception.code, 404)
+ def test_cant_get_other_lists_holds(self):
+ # Issue #161: It was possible to moderate a held message for another
+ # list via the REST API.
+ with transaction():
+ held_id = hold_message(self._mlist, self._msg)
+ create_list('[email protected]')
+ with self.assertRaises(HTTPError) as cm:
+ call_api('http://localhost:9001/3.0/lists/bee.example.com'
+ '/held/{}'.format(held_id))
+ self.assertEqual(cm.exception.code, 404)
+
+ def test_cant_moderate_other_lists_holds(self):
+ # Issue #161: It was possible to moderate a held message for another
+ # list via the REST API.
+ with transaction():
+ held_id = hold_message(self._mlist, self._msg)
+ create_list('[email protected]')
+ with self.assertRaises(HTTPError) as cm:
+ call_api('http://localhost:9001/3.0/lists/bee.example.com'
+ '/held/{}'.format(held_id),
+ dict(action='discard'))
+ self.assertEqual(cm.exception.code, 404)
+
class TestSubscriptionModeration(unittest.TestCase):
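Review bot: `test_cant_moderate_other_lists_holds` stops at the 404 and does not verify that the rejected `discard` left the held message untouched. A follow-up assertion that the message is still held on the owning list would catch a handler that returns an error but still changes the request. That could be a GET on the owning list's `/held/{id}` resource, assuming it is served the same way. The two new tests also carry an identical comment, although `test_cant_get_other_lists_holds` covers reading rather than moderating; `# Issue #161: a held message could be read through another list's REST resource.` would distinguish them. The test class these methods belong to starts outside the hunk.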
View it on GitLab:
https://gitlab.com/mailman/mailman/compare/14746ad252ce8d4bcea8a4b1d8bee392da281b04...73b66fd22fab87c064baee28b91dfa77f20d9050