Repository: allura
Updated Branches:
  refs/heads/master 7160b3427 -> 557b09ac6


[#4841] Prevents anonymous users from editing other anon comments, including 
their own.


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/557b09ac
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/557b09ac
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/557b09ac

Branch: refs/heads/master
Commit: 557b09ac6ed6183e53dfa2b6fb8bb43f5fa40ec6
Parents: 7160b34
Author: Kenton Taylor <ktay...@slashdotmedia.com>
Authored: Wed Feb 21 11:45:20 2018 -0500
Committer: Dave Brondsema <d...@brondsema.net>
Committed: Fri Feb 23 11:57:12 2018 -0500

----------------------------------------------------------------------
 Allura/allura/app.py                            |  2 +-
 Allura/allura/model/discuss.py                  |  5 +-
 .../tests/functional/test_forum.py              | 17 +++++
 .../033-change-comment-anon-permissions.py      | 66 ++++++++++++++++++++
 4 files changed, 87 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/557b09ac/Allura/allura/app.py
----------------------------------------------------------------------
diff --git a/Allura/allura/app.py b/Allura/allura/app.py
index 8db59dd..07b67d8 100644
--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -271,7 +271,7 @@ class Application(object):
     permissions_desc = {
         'unmoderated_post': 'Post comments without moderation.',
         'post': 'Post comments, subject to moderation.',
-        'moderate': 'Moderate comments.',
+        'moderate': 'Approve and edit all comments.',
         'configure': 'Set label and options. Requires admin permission.',
         'admin': 'Set permissions.',
     }

http://git-wip-us.apache.org/repos/asf/allura/blob/557b09ac/Allura/allura/model/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/discuss.py b/Allura/allura/model/discuss.py
index aff6607..32cf68e 100644
--- a/Allura/allura/model/discuss.py
+++ b/Allura/allura/model/discuss.py
@@ -726,8 +726,9 @@ class Post(Message, VersionedArtifact, ActivityObject):
         author = self.author()
         author_role = ProjectRole.by_user(
             author, project=self.project, upsert=True)
-        security.simple_grant(
-            self.acl, author_role._id, 'moderate')
+        if not author.is_anonymous():
+            security.simple_grant(
+                self.acl, author_role._id, 'moderate')
         self.commit()
         if (c.app.config.options.get('PostingPolicy') == 'ApproveOnceModerated'
                 and author._id != None):

http://git-wip-us.apache.org/repos/asf/allura/blob/557b09ac/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py 
b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
index 7a55965..3f20911 100644
--- a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
+++ b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
@@ -523,6 +523,7 @@ class TestForum(TestController):
         assert 'name="delete"' not in r
         assert 'name="approve"' not in r
         assert 'name="spam"' not in r
+        assert "Post content" not in r
         assert_equal(spam_checker.check.call_args[0][0], 'Test Thread\nPost 
content')
 
         # assert unapproved thread replies do not appear
@@ -559,6 +560,22 @@ class TestForum(TestController):
         link = '<a href="%s">[%s]</a>' % (post2.thread.url() + '?limit=25#' + 
post2.slug, post2.shorthand_id())
         assert link in r, link
 
+        # approve posts
+        r = self.app.post('/discussion/testforum/moderate/save_moderation', 
params={
+            'post-0._id': post._id,
+            'post-0.checked': 'on',
+            'approve': 'Approve Marked'})
+        post = FM.ForumPost.query.get(text='Post content')
+
+        # assert anon can't edit their original post
+        r = self.app.get(thread.request.url,
+                    extra_environ=dict(username='*anonymous'))
+        assert 'Post content' in r
+        post_container = r.html.find('div', {'id': post.slug})
+        btn_edit = post_container.find('a', {'title': 'Edit'})
+        assert not btn_edit
+
+
     @td.with_tool('test2', 'Discussion', 'discussion')
     @mock.patch('allura.model.discuss.g.spam_checker')
     def test_is_spam(self, spam_checker):

http://git-wip-us.apache.org/repos/asf/allura/blob/557b09ac/scripts/migrations/033-change-comment-anon-permissions.py
----------------------------------------------------------------------
diff --git a/scripts/migrations/033-change-comment-anon-permissions.py 
b/scripts/migrations/033-change-comment-anon-permissions.py
new file mode 100644
index 0000000..b5a710c
--- /dev/null
+++ b/scripts/migrations/033-change-comment-anon-permissions.py
@@ -0,0 +1,66 @@
+#       Licensed to the Apache Software Foundation (ASF) under one
+#       or more contributor license agreements.  See the NOTICE file
+#       distributed with this work for additional information
+#       regarding copyright ownership.  The ASF licenses this file
+#       to you under the Apache License, Version 2.0 (the
+#       "License"); you may not use this file except in compliance
+#       with the License.  You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#       Unless required by applicable law or agreed to in writing,
+#       software distributed under the License is distributed on an
+#       "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#       KIND, either express or implied.  See the License for the
+#       specific language governing permissions and limitations
+#       under the License.
+
+import sys
+import logging
+from ming.orm import ThreadLocalORMSession, session
+from pylons import tmpl_context as c
+from allura import model as M
+from forgediscussion.model import ForumPost
+from allura.lib import utils, security
+from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter, 
ArgumentTypeError
+
+
+log = logging.getLogger(__name__)
+
+
+def arguments():
+    parser = ArgumentParser(description="Args for changing anon comment 
permissions",
+                            formatter_class=ArgumentDefaultsHelpFormatter, )
+    parser.add_argument('shortname', help="shortname of project to change 
perms on")
+    parser.add_argument('toolname', help="toolname to change perms on")
+
+    args = parser.parse_args()
+    return args
+
+
+def main():
+    args = arguments()
+    
+    c.project = None # to avoid error in Artifact.__mongometa__.before_save
+    project = M.Project.query.get(shortname=args.shortname)
+    tool = project.app_config_by_tool_type(args.toolname)
+
+    for chunk in utils.chunked_find(ForumPost, {'app_config_id':tool._id}):
+        for p in chunk:
+            has_access = bool(security.has_access(p, 'moderate', 
M.User.anonymous()))
+
+            if has_access:
+                anon_role_id = None
+                for acl in p.acl:
+                    # find the anon moderate acl
+                    if acl.permission == 'moderate' and acl.access=='ALLOW':
+                        anon_role_id = acl.role_id
+
+                if anon_role_id:
+                    print "revoking anon moderate privelege for 
'{}'".format(p._id)
+                    security.simple_revoke(p.acl, anon_role_id, 'moderate')
+                    session(p).flush(p)
+
+
+if __name__ == '__main__':
+    main()

Reply via email to