This is an automated email from the ASF dual-hosted git repository. dill0wn pushed a commit to branch dw/no_private_projects in repository https://gitbox.apache.org/repos/asf/allura.git
commit 0f73d4a80349b6054c6e99ce836d1a6b96c69e95
Author: Dillon Walls <[email protected]>
AuthorDate: Wed Apr 7 13:56:36 2021 +0000
Prevent private projects by disallowing access to 'permissions' page
---
 Allura/allura/ext/admin/admin_main.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/Allura/allura/ext/admin/admin_main.py b/Allura/allura/ext/admin/admin_main.py
index 26380b2..7ef8842 100644
--- a/Allura/allura/ext/admin/admin_main.py
+++ b/Allura/allura/ext/admin/admin_main.py
@@ -43,7 +43,7 @@ from allura.app import Application, DefaultAdminController, SitemapEntry
 from allura.lib import helpers as h
 from allura import version
 from allura import model as M
-from allura.lib.security import has_access, require_access
+from allura.lib.security import has_access, require_access, is_site_admin
 from allura.lib.widgets import form_fields as ffw
 from allura.lib import exceptions as forge_exc
 from allura.lib import plugin
@@ -967,6 +967,13 @@ class ProjectAdminRestController(BaseController):
 class PermissionsController(BaseController):
     def _check_security(self):
+        # Do not allow access to 'permissions' page for root projects.
+        # Users should use 'groups' instead. This is to prevent creating 'private' projects
+        # - subprojects are still allowed.
+        # - site admins are still allowed.
+        # - tools pages are also still allowed, but are in a different controller
+        if c.project.is_root and not is_site_admin(c.user):
+            redirect('../groups')
         require_access(c.project, 'admin')
     @with_trailing_slash
