Most usage of `Feed` for display is via `FeedController` which will be mounted on a tool, so project-level and tool-level security will be there and prevent public viewing of private things. Except for when the artifact itself is what is private (e.g. a private ticket).
Another part is the `[[neighborhood_feeds]]` macro. [e3bfcbbda3aff23680cf5c25496326aafd9d9788] originally did permission checks by creating all the Feed items and then filtering them by permission. It was reverted for unknown reasons and replaced with the permission check at create-time. There is also the `[[neighborhood_blog_posts]]` macro which doesn't use feeds and could potentially replace `[[neighborhood_feeds]]` in many cases.

To ensure private tickets and the `[[neighborhood_feeds]]` keep working how they are now, and for simplicity, I think we should just keep the current implementation of checking permissions at create-time.

---

**[tickets:#8167] errors when updating blog post, if feed item doesn't exist**

**Status:** open
**Milestone:** unreleased
**Created:** Fri Oct 06, 2017 08:47 PM UTC by Dave Brondsema
**Last Updated:** Fri Oct 06, 2017 08:51 PM UTC
**Owner:** nobody

If you create a blog post with project/tool permissions such that the public cannot read it, then the "feed" item is not created (see `Feed.post` method). After that, if you go to delete or edit the blog post, it errors out because it tries to update the feed item also.

```
File '/var/local/allura/ForgeBlog/forgeblog/main.py', line 413 in save
  self.post.commit()
File '/var/local/allura/ForgeBlog/forgeblog/model/blog.py', line 261 in commit
  feed_item.title = self.title
AttributeError: 'NoneType' object has no attribute 'title'

File '/var/local/allura/Allura/allura/lib/patches.py', line 80 in without_trailing_slash
  return func(*args, **kwargs)
File '/var/local/allura/ForgeBlog/forgeblog/main.py', line 405 in save
  self.post.delete()
File '/var/local/allura/ForgeBlog/forgeblog/model/blog.py', line 313 in delete
  self.feed_item().delete()
AttributeError: 'NoneType' object has no attribute 'delete'
```

```
File '/var/local/allura/Allura/allura/lib/patches.py', line 80 in without_trailing_slash
  return func(*args, **kwargs)
File '/var/local/allura/ForgeBlog/forgeblog/main.py', line 413 in save
  self.post.commit()
File '/var/local/allura/ForgeBlog/forgeblog/model/blog.py', line 261 in commit
  feed_item.title = self.title
AttributeError: 'NoneType' object has no attribute 'title'
```
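A minimal model of the failure in the ticket, added here as an illustration and not taken from Allura's code: with the permission check at create-time, a missing feed item is a valid state, so update and delete paths have to tolerate it without creating one. The names `FeedStore`, `FeedItem`, `public_can_read`, `commit_unguarded` and `demo` are hypothetical stand-ins.

```python
# Simplified in-memory stand-in, NOT Allura's code; all names are hypothetical.
class FeedItem:
    def __init__(self, ref_id, title):
        self.ref_id, self.title = ref_id, title

class FeedStore:
    """Create-time permission check: no item is stored for non-public artifacts."""
    def __init__(self):
        self.items = {}
    def post(self, artifact):
        if not artifact.public_can_read:
            return None                      # nothing written, nothing to filter later
        item = FeedItem(artifact.ref_id, artifact.title)
        self.items[artifact.ref_id] = item
        return item
    def get(self, ref_id):
        return self.items.get(ref_id)        # None when post() skipped creation

class BlogPost:
    def __init__(self, ref_id, title, public_can_read, feed):
        self.ref_id, self.title = ref_id, title
        self.public_can_read, self.feed = public_can_read, feed
    def feed_item(self):
        return self.feed.get(self.ref_id)
    def commit_unguarded(self):
        self.feed_item().title = self.title  # AttributeError when the item is absent
    def commit(self):
        item = self.feed_item()
        if item is not None:                 # guard only; never create an item here
            item.title = self.title
    def delete(self):
        item = self.feed_item()
        if item is not None:
            del self.feed.items[item.ref_id]

def demo():
    feed = FeedStore()
    private = BlogPost("post-1", "draft", False, feed)   # constructed sample data
    public = BlogPost("post-2", "news", True, feed)
    feed.post(private)
    feed.post(public)
    try:
        private.commit_unguarded()
        crashed = False
    except AttributeError:
        crashed = True
    public.title = "news v2"
    private.commit()
    public.commit()
    private.delete()
    return crashed, feed.get("post-2").title, sorted(feed.items)
```

The guarded paths skip the feed update instead of creating an item, so the create-time permission decision still determines what ends up in the feed.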