Guruprasad has proposed merging ~lgp171188/launchpad:restrict-project-announcement-forms-to-legitimate-users into launchpad:master.
Commit message: Restrict the 'Add announcement' form access to legitimate pillar owners Also hide the 'Make announcement' link on the pillar's 'News and announcements' page. Requested reviews: Launchpad code reviewers (launchpad-reviewers) For more details, see: https://code.launchpad.net/~lgp171188/launchpad/+git/launchpad/+merge/439224 -- Your team Launchpad code reviewers is requested to review the proposed merge of ~lgp171188/launchpad:restrict-project-announcement-forms-to-legitimate-users into launchpad:master.
diff --git a/lib/lp/registry/browser/announcement.py b/lib/lp/registry/browser/announcement.py index 870e36c..0fdf84c 100644 --- a/lib/lp/registry/browser/announcement.py +++ b/lib/lp/registry/browser/announcement.py @@ -18,6 +18,7 @@ __all__ = [ from zope.interface import Interface, implementer from zope.schema import Choice, TextLine +from zope.security.interfaces import Unauthorized from lp import _ from lp.app.browser.launchpadform import LaunchpadFormView, action @@ -83,7 +84,10 @@ class AnnouncementMenuMixin: def announce(self): text = "Make announcement" summary = "Create an item of news for this project" - return Link("+announce", text, summary, icon="add") + link = Link("+announce", text, summary, icon="add") + if not current_user_can_announce(self.context): + link.enabled = False + return link class AnnouncementEditNavigationMenu(NavigationMenu, AnnouncementMenuMixin): @@ -145,6 +149,11 @@ class AnnouncementAddView(LaunchpadFormView): custom_widget_publication_date = AnnouncementDateWidget + def initialize(self): + if not check_permission("launchpad.AnyLegitimatePerson", self.context): + raise Unauthorized + super().initialize() + @action(_("Make announcement"), name="announce") def announce_action(self, action, data): """Registers a new announcement.""" diff --git a/lib/lp/registry/stories/announcements/xx-announcements.rst b/lib/lp/registry/stories/announcements/xx-announcements.rst index dd9de2f..9161479 100644 --- a/lib/lp/registry/stories/announcements/xx-announcements.rst +++ b/lib/lp/registry/stories/announcements/xx-announcements.rst @@ -116,25 +116,69 @@ account with sufficient karma (config.launchpad.min_legitimate_karma). Traceback (most recent call last): ... zope.testbrowser.browser.LinkNotFoundError + >>> new_user_browser.open( + ... "http://launchpad.test/new-product/+announcements" + ... ) + >>> new_user_browser.getLink("Make announcement") + Traceback (most recent call last): + ... + zope.testbrowser.browser.LinkNotFoundError >>> new_user_browser.open("http://launchpad.test/new-distribution") >>> new_user_browser.getLink("Make announcement") Traceback (most recent call last): ... zope.testbrowser.browser.LinkNotFoundError + >>> new_user_browser.open( + ... "http://launchpad.test/new-distribution/+announcements" + ... ) + >>> new_user_browser.getLink("Make announcement") + Traceback (most recent call last): + ... + zope.testbrowser.browser.LinkNotFoundError >>> new_user_browser.open("http://launchpad.test/new-project") >>> new_user_browser.getLink("Make announcement") Traceback (most recent call last): ... zope.testbrowser.browser.LinkNotFoundError - >>> _ = config.pop("legitimate person") + >>> new_user_browser.open( + ... "http://launchpad.test/new-project/+announcements" + ... ) + >>> new_user_browser.getLink("Make announcement") + Traceback (most recent call last): + ... + zope.testbrowser.browser.LinkNotFoundError + +Only the users who can view the 'Make announcement' link can access the +'Add announcement' form. + + >>> new_user_browser.open("http://launchpad.test/new-product/+announce") + Traceback (most recent call last): + ... + zope.security.interfaces.Unauthorized + + >>> new_user_browser.open("http://launchpad.test/new-project/+announce") + Traceback (most recent call last): + ... + zope.security.interfaces.Unauthorized + + >>> new_user_browser.open( + ... "http://launchpad.test/new-distribution/+announce" + ... ) + Traceback (most recent call last): + ... + zope.security.interfaces.Unauthorized >>> priv_browser = setupBrowser(auth="Basic m...@example.com:test") >>> priv_browser.open("http://launchpad.test/ubuntu") >>> link = priv_browser.getLink("Make announcement") >>> print(link.text) Make announcement + >>> link.click() + >>> print(priv_browser.url) + http://launchpad.test/ubuntu/+announce + >>> priv_browser.goBack() >>> priv_browser.getLink("Read all announcements").click() >>> link = priv_browser.getLink("Make announcement") @@ -150,7 +194,11 @@ account with sufficient karma (config.launchpad.min_legitimate_karma). >>> link = priv_browser.getLink("Make announcement") >>> print(link.text) Make announcement + >>> link.click() + >>> print(priv_browser.url) + http://launchpad.test/firefox/+announce + >>> _ = config.pop("legitimate person") Following the action link takes you to a form where you can make the announcement:
_______________________________________________ Mailing list: https://launchpad.net/~launchpad-reviewers Post to : launchpad-reviewers@lists.launchpad.net Unsubscribe : https://launchpad.net/~launchpad-reviewers More help : https://help.launchpad.net/ListHelp