Guruprasad has proposed merging 
~lgp171188/launchpad:restrict-project-announcement-forms-to-legitimate-users 
into launchpad:master.

Commit message:
Restrict the 'Add announcement' form access to legitimate pillar owners

Also hide the 'Make announcement' link on the pillar's
'News and announcements' page.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~lgp171188/launchpad/+git/launchpad/+merge/439224
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of 
~lgp171188/launchpad:restrict-project-announcement-forms-to-legitimate-users 
into launchpad:master.
diff --git a/lib/lp/registry/browser/announcement.py b/lib/lp/registry/browser/announcement.py
index 870e36c..0fdf84c 100644
--- a/lib/lp/registry/browser/announcement.py
+++ b/lib/lp/registry/browser/announcement.py
@@ -18,6 +18,7 @@ __all__ = [
 
 from zope.interface import Interface, implementer
 from zope.schema import Choice, TextLine
+from zope.security.interfaces import Unauthorized
 
 from lp import _
 from lp.app.browser.launchpadform import LaunchpadFormView, action
@@ -83,7 +84,10 @@ class AnnouncementMenuMixin:
     def announce(self):
         text = "Make announcement"
         summary = "Create an item of news for this project"
-        return Link("+announce", text, summary, icon="add")
+        link = Link("+announce", text, summary, icon="add")
+        if not current_user_can_announce(self.context):
+            link.enabled = False
+        return link
 
 
 class AnnouncementEditNavigationMenu(NavigationMenu, AnnouncementMenuMixin):
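Review bot: The link in `announce()` is gated by `current_user_can_announce(self.context)`, while the form in `AnnouncementAddView.initialize` is gated by `check_permission("launchpad.AnyLegitimatePerson", self.context)`. Two separate predicates for one decision can drift, leaving the link visible where the form refuses, or hidden where it would be accepted. Neither `current_user_can_announce` nor `check_permission` is imported or defined in the visible hunks, so confirm both are already in scope in this module; the only import added is `Unauthorized`. Consider routing both call sites through a single helper, and adding a comment above the new check such as `# Cosmetic only: the access decision is enforced in AnnouncementAddView.initialize.` so that nobody later treats the disabled link as the control.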
@@ -145,6 +149,11 @@ class AnnouncementAddView(LaunchpadFormView):
 
     custom_widget_publication_date = AnnouncementDateWidget
 
+    def initialize(self):
+        if not check_permission("launchpad.AnyLegitimatePerson", self.context):
+            raise Unauthorized
+        super().initialize()
+
     @action(_("Make announcement"), name="announce")
     def announce_action(self, action, data):
         """Registers a new announcement."""
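Review bot: The new `initialize()` tests only `launchpad.AnyLegitimatePerson`, whereas the commit message promises restriction to legitimate pillar owners. The ownership half presumably comes from the permission on the view's registration, which is not visible in this diff, so please confirm it and say so in a docstring, e.g. `"""Refuse the form unless the user holds launchpad.AnyLegitimatePerson; ownership is enforced by the view's registered permission."""`. Because the guard sits in the view, any other caller of the underlying announce method on the pillar is not covered by it. If such callers exist, the check belongs on the model or security adapter instead. The class body begins before this hunk and continues after it.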
diff --git a/lib/lp/registry/stories/announcements/xx-announcements.rst b/lib/lp/registry/stories/announcements/xx-announcements.rst
index dd9de2f..9161479 100644
--- a/lib/lp/registry/stories/announcements/xx-announcements.rst
+++ b/lib/lp/registry/stories/announcements/xx-announcements.rst
@@ -116,25 +116,69 @@ account with sufficient karma (config.launchpad.min_legitimate_karma).
     Traceback (most recent call last):
     ...
     zope.testbrowser.browser.LinkNotFoundError
+    >>> new_user_browser.open(
+    ...     "http://launchpad.test/new-product/+announcements";
+    ... )
+    >>> new_user_browser.getLink("Make announcement")
+    Traceback (most recent call last):
+    ...
+    zope.testbrowser.browser.LinkNotFoundError
 
     >>> new_user_browser.open("http://launchpad.test/new-distribution";)
     >>> new_user_browser.getLink("Make announcement")
     Traceback (most recent call last):
     ...
     zope.testbrowser.browser.LinkNotFoundError
+    >>> new_user_browser.open(
+    ...     "http://launchpad.test/new-distribution/+announcements";
+    ... )
+    >>> new_user_browser.getLink("Make announcement")
+    Traceback (most recent call last):
+    ...
+    zope.testbrowser.browser.LinkNotFoundError
 
     >>> new_user_browser.open("http://launchpad.test/new-project";)
     >>> new_user_browser.getLink("Make announcement")
     Traceback (most recent call last):
     ...
     zope.testbrowser.browser.LinkNotFoundError
-    >>> _ = config.pop("legitimate person")
+    >>> new_user_browser.open(
+    ...     "http://launchpad.test/new-project/+announcements";
+    ... )
+    >>> new_user_browser.getLink("Make announcement")
+    Traceback (most recent call last):
+    ...
+    zope.testbrowser.browser.LinkNotFoundError
+
+Only the users who can view the 'Make announcement' link can access the
+'Add announcement' form.
+
+    >>> new_user_browser.open("http://launchpad.test/new-product/+announce";)
+    Traceback (most recent call last):
+    ...
+    zope.security.interfaces.Unauthorized
+
+    >>> new_user_browser.open("http://launchpad.test/new-project/+announce";)
+    Traceback (most recent call last):
+    ...
+    zope.security.interfaces.Unauthorized
+
+    >>> new_user_browser.open(
+    ...     "http://launchpad.test/new-distribution/+announce";
+    ... )
+    Traceback (most recent call last):
+    ...
+    zope.security.interfaces.Unauthorized
 
     >>> priv_browser = setupBrowser(auth="Basic m...@example.com:test")
     >>> priv_browser.open("http://launchpad.test/ubuntu";)
     >>> link = priv_browser.getLink("Make announcement")
     >>> print(link.text)
     Make announcement
+    >>> link.click()
+    >>> print(priv_browser.url)
+    http://launchpad.test/ubuntu/+announce
+    >>> priv_browser.goBack()
 
     >>> priv_browser.getLink("Read all announcements").click()
     >>> link = priv_browser.getLink("Make announcement")
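Review bot: Every new negative case here uses `new_user_browser`, so the story only shows that one low-karma account is refused at `+announce` and sees no link on `+announcements`. It does not exercise the other half of "legitimate pillar owners": a user with sufficient karma who does not own the pillar requesting `/+announce` directly, nor an anonymous request. Adding those two cases would pin the behaviour that the view-level `AnyLegitimatePerson` check cannot guarantee on its own. The positive `priv_browser` cases assert only the resulting URL, so a short check that the form actually rendered, such as its title or submit button, would make them stricter.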
@@ -150,7 +194,11 @@ account with sufficient karma (config.launchpad.min_legitimate_karma).
     >>> link = priv_browser.getLink("Make announcement")
     >>> print(link.text)
     Make announcement
+    >>> link.click()
+    >>> print(priv_browser.url)
+    http://launchpad.test/firefox/+announce
 
+    >>> _ = config.pop("legitimate person")
 
 Following the action link takes you to a form where you can make the
 announcement: