Barry Warsaw pushed to branch master at mailman / Mailman

Commits:
407adc0e by Barry Warsaw at 2016-02-07T17:47:15-05:00
Prevent moderation of messages held for a different list.

Closes: #161

- - - - -


4 changed files:

- src/mailman/docs/NEWS.rst
- src/mailman/model/requests.py
- src/mailman/model/tests/test_requests.py
- src/mailman/rest/tests/test_moderation.py


Changes:

=====================================
src/mailman/docs/NEWS.rst
=====================================
--- a/src/mailman/docs/NEWS.rst
+++ b/src/mailman/docs/NEWS.rst
@@ -58,6 +58,7 @@ Bugs
    address.  (Closes #185)
  * Fix membership query when multiple users are subscribed to a mailing list.
    Reported by Darrell Kresge.  (Closes: #190)
+ * Prevent moderation of messages held for a different list.  (Closes: #161)
 
 Configuration
 -------------


=====================================
src/mailman/model/requests.py
=====================================
--- a/src/mailman/model/requests.py
+++ b/src/mailman/model/requests.py
@@ -113,7 +113,7 @@ class ListRequests:
     @dbconnection
     def get_request(self, store, request_id, request_type=None):
         result = store.query(_Request).get(request_id)
-        if result is None:
+        if result is None or result.mailing_list != self.mailing_list:
             return None
         if request_type is not None and result.request_type != request_type:
             return None
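Review bot: The new guard on the `if result is None or ...` line makes a request held for a different list indistinguishable from a missing one (both yield None), which is the right shape for an ownership check, but `get_request` carries no docstring stating that contract; suggested docstring: `"""Return the request with this id, or None if it does not exist, is held for a different mailing list, or does not match request_type."""`. `delete_request`, exercised at the model level in the next file, is outside this hunk and I cannot see whether it received the same ownership check — if it still resolves by id alone, a caller could delete another list's request. `result.mailing_list != self.mailing_list` relies on the model's equality semantics; presumably `mailing_list` is a relationship and this compares ORM identity within the same store, which is fine but worth a one-line comment. `get_request`'s body continues past the end of the hunk.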


=====================================
src/mailman/model/tests/test_requests.py
=====================================
--- a/src/mailman/model/tests/test_requests.py
+++ b/src/mailman/model/tests/test_requests.py
@@ -74,3 +74,10 @@ Something else.
         with self.assertRaises(KeyError) as cm:
             self._requests_db.delete_request(801)
         self.assertEqual(cm.exception.args[0], 801)
+
+    def test_only_return_this_lists_requests(self):
+        # Issue #161: get_requests() returns requests that are not specific to
+        # the mailing list in question.
+        request_id = hold_message(self._mlist, self._msg)
+        bee = create_list('b...@example.com')
+        self.assertIsNone(IListRequests(bee).get_request(request_id))
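Review bot: The comment on the new test names `get_requests()` while the call under test is the singular `get_request()`; it should read `# Issue #161: get_request() returns requests that are not specific to the mailing list in question.`. The test pins only the negative case; adding `self.assertIsNotNone(self._requests_db.get_request(request_id))` would catch a regression where the new ownership guard rejects the owning list too — this presumes `self._requests_db` wraps `self._mlist`, as the `delete_request` call above suggests; confirm. The `'b...@example.com'` literal looks like archive-side address obfuscation of the real test address (the REST tests below use host `bee.example.com`), not a code defect. The enclosing test class starts outside the hunk.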


=====================================
src/mailman/rest/tests/test_moderation.py
=====================================
--- a/src/mailman/rest/tests/test_moderation.py
+++ b/src/mailman/rest/tests/test_moderation.py
@@ -126,6 +126,29 @@ Something else.
         self.assertEqual(content['total_size'], 1)
         self.assertEqual(content['entries'][0]['request_id'], held_id)
 
+    def test_cant_get_other_lists_holds(self):
+        # Issue #161: It was possible to moderate a held message for another
+        # list via the REST API.
+        with transaction():
+            held_id = hold_message(self._mlist, self._msg)
+            create_list('b...@example.com')
+        with self.assertRaises(HTTPError) as cm:
+            call_api('http://localhost:9001/3.0/lists/bee.example.com'
+                     '/held/{}'.format(held_id))
+        self.assertEqual(cm.exception.code, 404)
+
+    def test_cant_moderate_other_lists_holds(self):
+        # Issue #161: It was possible to moderate a held message for another
+        # list via the REST API.
+        with transaction():
+            held_id = hold_message(self._mlist, self._msg)
+            create_list('b...@example.com')
+        with self.assertRaises(HTTPError) as cm:
+            call_api('http://localhost:9001/3.0/lists/bee.example.com'
+                     '/held/{}'.format(held_id),
+                     dict(action='discard'))
+        self.assertEqual(cm.exception.code, 404)
+
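Review bot: `test_cant_moderate_other_lists_holds` asserts the 404 but not that the rejected `discard` left the message held for `self._mlist`, which is the property Issue #161 is about; after the `assertRaises` block, check that the owning list's hold survives, e.g. `self.assertIsNotNone(IListRequests(self._mlist).get_request(held_id))` if `IListRequests` is imported in this module, otherwise a GET on the owning list's held endpoint. Both new tests repeat the same `transaction()` setup; a small `_hold_and_create_bee()` helper returning `held_id` would keep them in step. The enclosing test class header is outside the hunk; the class ends at the blank lines before `TestSubscriptionModeration`.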
 
 
 class TestSubscriptionModeration(unittest.TestCase):



View it on GitLab: 
https://gitlab.com/mailman/mailman/commit/407adc0e44c7487e78643c5185c49f1a1bedd7d6