diff --git a/NEWS b/NEWS
index 2cefe73..02c3f43 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ character) titles from saving correctly.
 * Changed the literal quotation character in the starting wiki note to the """ character entity so it doesn't show up as a change in the diff.
+ * Fixed a bug where attempting to load a notebook preview without access
+ would give a "list index out of range" error instead of an access error.
 1.3.13: May 5, 2008
 * Instructions for enabling JavaScript, linked from various forms that
diff --git a/controller/Notebooks.py b/controller/Notebooks.py
index 9f6eb50..80f5b1d 100644
--- a/controller/Notebooks.py
+++ b/controller/Notebooks.py
@@ -105,6 +105,8 @@ class Notebooks( object ):
 result[ u"notebooks" ] = [ notebook for notebook in result[ "notebooks" ] if notebook.object_id == notebook_id ]
+ if len( result[ u"notebooks" ] ) == 0:
+ raise Access_error()
 result[ u"notebooks" ][ 0 ].owner = False
 elif preview == u"viewer":
 read_write = False
@@ -112,6 +114,8 @@ class Notebooks( object ):
 result[ u"notebooks" ] = [ notebook for notebook in result[ "notebooks" ] if notebook.object_id == notebook_id ]
+ if len( result[ u"notebooks" ] ) == 0:
+ raise Access_error()
 result[ u"notebooks" ][ 0 ].read_write = False
 result[ u"notebooks" ][ 0 ].owner = False
 elif preview in ( u"owner", u"default", None ):
diff --git a/controller/test/Test_notebooks.py b/controller/test/Test_notebooks.py
index 1b5c6fe..b927c9a 100644
--- a/controller/test/Test_notebooks.py
+++ b/controller/test/Test_notebooks.py
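Review bot: In controller/Notebooks.py the new empty-list guard is duplicated in the branch ahead of `elif preview == u"viewer":` (first hunk) and in the `viewer` branch (second hunk), so the access decision for previews now sits in two places and relies on `result[ "notebooks" ]` already being limited to notebooks the user may read, which is established outside these hunks. Consider doing the filter and the guard once before the `preview` branches, or at least commenting each guard, e.g. `# notebook_id is not among the notebooks this user can read: deny instead of indexing an empty list`. The test reads more idiomatically as `if not result[ u"notebooks" ]:`. The `owner`/`default` branch that opens at the end of the second hunk gets no guard in this commit and its body is outside the hunk, so confirm it rejects an inaccessible notebook_id by another path.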
@@ -345,6 +345,64 @@ class Test_notebooks( Test_controller ):
 user = self.database.load( User, self.user.object_id )
 assert user.storage_bytes == 0
+ def test_default_as_preview_viewer_without_login( self ):
+ path = "/notebooks/%s?preview=viewer" % self.notebook.object_id
+ result = self.http_get( path )
+
+ headers = result.get( "headers" )
+ assert headers
+ assert headers.get( "Location" ) == u"http:///login?after_login=%s" % urllib.quote( path )
+
+ def test_default_as_preview_collaborator_without_login( self ):
+ path = "/notebooks/%s?preview=collaborator" % self.notebook.object_id
+ result = self.http_get( path )
+
+ headers = result.get( "headers" )
+ assert headers
+ assert headers.get( "Location" ) == u"http:///login?after_login=%s" % urllib.quote( path )
+
+ def test_default_as_preview_owner_without_login( self ):
+ path = "/notebooks/%s?preview=owner" % self.notebook.object_id
+ result = self.http_get( path )
+
+ print result
+ headers = result.get( "headers" )
+ assert headers
+ assert headers.get( "Location" ) == u"http:///login?after_login=%s" % urllib.quote( path )
+
+ def test_default_as_preview_viewer_without_access( self ):
+ self.make_extra_notebooks()
+ self.login2()
+
+ result = self.http_get(
+ "/notebooks/%s?preview=viewer" % self.notebook2.object_id,
+ session_id = self.session_id,
+ )
+
+ assert u"access" in result.get( u"error" )
+
+ def test_default_as_preview_collaborator_without_access( self ):
+ self.make_extra_notebooks()
+ self.login2()
+
+ result = self.http_get(
+ "/notebooks/%s?preview=collaborator" % self.notebook2.object_id,
+ session_id = self.session_id,
+ )
+
+ assert u"access" in result.get( u"error" )
+
+ def test_default_as_preview_owner_without_access( self ):
+ self.make_extra_notebooks()
+ self.login2()
+
+ result = self.http_get(
+ "/notebooks/%s?preview=owner" % self.notebook2.object_id,
+ session_id = self.session_id,
+ )
+
+ assert u"access" in result.get( u"error" )
+
 def test_default_with_note( self ):
self.login()