From 218fe3995cb6aa3adab66b8455806807fd8c048e Mon Sep 17 00:00:00 2001
From: Dan Helfman <dan@luminotes.com>
Date: Wed, 17 Oct 2007 01:47:46 +0000
Subject: [PATCH] Bug fix. Repro: Try making a link to a note that doesn't
 exist yet, then click on the link. Delete the new note. Then go back to the
 first message, and click after the link, so the link's pulldown shows. You'll
 get this error message: "Sorry, you don't have access to do that."

The fix was to look for the cases when the deleted note is either in the trash
or deleted "forever", and then return None for the note value (instead of just
raising an Access_error).
---
 controller/Notebooks.py           | 29 ++++++++++++++++++++++++++++-
 controller/test/Test_notebooks.py | 26 +++++++++++++++++++++-----
 2 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/controller/Notebooks.py b/controller/Notebooks.py
index 435318f..4fd219a 100644
--- a/controller/Notebooks.py
+++ b/controller/Notebooks.py
@@ -115,7 +115,10 @@ class Notebooks( object ):
     if note_id:
       note = self.__database.load( Note, note_id, revision )
       if note and note.notebook_id != notebook_id:
-        raise Access_error()
+        if note.notebook_id == notebook.trash_id:
+          note = None
+        else:
+          raise Access_error()
     else:
       note = None
 
@@ -158,7 +161,19 @@ class Notebooks( object ):
 
     note = self.__database.load( Note, note_id, revision )
 
+    # if the note has no notebook, it has been deleted "forever"
+    if note and note.notebook_id is None:
+      return dict(
+        note = None,
+      )
+
     if note and note.notebook_id != notebook_id:
+      notebook = self.__database.load( Notebook, notebook_id )
+      if notebook and note.notebook_id == notebook.trash_id:
+        return dict(
+          note = None,
+        )
+
       raise Access_error()
 
     return dict(
@@ -268,8 +283,20 @@ class Notebooks( object ):
     note = self.__database.load( Note, note_id )
 
     if note:
+      if note and note.notebook_id is None:
+        return dict(
+          revisions = None,
+        )
+
       if note.notebook_id != notebook_id:
+        notebook = self.__database.load( Notebook, notebook_id )
+        if notebook and note.notebook_id == notebook.trash_id:
+          return dict(
+            revisions = None,
+          )
+
         raise Access_error()
+
       revisions = self.__database.select_many( unicode, note.sql_load_revisions() )
     else:
       revisions = None
diff --git a/controller/test/Test_notebooks.py b/controller/test/Test_notebooks.py
index b99f0d4..f6b68cd 100644
--- a/controller/test/Test_notebooks.py
+++ b/controller/test/Test_notebooks.py
@@ -336,6 +336,22 @@ class Test_notebooks( Test_controller ):
     user = self.database.load( User, self.user.object_id )
     assert user.storage_bytes == 0
 
+  def test_load_note_without_notebook( self ):
+    self.login()
+
+    self.note.notebook_id = None
+    self.database.save( self.note )
+
+    result = self.http_post( "/notebooks/load_note/", dict(
+      notebook_id = self.notebook.object_id,
+      note_id = self.note.object_id,
+    ), session_id = self.session_id )
+
+    note = result[ "note" ]
+    assert note == None
+    user = self.database.load( User, self.user.object_id )
+    assert user.storage_bytes == 0
+
   def test_load_note_by_title( self ):
     self.login()
 
@@ -1010,7 +1026,7 @@ class Test_notebooks( Test_controller ):
       note_id = self.note.object_id,
     ), session_id = self.session_id )
 
-    assert "access" in result.get( "error" )
+    assert result[ "note" ] is None
 
   def test_delete_note_from_trash( self ):
     self.login()
@@ -1041,7 +1057,7 @@ class Test_notebooks( Test_controller ):
       note_id = self.note.object_id,
     ), session_id = self.session_id )
 
-    assert "access" in result.get( "error" )
+    assert result.get( "note" ) is None
 
   def test_delete_note_without_login( self ):
     result = self.http_post( "/notebooks/delete_note/", dict(
@@ -1260,14 +1276,14 @@ class Test_notebooks( Test_controller ):
       note_id = self.note.object_id,
     ), session_id = self.session_id )
 
-    assert "access" in result.get( "error" )
+    assert result[ "note" ] is None
 
     result = self.http_post( "/notebooks/load_note/", dict(
       notebook_id = self.notebook.object_id,
       note_id = self.note2.object_id,
     ), session_id = self.session_id )
 
-    assert "access" in result.get( "error" )
+    assert result[ "note" ] is None
 
   def test_delete_all_notes_from_trash( self ):
     self.login()
@@ -1292,7 +1308,7 @@ class Test_notebooks( Test_controller ):
       note_id = self.note.object_id,
     ), session_id = self.session_id )
 
-    assert "access" in result.get( "error" )
+    assert result.get( "note" ) is None
 
   def test_delete_all_notes_without_login( self ):
     result = self.http_post( "/notebooks/delete_all_notes/", dict(