Can now create a new note in a read-write-for-only-your-own-notes notebook.
This commit is contained in:
parent
388f2fcb02
commit
384166b4cc
|
@ -98,4 +98,6 @@ class Forums( object ):
|
|||
return result
|
||||
|
||||
# threads() is just an alias for Notebooks.default()
|
||||
threads = Notebooks.default
|
||||
def threads( self, *args, **kwargs ):
|
||||
return self.__notebooks.default( *args, **kwargs )
|
||||
threads.exposed = True
|
||||
|
|
|
@ -748,13 +748,14 @@ class Users( object ):
|
|||
return None
|
||||
|
||||
# if a particular note_id is given, and the notebook is READ_WRITE_FOR_OWN_NOTES, then check
|
||||
# that the user is associated with that note
|
||||
# that the user is associated with that note (if the note exists). this prevents a user
|
||||
# from modifying someone else's note in a READ_WRITE_FOR_OWN_NOTES notebook
|
||||
if note_id and notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
|
||||
note = self.__database.load( Note, note_id )
|
||||
if not note:
|
||||
return None
|
||||
|
||||
if user_id != note.user_id or notebook_id != note.notebook_id:
|
||||
if note and (
|
||||
( note.user_id and user_id != note.user_id ) or
|
||||
( note.notebook_id and notebook_id != note.notebook_id )
|
||||
):
|
||||
return None
|
||||
|
||||
return notebook
|
||||
|
|
|
@ -2412,6 +2412,48 @@ class Test_notebooks( Test_controller ):
|
|||
def test_save_new_startup_note( self ):
|
||||
self.test_save_new_note( startup = True )
|
||||
|
||||
def test_save_new_note_with_notebook_read_write_for_own_notes( self ):
|
||||
self.login()
|
||||
|
||||
self.database.execute( self.user.sql_update_access(
|
||||
self.notebook.object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = True,
|
||||
) )
|
||||
|
||||
# save a completely new note
|
||||
new_note = Note.create( "55", u"<h3>newest title</h3>foo" )
|
||||
previous_revision = new_note.revision
|
||||
result = self.http_post( "/notebooks/save_note/", dict(
|
||||
notebook_id = self.notebook.object_id,
|
||||
note_id = new_note.object_id,
|
||||
contents = new_note.contents,
|
||||
startup = False,
|
||||
previous_revision = None,
|
||||
), session_id = self.session_id )
|
||||
|
||||
assert result[ "new_revision" ]
|
||||
assert result[ "new_revision" ] != previous_revision
|
||||
assert result[ "new_revision" ].user_id == self.user.object_id
|
||||
assert result[ "new_revision" ].username == self.username
|
||||
assert result[ "previous_revision" ] == None
|
||||
user = self.database.load( User, self.user.object_id )
|
||||
assert user.storage_bytes > 0
|
||||
assert result[ "storage_bytes" ] == user.storage_bytes
|
||||
|
||||
# make sure the new title is now loadable
|
||||
result = self.http_post( "/notebooks/load_note_by_title/", dict(
|
||||
notebook_id = self.notebook.object_id,
|
||||
note_title = new_note.title,
|
||||
), session_id = self.session_id )
|
||||
|
||||
note = result[ "note" ]
|
||||
|
||||
assert note.object_id == new_note.object_id
|
||||
assert note.title == new_note.title
|
||||
assert note.contents == new_note.contents
|
||||
assert note.startup == True # startup is forced to True in READ_WRITE_FOR_OWN_NOTES notebook
|
||||
assert note.user_id == self.user.object_id
|
||||
assert note.rank == 0
|
||||
|
||||
def test_save_new_note_with_disallowed_tags( self ):
|
||||
self.login()
|
||||
|
||||
|
|
|
@ -974,7 +974,24 @@ class Test_users( Test_controller ):
|
|||
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = u"unknownid" )
|
||||
|
||||
assert notebook is None
|
||||
# an unknown note id indicates that a new note is being created, which is allowed in a
|
||||
# READ_WRITE_FOR_OWN_NOTES notebooks
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_with_stub_note( self ):
|
||||
# don't fully create a note, but reserve an id for it
|
||||
note_id = self.database.next_id( Note )
|
||||
|
||||
self.database.execute( self.user.sql_update_access(
|
||||
self.notebooks[ 0 ].object_id, read_write = Notebook.READ_WRITE_FOR_OWN_NOTES, owner = False,
|
||||
) )
|
||||
|
||||
notebook = cherrypy.root.users.load_notebook( self.user.object_id, self.notebooks[ 0 ].object_id,
|
||||
note_id = note_id )
|
||||
|
||||
assert notebook
|
||||
assert notebook.object_id == self.notebooks[ 0 ].object_id
|
||||
|
||||
def test_load_notebook_with_note_id_in_another_notebook( self ):
|
||||
self.database.execute( self.user.sql_update_access(
|
||||
|
|
Reference in New Issue