Disabled access to several controller methods for READ_WRITE_FOR_OWN_NOTES notebooks.
Also fixed some unit tests. Many other unit tests are forthcoming.
This commit is contained in:
parent
9aac28bbb5
commit
681e11e9a7
@ -18,6 +18,7 @@ from Users import grab_user_id, Access_error
from Expire import strongly_expire
from model.File import File
from model.User import User
from model.Notebook import Notebook
from model.Download_access import Download_access
from view.Upload_page import Upload_page
from view.Blank_page import Blank_page
@ -531,7 +532,9 @@ class Files( object ):
@return: rendered HTML page
@raise Access_error: the current user doesn't have access to the given notebook
"""
if not self.__users.load_notebook( user_id, notebook_id, read_write = True, note_id = note_id ):
notebook = self.__users.load_notebook( user_id, notebook_id, read_write = True, note_id = note_id )
if not notebook or notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
file_id = self.__database.next_id( File )
@ -565,7 +568,9 @@ class Files( object ):
@return: rendered HTML page
@raise Access_error: the current user doesn't have access to the given notebook
"""
if not self.__users.load_notebook( user_id, notebook_id, read_write = True ):
notebook = self.__users.load_notebook( user_id, notebook_id, read_write = True )
if not notebook or notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
file_id = self.__database.next_id( File )
@ -622,7 +627,9 @@ class Files( object ):
current_uploads_lock.release()
user = self.__database.load( User, user_id )
if not user or not self.__users.load_notebook( user_id, notebook_id, read_write = True ):
notebook = self.__users.load_notebook( user_id, notebook_id, read_write = True )
if not user or not notebook or notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
uploaded_file.delete()
return dict( script = general_error_script % u"Sorry, you don't have access to do that. Please make sure you're logged in as the correct user." )
@ -738,8 +745,11 @@ class Files( object ):
@raise Access_error: the current user doesn't have access to the notebook that the file is in
"""
db_file = self.__database.load( File, file_id )
if db_file is None:
raise Access_error()
if not db_file or not self.__users.load_notebook( user_id, db_file.notebook_id ):
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
user = self.__database.load( User, user_id )
@ -777,8 +787,11 @@ class Files( object ):
@raise Access_error: the current user doesn't have access to the notebook that the file is in
"""
db_file = self.__database.load( File, file_id )
if db_file is None:
raise Access_error()
if not db_file or not self.__users.load_notebook( user_id, db_file.notebook_id, read_write = True ):
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id, read_write = True )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
self.__database.execute( db_file.sql_delete(), commit = False )
@ -816,8 +829,11 @@ class Files( object ):
@raise Access_error: the current user doesn't have access to the notebook that the file is in
"""
db_file = self.__database.load( File, file_id )
if db_file is None:
raise Access_error()
if not db_file or not self.__users.load_notebook( user_id, db_file.notebook_id, read_write = True ):
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id, read_write = True )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
db_file.filename = filename
@ -918,8 +934,11 @@ class Files( object ):
MAX_ROW_ELEMENT_COUNT = 20
db_file = self.__database.load( File, file_id )
if db_file is None:
raise Access_error()
if not db_file or not self.__users.load_notebook( user_id, db_file.notebook_id ):
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
parser = self.parse_csv( file_id )
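Review bot: The load-file-then-check-notebook guard introduced in the hunk at `@ -738,8 +745,11 @@` is repeated verbatim in the `-777`, `-816` and `-918` hunks of this file and once more in the Notebooks hunk at `-1812`, so the authorization rule for file operations now lives in five places that have to be kept in sync by hand. A private helper on Files that loads the File, loads its notebook with the requested `read_write` flag and raises Access_error on either failure would let each method collapse to one call such as `db_file, db_notebook = self.__load_file_notebook( user_id, file_id, read_write = True )`. Separately, every guard denies exactly one named level, `Notebook.READ_WRITE_FOR_OWN_NOTES`, so any access level added to Notebook later would pass these checks by default; comparing against the level(s) that are meant to be allowed would fail closed instead. The sketch below assumes load_notebook's read_write parameter defaults to False, which is not visible in these hunks, and every enclosing method begins outside its hunk.
```python
# … unchanged: existing Files methods …

def __load_file_notebook( self, user_id, file_id, read_write = False ):
  """
  Load a file and the notebook containing it, enforcing the file-access rule
  in a single place.

  @raise Access_error: the file doesn't exist, the current user doesn't have
                       access to its notebook, or the notebook is
                       READ_WRITE_FOR_OWN_NOTES
  """
  db_file = self.__database.load( File, file_id )
  if db_file is None:
    raise Access_error()

  db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id, read_write = read_write )
  if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
    raise Access_error()

  return db_file, db_notebook

# … in each caller (e.g. the method at -738), replacing the duplicated guard …
db_file, db_notebook = self.__load_file_notebook( user_id, file_id )
```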
@ -781,7 +781,7 @@ class Notebooks( object ):
new_revision = new_revision,
previous_revision = previous_revision,
storage_bytes = user and user.storage_bytes or 0,
rank = float( note.rank ),
rank = note.rank and float( note.rank ) or None,
)
@expose( view = Json )
@ -1350,7 +1350,8 @@ class Notebooks( object ):
# special case to allow the creator of a READ_WRITE_FOR_OWN_NOTES notebook to rename it
if notebook is None:
notebook = self.__users.load_notebook( user_id, notebook_id, read_write = True )
if not ( notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES and notebook.user_id == user_id ):
if not notebook or not ( notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES and
notebook.user_id == user_id ):
raise Access_error()
user = self.__database.load( User, user_id )
@ -1812,7 +1813,11 @@ class Notebooks( object ):
raise Access_error()
db_file = self.__database.load( File, file_id )
if db_file is None or not self.__users.load_notebook( user_id, db_file.notebook_id ):
if db_file is None:
raise Access_error()
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
# if the file has a "note_id" header column, record its index
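Review bot: In the hunk at `@ -781,7 +781,7 @@`, `rank = note.rank and float( note.rank ) or None,` reports None not only for a missing rank but also for a rank of 0, because `float( 0 )` is falsy and the `and`/`or` idiom then falls through to `None`; if 0 is a legal position (the first note would naturally hold it) the client gets no rank back for that note. `rank = None if note.rank is None else float( note.rank ),` keeps the two cases apart (conditional-expression syntax, Python 2.5 or later). The method that builds this return dict starts before the hunk, so whether note.rank is already guaranteed non-None upstream isn't visible here.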
@ -1912,7 +1912,7 @@ class Test_notebooks( Test_controller ):
# save over an existing note supplying new (too long) contents and a new title
previous_revision = self.note.revision
new_note_contents = u"<h3>new title</h3>new blah" * 1923
new_note_contents = u"<h3>new title</h3>new blah" * 1924
result = self.http_post( "/notebooks/save_note/", dict(
notebook_id = self.notebook.object_id,
note_id = self.note.object_id,
@ -5385,7 +5385,7 @@ class Test_notebooks( Test_controller ):
csv_data = '"label 1","label 2","label 3"\n5,"blah and stuff","3.<b>3 </b>"\n"8","whee","hmm\n<a href=""http://luminotes.com/"">foo</a>"\n3,4,5'
expected_notes = [
( "blah and stuff", "3.<b>3 </b>" ), # ( title, contents )
( "whee", 'hmm\n<a href="http://luminotes.com/" target="_new">foo</a>' ),
( "whee", 'hmm\n<a href="http://luminotes.com/" target="_new" rel="nofollow">foo</a>' ),
( "4", "5" ),
]
@ -5417,7 +5417,7 @@ class Test_notebooks( Test_controller ):
csv_data = '"label 1","label 2","label 3"\n5,"blah and stuff","3.<b>3 </b>"\n"8","whee","hmm\n<a href=""http://luminotes.com/"" target=""something"">foo</a>"\n3,4,5'
expected_notes = [
( "blah and stuff", "3.<b>3 </b>" ), # ( title, contents )
( "whee", 'hmm\n<a href="http://luminotes.com/" target="something">foo</a>' ),
( "whee", 'hmm\n<a href="http://luminotes.com/" target="something" rel="nofollow">foo</a>' ),
( "4", "5" ),
]
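Review bot: The change from 1923 to 1924 repetitions in the hunk at `@ -1912,7 +1912,7 @@` leaves a bare magic number: the comment above says the contents are meant to be too long, but nothing in the test ties 1924 to the limit being exceeded, and the bump itself shows the literal drifts whenever that limit moves. Derive the repetition count from the constant that defines the maximum note contents length, or at least annotate it with `# enough repetitions to exceed the note contents length limit`, so the test documents what it exercises and stops needing manual retuning. The enclosing test method starts outside the hunk.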