
Disabled access to several controller methods for READ_WRITE_FOR_OWN_NOTES notebooks.

Also fixed some unit tests. Many other unit tests are forthcoming.
This commit is contained in:
Dan Helfman 2008-10-31 16:59:36 -07:00
parent 9aac28bbb5
commit 681e11e9a7
3 changed files with 37 additions and 13 deletions


@ -18,6 +18,7 @@ from Users import grab_user_id, Access_error
from Expire import strongly_expire
from model.File import File
from model.User import User
from model.Notebook import Notebook
from model.Download_access import Download_access
from view.Upload_page import Upload_page
from view.Blank_page import Blank_page
@ -531,7 +532,9 @@ class Files( object ):
@return: rendered HTML page
@raise Access_error: the current user doesn't have access to the given notebook
"""
if not self.__users.load_notebook( user_id, notebook_id, read_write = True, note_id = note_id ):
notebook = self.__users.load_notebook( user_id, notebook_id, read_write = True, note_id = note_id )
if not notebook or notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
file_id = self.__database.next_id( File )
@ -565,7 +568,9 @@ class Files( object ):
@return: rendered HTML page
@raise Access_error: the current user doesn't have access to the given notebook
"""
if not self.__users.load_notebook( user_id, notebook_id, read_write = True ):
notebook = self.__users.load_notebook( user_id, notebook_id, read_write = True )
if not notebook or notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
file_id = self.__database.next_id( File )
@ -622,7 +627,9 @@ class Files( object ):
current_uploads_lock.release()
user = self.__database.load( User, user_id )
if not user or not self.__users.load_notebook( user_id, notebook_id, read_write = True ):
notebook = self.__users.load_notebook( user_id, notebook_id, read_write = True )
if not user or not notebook or notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
uploaded_file.delete()
return dict( script = general_error_script % u"Sorry, you don't have access to do that. Please make sure you're logged in as the correct user." )
@ -738,8 +745,11 @@ class Files( object ):
@raise Access_error: the current user doesn't have access to the notebook that the file is in
"""
db_file = self.__database.load( File, file_id )
if db_file is None:
raise Access_error()
if not db_file or not self.__users.load_notebook( user_id, db_file.notebook_id ):
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
user = self.__database.load( User, user_id )
@ -777,8 +787,11 @@ class Files( object ):
@raise Access_error: the current user doesn't have access to the notebook that the file is in
"""
db_file = self.__database.load( File, file_id )
if db_file is None:
raise Access_error()
if not db_file or not self.__users.load_notebook( user_id, db_file.notebook_id, read_write = True ):
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id, read_write = True )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
self.__database.execute( db_file.sql_delete(), commit = False )
@ -816,8 +829,11 @@ class Files( object ):
@raise Access_error: the current user doesn't have access to the notebook that the file is in
"""
db_file = self.__database.load( File, file_id )
if db_file is None:
raise Access_error()
if not db_file or not self.__users.load_notebook( user_id, db_file.notebook_id, read_write = True ):
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id, read_write = True )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
db_file.filename = filename
@ -918,8 +934,11 @@ class Files( object ):
MAX_ROW_ELEMENT_COUNT = 20
db_file = self.__database.load( File, file_id )
if db_file is None:
raise Access_error()
if not db_file or not self.__users.load_notebook( user_id, db_file.notebook_id ):
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
parser = self.parse_csv( file_id )
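Review bot: The same two-line authorization rule — reject a notebook that failed to load or whose `read_write` equals `Notebook.READ_WRITE_FOR_OWN_NOTES` — is written out by hand in all seven hunks of this file (and once more in the last hunk of the Notebooks controller), with `not notebook` in the first three and `is None` in the rest. One private helper on Files would give the controller a single authorization chokepoint, so a later change to the rule cannot be missed at one of the sites; the upload handler, which answers with an error dict instead of raising, would wrap the call in `try/except Access_error`. The rule is also a deny-list that names the one mode to exclude, so any mode added to Notebook later is accepted by default; if the model defines a constant for plain read/write access, comparing for equality with that would fail closed instead. Every one of these hunks is the middle of a method whose start and end lie outside the hunk.

```python
  def __load_accessible_notebook( self, user_id, notebook_id, **load_args ):
    """
    Load notebook_id on behalf of user_id via Users.load_notebook() and raise Access_error
    unless it loaded and is not a READ_WRITE_FOR_OWN_NOTES notebook. Keyword arguments
    (read_write, note_id) are passed through to load_notebook() unchanged.
    """
    notebook = self.__users.load_notebook( user_id, notebook_id, **load_args )
    if notebook is None or notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
      raise Access_error()
    return notebook

  # … each call site then becomes one line, e.g. in the first hunk:
    notebook = self.__load_accessible_notebook( user_id, notebook_id, read_write = True, note_id = note_id )
```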


@ -781,7 +781,7 @@ class Notebooks( object ):
new_revision = new_revision,
previous_revision = previous_revision,
storage_bytes = user and user.storage_bytes or 0,
rank = float( note.rank ),
rank = note.rank and float( note.rank ) or None,
)
@expose( view = Json )
@ -1350,7 +1350,8 @@ class Notebooks( object ):
# special case to allow the creator of a READ_WRITE_FOR_OWN_NOTES notebook to rename it
if notebook is None:
notebook = self.__users.load_notebook( user_id, notebook_id, read_write = True )
if not ( notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES and notebook.user_id == user_id ):
if not notebook or not ( notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES and
notebook.user_id == user_id ):
raise Access_error()
user = self.__database.load( User, user_id )
@ -1812,7 +1813,11 @@ class Notebooks( object ):
raise Access_error()
db_file = self.__database.load( File, file_id )
if db_file is None or not self.__users.load_notebook( user_id, db_file.notebook_id ):
if db_file is None:
raise Access_error()
db_notebook = self.__users.load_notebook( user_id, db_file.notebook_id )
if db_notebook is None or db_notebook.read_write == Notebook.READ_WRITE_FOR_OWN_NOTES:
raise Access_error()
# if the file has a "note_id" header column, record its index
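Review bot: The new `rank = note.rank and float( note.rank ) or None` in the first hunk of this file maps a rank of 0 to None, because `0 and x` short-circuits to 0 and `0 or None` is None, whereas the replaced line produced `0.0` for that case. If a note can carry rank 0 (presumably the first note in a notebook — confirm against the model), the value sent to the client is silently dropped. The conditional expression `rank = None if note.rank is None else float( note.rank )` keeps the intended None passthrough without the and/or pitfall. The method around that line starts and ends outside the hunk. The access check in the last hunk duplicates the rule the Files controller now repeats at seven sites; a shared helper would keep the two controllers in step.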


@ -1912,7 +1912,7 @@ class Test_notebooks( Test_controller ):
# save over an existing note supplying new (too long) contents and a new title
previous_revision = self.note.revision
new_note_contents = u"<h3>new title</h3>new blah" * 1923
new_note_contents = u"<h3>new title</h3>new blah" * 1924
result = self.http_post( "/notebooks/save_note/", dict(
notebook_id = self.notebook.object_id,
note_id = self.note.object_id,
@ -5385,7 +5385,7 @@ class Test_notebooks( Test_controller ):
csv_data = '"label 1","label 2","label 3"\n5,"blah and stuff","3.<b>3 &nbsp;</b>"\n"8","whee","hmm\n<a href=""http://luminotes.com/"">foo</a>"\n3,4,5'
expected_notes = [
( "blah and stuff", "3.<b>3 &nbsp;</b>" ), # ( title, contents )
( "whee", 'hmm\n<a href="http://luminotes.com/" target="_new">foo</a>' ),
( "whee", 'hmm\n<a href="http://luminotes.com/" target="_new" rel="nofollow">foo</a>' ),
( "4", "5" ),
]
@ -5417,7 +5417,7 @@ class Test_notebooks( Test_controller ):
csv_data = '"label 1","label 2","label 3"\n5,"blah and stuff","3.<b>3 &nbsp;</b>"\n"8","whee","hmm\n<a href=""http://luminotes.com/"" target=""something"">foo</a>"\n3,4,5'
expected_notes = [
( "blah and stuff", "3.<b>3 &nbsp;</b>" ), # ( title, contents )
( "whee", 'hmm\n<a href="http://luminotes.com/" target="something">foo</a>' ),
( "whee", 'hmm\n<a href="http://luminotes.com/" target="something" rel="nofollow">foo</a>' ),
( "4", "5" ),
]
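Review bot: The updated expectations in the last two hunks only show `rel="nofollow"` being appended to anchors that carry no `rel` attribute; there is no input where the CSV already has a `rel` attribute (say `rel="something"`, a constructed sample), so whether the sanitizer replaces it or ends up emitting two `rel` attributes goes untested, and that is the case that matters for a link-rewriting rule. A third copy of this test with such an input would pin the behavior down. Separately, `* 1924` in the first hunk is a magic number whose only explanation is the comment "(too long)"; deriving it from the limit the controller enforces, or a comment stating which limit this length exceeds, would keep the test from quietly passing for the wrong reason if that limit changes.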