Improve private tracker access case

This fixes a bug with the ticket query, and also returns 401 for private trackers where the user does not have any access permissions.
2021-10-06 10:25:09 +02:00 · 2021-10-06 10:25:09 +02:00 · 49b48dd98e
parent 4ff9d6d2af
commit 49b48dd98e
2 changed files with 14 additions and 10 deletions
--- a/todosrht/access.py
+++ b/todosrht/access.py
@ -1,6 +1,7 @@
+from flask import abort
 from srht.oauth import current_user
-from todosrht.types import User, Tracker, Ticket, Visibility
 from todosrht.types import TicketAccess, UserAccess, Participant
+from todosrht.types import User, Tracker, Ticket, Visibility

 # TODO: get_access for any participant
 def get_access(tracker, ticket, user=None):
@ -48,7 +49,10 @@ def get_tracker(owner, name, with_for_update=False, user=None):
    tracker = tracker.one_or_none()
    if not tracker:
        return None, None
-    return tracker, get_access(tracker, None, user=user)
+    access = get_access(tracker, None, user=user)
+    if access == TicketAccess.none and tracker.visibility == Visibility.PRIVATE:
+        abort(401)
+    return tracker, access

 def get_ticket(tracker, ticket_id, user=None):
    user = user or current_user
--- a/todosrht/blueprints/tracker.py
+++ b/todosrht/blueprints/tracker.py
@ -1,8 +1,12 @@
-from urllib.parse import quote
 from flask import Blueprint, render_template, request, url_for, abort, redirect
+from srht.config import cfg
+from srht.database import db
+from srht.flask import paginate_query, session
+from srht.oauth import current_user, loginrequired
+from srht.validation import Validation
+from todosrht.access import get_tracker
 from todosrht.color import color_from_hex, color_to_hex, get_text_color
 from todosrht.color import valid_hex_color_code
-from todosrht.access import get_tracker
 from todosrht.filters import render_markup
 from todosrht.search import apply_search
 from todosrht.tickets import get_last_seen_times
@ -12,11 +16,7 @@ from todosrht.types import TicketSubscription, Participant
 from todosrht.types import Tracker, Ticket, TicketAccess
 from todosrht.urls import tracker_url, ticket_url
 from todosrht.webhooks import TrackerWebhook, UserWebhook
-from srht.config import cfg
-from srht.database import db
-from srht.flask import paginate_query, session
-from srht.oauth import current_user, loginrequired
-from srht.validation import Validation
+from urllib.parse import quote

 tracker = Blueprint("tracker", __name__)

@ -93,7 +93,7 @@ def return_tracker(tracker, access, **kwargs):
                .filter(Ticket.tracker_id == tracker.id)
                .filter(Ticket.submitter_id == Participant.id))
    else:
-        tickets = Ticket.query.filter("false")
+        tickets = Ticket.query.filter(False)

    try:
        terms = request.args.get("search")