Improve private tracker access case
This fixes a bug with the ticket query, and also returns 401 for private trackers where the user does not have any access permissions.
parent
4ff9d6d2af
commit
49b48dd98e
|
@ -1,6 +1,7 @@
|
|||
from flask import abort
|
||||
from srht.oauth import current_user
|
||||
from todosrht.types import User, Tracker, Ticket, Visibility
|
||||
from todosrht.types import TicketAccess, UserAccess, Participant
|
||||
from todosrht.types import User, Tracker, Ticket, Visibility
|
||||
|
||||
# TODO: get_access for any participant
|
||||
def get_access(tracker, ticket, user=None):
|
||||
|
@ -48,7 +49,10 @@ def get_tracker(owner, name, with_for_update=False, user=None):
|
|||
tracker = tracker.one_or_none()
|
||||
if not tracker:
|
||||
return None, None
|
||||
return tracker, get_access(tracker, None, user=user)
|
||||
access = get_access(tracker, None, user=user)
|
||||
if access == TicketAccess.none and tracker.visibility == Visibility.PRIVATE:
|
||||
abort(401)
|
||||
return tracker, access
|
||||
|
||||
def get_ticket(tracker, ticket_id, user=None):
|
||||
user = user or current_user
|
||||
|
|
|
@ -1,8 +1,12 @@
|
|||
from urllib.parse import quote
|
||||
from flask import Blueprint, render_template, request, url_for, abort, redirect
|
||||
from srht.config import cfg
|
||||
from srht.database import db
|
||||
from srht.flask import paginate_query, session
|
||||
from srht.oauth import current_user, loginrequired
|
||||
from srht.validation import Validation
|
||||
from todosrht.access import get_tracker
|
||||
from todosrht.color import color_from_hex, color_to_hex, get_text_color
|
||||
from todosrht.color import valid_hex_color_code
|
||||
from todosrht.access import get_tracker
|
||||
from todosrht.filters import render_markup
|
||||
from todosrht.search import apply_search
|
||||
from todosrht.tickets import get_last_seen_times
|
||||
|
@ -12,11 +16,7 @@ from todosrht.types import TicketSubscription, Participant
|
|||
from todosrht.types import Tracker, Ticket, TicketAccess
|
||||
from todosrht.urls import tracker_url, ticket_url
|
||||
from todosrht.webhooks import TrackerWebhook, UserWebhook
|
||||
from srht.config import cfg
|
||||
from srht.database import db
|
||||
from srht.flask import paginate_query, session
|
||||
from srht.oauth import current_user, loginrequired
|
||||
from srht.validation import Validation
|
||||
from urllib.parse import quote
|
||||
|
||||
tracker = Blueprint("tracker", __name__)
|
||||
|
||||
|
@ -93,7 +93,7 @@ def return_tracker(tracker, access, **kwargs):
|
|||
.filter(Ticket.tracker_id == tracker.id)
|
||||
.filter(Ticket.submitter_id == Participant.id))
|
||||
else:
|
||||
tickets = Ticket.query.filter("false")
|
||||
tickets = Ticket.query.filter(False)
|
||||
|
||||
try:
|
||||
terms = request.args.get("search")
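Review bot: `Ticket.query.filter(False)` in the `else:` branch of return_tracker depends on SQLAlchemy coercing a Python bool into a SQL false expression, the same kind of implicit handling that apparently stopped working for the string form this commit replaces. Writing it as `Ticket.query.filter(false())` with `from sqlalchemy import false` states the intent and does not rely on coercion. This looks like the branch that yields an empty ticket list when the viewer may not browse tickets (the condition is above the hunk, so that is inferred), which makes it worth a regression test asserting that the query returns no rows. return_tracker starts before and continues after the hunk.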
|
||||
|
|