From 49b48dd98e6be1ec69480637a9dd45b6f4973c49 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Wed, 6 Oct 2021 10:25:09 +0200
Subject: [PATCH] Improve private tracker access case

This fixes a bug with the ticket query, and also returns 401 for private trackers where the user does not have any access permissions.
---
 todosrht/access.py | 8 ++++++--
 todosrht/blueprints/tracker.py | 16 ++++++++--------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/todosrht/access.py b/todosrht/access.py
index 75d0375..3d24311 100644
--- a/todosrht/access.py
+++ b/todosrht/access.py
@@ -1,6 +1,7 @@
+from flask import abort
 from srht.oauth import current_user
-from todosrht.types import User, Tracker, Ticket, Visibility
 from todosrht.types import TicketAccess, UserAccess, Participant
+from todosrht.types import User, Tracker, Ticket, Visibility
 
 # TODO: get_access for any participant
 def get_access(tracker, ticket, user=None):
@@ -48,7 +49,10 @@ def get_tracker(owner, name, with_for_update=False, user=None):
     tracker = tracker.one_or_none()
     if not tracker:
         return None, None
-    return tracker, get_access(tracker, None, user=user)
+    access = get_access(tracker, None, user=user)
+    if access == TicketAccess.none and tracker.visibility == Visibility.PRIVATE:
+        abort(401)
+    return tracker, access
 
 def get_ticket(tracker, ticket_id, user=None):
     user = user or current_user
diff --git a/todosrht/blueprints/tracker.py b/todosrht/blueprints/tracker.py
index f5bf87d..1cdc694 100644
--- a/todosrht/blueprints/tracker.py
+++ b/todosrht/blueprints/tracker.py
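Review bot: The new `abort(401)` in get_tracker answers differently for a private tracker the caller may not see (401) than for a tracker that does not exist (`return None, None`, which callers presumably turn into 404), so an unauthenticated visitor can confirm that a private tracker with a given owner/name exists. If that disclosure is not intended, the no-access case should be indistinguishable from the not-found case, e.g. `return None, None` or `abort(404)` in place of `abort(401)`; if it is intended, a comment such as `# private + no access: deliberately 401 rather than 404` would record the decision. Separately, 401 signals "not authenticated", so a logged-in user with no permission would more conventionally get 403 — whether `user` is always resolved here (as get_ticket does with `user = user or current_user`) cannot be seen, since the body of get_tracker starts outside the hunk. Calling Flask's `abort` from the access helper also means any non-HTTP caller of get_tracker now raises an HTTPException instead of receiving `TicketAccess.none`; worth a note on the function if that is acceptable.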
@@ -1,8 +1,12 @@
-from urllib.parse import quote
 from flask import Blueprint, render_template, request, url_for, abort, redirect
+from srht.config import cfg
+from srht.database import db
+from srht.flask import paginate_query, session
+from srht.oauth import current_user, loginrequired
+from srht.validation import Validation
+from todosrht.access import get_tracker
 from todosrht.color import color_from_hex, color_to_hex, get_text_color
 from todosrht.color import valid_hex_color_code
-from todosrht.access import get_tracker
 from todosrht.filters import render_markup
 from todosrht.search import apply_search
 from todosrht.tickets import get_last_seen_times
@@ -12,11 +16,7 @@ from todosrht.types import TicketSubscription, Participant
 from todosrht.types import Tracker, Ticket, TicketAccess
 from todosrht.urls import tracker_url, ticket_url
 from todosrht.webhooks import TrackerWebhook, UserWebhook
-from srht.config import cfg
-from srht.database import db
-from srht.flask import paginate_query, session
-from srht.oauth import current_user, loginrequired
-from srht.validation import Validation
+from urllib.parse import quote
 
 tracker = Blueprint("tracker", __name__)
 
@@ -93,7 +93,7 @@ def return_tracker(tracker, access, **kwargs):
         .filter(Ticket.tracker_id == tracker.id)
         .filter(Ticket.submitter_id == Participant.id))
     else:
-        tickets = Ticket.query.filter("false")
+        tickets = Ticket.query.filter(False)
 
     try:
         terms = request.args.get("search")
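Review bot: The replacement `Ticket.query.filter(False)` in return_tracker relies on SQLAlchemy coercing a bare Python boolean into a SQL false clause; the explicit construct `sqlalchemy.false()` states the intent without depending on that coercion, and a one-line comment such as `# no ticket access: deliberately empty result set rather than an error` would explain why an always-false filter is built at all. The condition that selects this `else` branch is outside the hunk, so whether the branch is still reachable for private trackers after the companion change in access.py (which now aborts before this point) cannot be confirmed here; if it only remains for unlisted/public trackers with no access, the comment should say so. The enclosing function return_tracker starts and ends outside the hunk.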