matthias/mayan-edms
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't error out link resolution if user doesn't has permission for the object argument. This issue manifests during the forcefull check in attempt of issue GL #237. Solved and test added.

Browse Source
This commit is contained in:
Roberto Rosario
2015-10-26 02:15:53 -04:00
parent 31846a739d
commit f4a461e5a5
3 changed files with 87 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
mayan/apps/checkouts/links.py
View File

@@ -11,11 +11,19 @@ from .permissions import (
def is_checked_out(context):
return context['object'].is_checked_out()
try:
return context['object'].is_checked_out()
except KeyError:
# Might not have permissions
return False
def is_not_checked_out(context):
return not context['object'].is_checked_out()
try:
return not context['object'].is_checked_out()
except KeyError:
# Might not have permissions
return True
link_checkout_list = Link(

72
mayan/apps/checkouts/tests/test_views.py
View File

@@ -23,7 +23,8 @@ from user_management.tests import (
from ..models import DocumentCheckout
from ..permissions import (
permission_document_checkin, permission_document_checkout
permission_document_checkin, permission_document_checkin_override,
permission_document_checkout
)
@@ -163,3 +164,72 @@ class DocumentCheckoutViewTestCase(GenericDocumentViewTestCase):
resolved_link = link_upload_version.resolve(context=response.context)
self.assertEqual(resolved_link, None)
def test_forcefull_check_in_document_view_no_permission(self):
# Gitlab issue #237
# Forcefully checking in a document by a user without adequate
# permissions throws out an error
expiration_datetime = now() + datetime.timedelta(days=1)
DocumentCheckout.objects.checkout_document(
document=self.document, expiration_datetime=expiration_datetime,
user=self.admin_user, block_new_version=True
)
self.assertTrue(self.document.is_checked_out())
self.login(
username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD
)
self.role.permissions.add(
permission_document_checkin.stored_permission
)
self.role.permissions.add(
permission_document_checkout.stored_permission
)
response = self.post(
'checkouts:checkin_document', args=(self.document.pk,), follow=True
)
self.assertContains(
response, text='Insufficient permissions', status_code=403
)
self.assertTrue(self.document.is_checked_out())
def test_forcefull_check_in_document_view_with_permission(self):
expiration_datetime = now() + datetime.timedelta(days=1)
DocumentCheckout.objects.checkout_document(
document=self.document, expiration_datetime=expiration_datetime,
user=self.admin_user, block_new_version=True
)
self.assertTrue(self.document.is_checked_out())
self.login(
username=TEST_USER_USERNAME, password=TEST_USER_PASSWORD
)
self.role.permissions.add(
permission_document_checkin.stored_permission
)
self.role.permissions.add(
permission_document_checkin.stored_permission
)
self.role.permissions.add(
permission_document_checkin_override.stored_permission
)
response = self.post(
'checkouts:checkin_document', args=(self.document.pk,), follow=True
)
self.assertContains(
response, text='hecked in successfully', status_code=200
)
self.assertFalse(self.document.is_checked_out())

7
mayan/apps/navigation/classes.py
View File

@@ -285,7 +285,12 @@ class Link(object):
view_name=view_name, args=args, kwargs=kwargs, asvar=None
)
resolved_link.url = node.render(context)
try:
resolved_link.url = node.render(context)
except Exception as exception:
logger.error(
'Error resolving link "%s" URL; %s', self.text, exception
)
# This is for links that should be displayed but that are not clickable
if self.conditional_disable: