Restrict editor access in all states but proposed.

- Legacy-Id: 19205
Robert Sparks 2021-07-08 19:16:58 +00:00
parent 040e26be06
commit dcd372a928
6 changed files with 55 additions and 13 deletions


@ -80,7 +80,7 @@ This test section has some text.
self.write_bofreq_file(doc)
editors = bofreq_editors(doc)
responsible = bofreq_responsible(doc)
url = urlreverse('ietf.doc.views_doc.document_main', kwargs=dict(name=doc))
url = urlreverse('ietf.doc.views_doc.document_main', kwargs=dict(name=doc.name))
r = self.client.get(url)
self.assertContains(r,'Version: 01',status_code=200)
q = PyQuery(r.content)
@ -365,4 +365,31 @@ This test section has some text.
self.assertEqual(r.status_code, 200)
q = PyQuery(r.content)
self.assertTrue(q('form div.has-error'))
def test_post_proposed_restrictions(self):
states = State.objects.filter(type_id='bofreq').exclude(slug='proposed')
bofreq = BofreqFactory()
editor = bofreq_editors(bofreq).first()
for view in ('submit', 'change_editors', 'edit_title'):
url = urlreverse(f'ietf.doc.views_bofreq.{view}', kwargs=dict(name=bofreq.name))
for state in states:
bofreq.set_state(state)
for username in ('secretary', 'ad', 'iab-member'):
self.client.login(username=username, password=username+'+password')
r = self.client.get(url)
self.assertEqual(r.status_code,200)
self.client.logout()
self.client.login(username=editor.user.username, password=editor.user.username+'+password')
r = self.client.get(url)
self.assertEqual(r.status_code, 403, f'editor should not be able to use {view} in state {state.slug}')
self.client.logout()
url = urlreverse('ietf.doc.views_doc.document_main', kwargs=dict(name=bofreq.name))
self.client.login(username=editor.user.username, password=editor.user.username+'+password')
r = self.client.get(url)
self.assertEqual(r.status_code,200)
q = PyQuery(r.content)
self.assertEqual(0, len(q('td.edit>a.btn')))
self.assertEqual([],q('#change-request'))
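Review bot: The restriction loop only issues GET requests, so it never shows that an editor's POST in a non-proposed state is also rejected; add `r = self.client.post(url, {})` followed by `self.assertEqual(r.status_code, 403, f'editor should not be able to POST to {view} in state {state.slug}')` in the editor branch. The view tuple also omits `ietf.doc.views_draft.edit_doc_extresources`, whose button the template now hides behind the same `editor_can_manage` flag; exercising that URL here would catch a backend check that is looser than the UI. The last line compares a plain list with a PyQuery result — presumably it passes by sequence equality, but `self.assertEqual(0, len(q('#change-request')))` matches the preceding assertion and is unambiguous.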


@ -29,7 +29,7 @@ from ietf.doc.models import DocEvent, ConsensusDocEvent, BallotDocEvent, IRSGBal
from ietf.doc.models import TelechatDocEvent, DocumentActionHolder, EditedAuthorsDocEvent
from ietf.name.models import DocReminderTypeName, DocRelationshipName
from ietf.group.models import Role, Group
from ietf.ietfauth.utils import has_role, is_authorized_in_doc_stream, is_individual_draft_author
from ietf.ietfauth.utils import has_role, is_authorized_in_doc_stream, is_individual_draft_author, is_bofreq_editor
from ietf.person.models import Person
from ietf.review.models import ReviewWish
from ietf.utils import draft, text
@ -152,7 +152,8 @@ def can_unadopt_draft(user, doc):
def can_edit_docextresources(user, doc):
return (has_role(user, ("Secretariat", "Area Director"))
or is_authorized_in_doc_stream(user, doc)
or is_individual_draft_author(user, doc))
or is_individual_draft_author(user, doc)
or is_bofreq_editor(user, doc))
def two_thirds_rule( recused=0 ):
# For standards-track, need positions from 2/3 of the non-recused current IESG.
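Review bot: The added clause in `can_edit_docextresources` grants a bofreq editor access in every state, while the three views_bofreq views in this commit only allow editors while the request is `proposed`; the template hides the "Additional Resources" edit button behind the state-aware `editor_can_manage`, but hiding a button is not authorization, so an editor can still reach `edit_doc_extresources` by URL after the request leaves `proposed`. Change the new line to `or (is_bofreq_editor(user, doc) and doc.get_state_slug('bofreq') == 'proposed')`. A test that logs in as the editor in a non-proposed state and expects 403 from that URL would lock the rule in. The `two_thirds_rule` definition continues outside the hunk.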


@ -76,7 +76,8 @@ class BofreqUploadForm(forms.Form):
def submit(request, name):
bofreq = get_object_or_404(Document, type="bofreq", name=name)
previous_editors = bofreq_editors(bofreq)
if not (has_role(request.user,('Secretariat', 'Area Director', 'IAB')) or request.user.person in previous_editors):
state_id = bofreq.get_state_slug('bofreq')
if not (has_role(request.user,('Secretariat', 'Area Director', 'IAB')) or (state_id=='proposed' and request.user.person in previous_editors)):
permission_denied(request,"You do not have permission to upload a new revision of this BOF Request")
if request.method == 'POST':
@ -189,7 +190,8 @@ class ChangeEditorsForm(forms.Form):
def change_editors(request, name):
bofreq = get_object_or_404(Document, type="bofreq", name=name)
previous_editors = bofreq_editors(bofreq)
if not (has_role(request.user,('Secretariat', 'Area Director', 'IAB')) or request.user.person in previous_editors):
state_id = bofreq.get_state_slug('bofreq')
if not (has_role(request.user,('Secretariat', 'Area Director', 'IAB')) or (state_id=='proposed' and request.user.person in previous_editors)):
permission_denied(request,"You do not have permission to change this document's editors")
if request.method == 'POST':
@ -267,7 +269,8 @@ class ChangeTitleForm(forms.Form):
def edit_title(request, name):
bofreq = get_object_or_404(Document, type="bofreq", name=name)
editors = bofreq_editors(bofreq)
if not (has_role(request.user,('Secretariat', 'Area Director', 'IAB')) or request.user.person in editors):
state_id = bofreq.get_state_slug('bofreq')
if not (has_role(request.user,('Secretariat', 'Area Director', 'IAB')) or (state_id=='proposed' and request.user.person in editors)):
permission_denied(request, "You do not have permission to edit this document's title")
if request.method == 'POST':
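Review bot: The permission expression is now copied into `submit`, `change_editors` and `edit_title`, each with its own `state_id` lookup and its own `'proposed'` literal, which is how the next state-related change ends up applied to two of the three views. Pull it into one predicate and call it from each view so the rule has a single definition. Whether these views also carry `login_required` is outside the hunk; if they do not, `request.user.person` on an anonymous user would raise before `permission_denied` is reached, so the helper should check `user.is_authenticated` first. Each of the three view bodies continues past the hunk.
```python
def can_manage_bofreq(user, bofreq):
    """True for Secretariat/AD/IAB, or for a current editor while the request is 'proposed'."""
    if has_role(user, ('Secretariat', 'Area Director', 'IAB')):
        return True
    if not user.is_authenticated or bofreq.get_state_slug('bofreq') != 'proposed':
        return False
    return user.person in bofreq_editors(bofreq)

def submit(request, name):
    bofreq = get_object_or_404(Document, type="bofreq", name=name)
    previous_editors = bofreq_editors(bofreq)
    if not can_manage_bofreq(request.user, bofreq):
        permission_denied(request,"You do not have permission to upload a new revision of this BOF Request")
    # … unchanged: POST handling; same replacement in change_editors and edit_title …
```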


@ -533,7 +533,7 @@ def document_main(request, name, rev=None):
editors = bofreq_editors(doc)
responsible = bofreq_responsible(doc)
can_manage = has_role(request.user,['Secretariat', 'Area Director', 'IAB'])
is_editor = request.user.is_authenticated and request.user.person in editors
editor_can_manage = doc.get_state_slug('bofreq')=='proposed' and request.user.is_authenticated and request.user.person in editors
return render(request, "doc/document_bofreq.html",
dict(doc=doc,
@ -545,7 +545,7 @@ def document_main(request, name, rev=None):
can_manage=can_manage,
editors=editors,
responsible=responsible,
is_editor=is_editor,
editor_can_manage=editor_can_manage,
))
if doc.type_id == "conflrev":
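Review bot: `editor_can_manage` spells out the state-aware editor check inline, separately from the identical checks that the bofreq views use to enforce it, so the flag that shows the buttons and the check that rejects the request can drift apart over time. Compute both through one shared predicate (a helper taking `request.user` and `doc`) so a change to the rule lands in the UI and the enforcement together. The `request.user.is_authenticated` guard before `request.user.person` is correct here and is what the view-side checks in this commit lack. `document_main` begins and ends outside the hunk.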


@ -25,6 +25,7 @@ import debug # pyflakes:ignore
from ietf.group.models import Role, GroupFeatures
from ietf.person.models import Person
from ietf.doc.utils_bofreq import bofreq_editors
def user_is_person(user, person):
"""Test whether user is associated with person."""
@ -194,6 +195,9 @@ def is_individual_draft_author(user, doc):
if not user.is_authenticated:
return False
if not doc.type_id=='draft':
return False
if not doc.group.type_id == "individ" :
return False
@ -204,6 +208,13 @@ def is_individual_draft_author(user, doc):
return True
return False
def is_bofreq_editor(user, doc):
if not user.is_authenticated:
return False
if not doc.type_id=='bofreq':
return False
return user.person in bofreq_editors(doc)
def openid_userinfo(claims, user):
# Populate claims dict.
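Review bot: `is_bofreq_editor` has no docstring and `if not doc.type_id=='bofreq'` reads as a negated comparison; write `if doc.type_id != 'bofreq':` and add `"""Return True if user is authenticated and is listed as an editor of the bofreq document doc."""` (the sibling `is_individual_draft_author` has the same `not ... ==` form on its new line). The new module-level import of `ietf.doc.utils_bofreq` into `ietf.ietfauth.utils`, while `ietf.doc.utils` imports from `ietf.ietfauth.utils` in this same commit, looks like a circular-import candidate — presumably it resolves today since the tests pass, but a comment noting the dependency direction, or a function-local import inside `is_bofreq_editor`, would make that explicit. The `openid_userinfo` definition continues past the hunk.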


@ -50,7 +50,7 @@
<th>Title</th>
<td class="edit">
{% if not snapshot %}
{% if is_editor or can_manage %}
{% if editor_can_manage or can_manage %}
{% doc_edit_button 'ietf.doc.views_bofreq.edit_title' name=doc.name %}
{% endif %}
{% endif %}
@ -87,7 +87,7 @@
<th>Editor{{editors|pluralize}}</th>
<td class="edit">
{% if not snapshot %}
{% if is_editor or can_manage %}
{% if editor_can_manage or can_manage %}
{% doc_edit_button 'ietf.doc.views_bofreq.change_editors' name=doc.name %}
{% endif %}
{% endif %}
@ -117,12 +117,12 @@
</tr>
{% with doc.docextresource_set.all as resources %}
{% if resources or is_editor or can_manage %}
{% if resources or editor_can_manage or can_manage %}
<tr>
<td></td>
<th>Additional Resources</th>
<td class="edit">
{% if is_editor or can_manage %}
{% if editor_can_manage or can_manage %}
<a class="btn btn-default btn-xs" href="{% url 'ietf.doc.views_draft.edit_doc_extresources' name=doc.name %}">Edit</a>
{% endif %}
</td>
@ -165,7 +165,7 @@
</table>
{% if not snapshot %}
{% if is_editor or can_manage %}
{% if editor_can_manage or can_manage %}
<p id="change-request"><a class="btn btn-default" href="{% url 'ietf.doc.views_bofreq.submit' name=doc.name %}">Change BOF request text</a></p>
{% endif %}
{% endif %}