From e7f92c81fa7ef40fe1380a6e995ed2a1a8a8bfe0 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Nov 17 2017 14:18:29 +0000 Subject: Allow assignee to drop their assignment Fixes https://pagure.io/pagure/issue/2740 Signed-off-by: Pierre-Yves Chibon --- diff --git a/pagure/api/issue.py b/pagure/api/issue.py index 22f23c6..d7a02b7 100644 --- a/pagure/api/issue.py +++ b/pagure/api/issue.py @@ -110,16 +110,25 @@ def _check_private_issue_access(issue): 403, error_code=APIERROR.EISSUENOTALLOWED) -def _check_ticket_access(issue): +def _check_ticket_access(issue, assignee=False): """Check if user can access issue. Must be repo commiter or author to see private issues. :param issue: issue object + :param assignee: a boolean specifying whether to allow the assignee or not + defaults to False :raises pagure.exceptions.APIError: when access denied """ # Private tickets require commit access _check_private_issue_access(issue) # Public tickets require ticket access - if not is_repo_user(issue.project): + error = not is_repo_user(issue.project) + + if assignee: + if issue.assignee is not None \ + and issue.assignee.user == flask.g.fas_user.username: + error = False + + if error: raise pagure.exceptions.APIError( 403, error_code=APIERROR.EISSUENOTALLOWED) @@ -1037,7 +1046,7 @@ def api_assign_issue(repo, issueid, username=None, namespace=None): _check_token(repo) issue = _get_issue(repo, issueid) - _check_ticket_access(issue) + _check_ticket_access(issue, assignee=True) form = pagure.forms.AssignIssueForm(csrf_enabled=False) if form.validate_on_submit(): diff --git a/tests/test_pagure_flask_api_issue.py b/tests/test_pagure_flask_api_issue.py index d7a354d..1b70cc4 100644 --- a/tests/test_pagure_flask_api_issue.py +++ b/tests/test_pagure_flask_api_issue.py 
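Review bot: With `assignee=True`, `_check_ticket_access` lets the current assignee through whatever the request asks for, so as far as this hunk shows, an assignee without ticket access can hand the issue to any other user rather than only drop it. The commit subject says only dropping is intended. The `api_assign_issue` call site in the second hunk runs the check before the form is read, and the rest of that function is outside the hunk, so this needs confirming there. If it is not already enforced, a guard after form validation would narrow it, e.g. `if form.assignee.data and not is_repo_user(repo): raise pagure.exceptions.APIError(403, error_code=APIERROR.EISSUENOTALLOWED)` (field name assumed from the test's POST data). The docstring should also state that the assignee exception relaxes only the public-ticket check, since `_check_private_issue_access(issue)` still runs first.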
@@ -2594,6 +2594,67 @@ class PagureFlaskApiIssuetests(tests.Modeltests):
 @patch('pagure.lib.git.update_git')
 @patch('pagure.lib.notify.send_email')
+ def test_api_assign_issue_issuer(self, p_send_email, p_ugt):
+ """ Test the api_assign_issue method of the flask api. """
+ p_send_email.return_value = True
+ p_ugt.return_value = True
+
+ tests.create_projects(self.session)
+ tests.create_tokens(self.session, user_id=2)
+ tests.create_tokens_acl(self.session)
+
+ headers = {'Authorization': 'token aaabbbcccddd'}
+
+ # Create normal issue
+ repo = pagure.get_authorized_project(self.session, 'test')
+ msg = pagure.lib.new_issue(
+ session=self.session,
+ repo=repo,
+ title='Test issue #1',
+ content='We should work on this',
+ user='pingou',
+ ticketfolder=None,
+ private=False,
+ issue_uid='aaabbbccc#1',
+ assignee='foo',
+ )
+ self.session.commit()
+ self.assertEqual(msg.title, 'Test issue #1')
+
+ # Check comments before
+ repo = pagure.get_authorized_project(self.session, 'test')
+ issue = pagure.lib.search_issues(self.session, repo, issueid=1)
+ self.assertEqual(len(issue.comments), 0)
+
+ # Un-assign
+ data = {'assignee': None}
+ output = self.app.post(
+ '/api/0/test/issue/1/assign', data={}, headers=headers)
+ self.assertEqual(output.status_code, 200)
+ data = json.loads(output.data)
+ self.assertDictEqual(
+ data,
+ {'message': 'Assignee reset'}
+ )
+
+ # No longer allowed to self-assign since no access
+ data = {
+ 'assignee': 'foo',
+ }
+ output = self.app.post(
+ '/api/0/test/issue/1/assign', data=data, headers=headers)
+ self.assertEqual(output.status_code, 403)
+ data = json.loads(output.data)
+ self.assertDictEqual(
+ data,
+ {
+ u'error': u'You are not allowed to view this issue',
+ u'error_code': u'EISSUENOTALLOWED'
+ }
+ )
+
+ @patch('pagure.lib.git.update_git')
+ @patch('pagure.lib.notify.send_email')
 def test_api_subscribe_issue(self, p_send_email, p_ugt):
 """ Test the api_subscribe_issue method of the flask api. """
 p_send_email.return_value = True
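Review bot: The un-assign step builds `data = {'assignee': None}` but posts `data={}`, so the variable is dead and the request body is not what the comment suggests; either drop the assignment or pass it. The test covers only the drop path and the 403 after the drop. It has no case where the still-assigned user (presumably `foo`, via the `user_id=2` token) posts a different `assignee` value, which is the request that shows whether the relaxed check permits reassignment or only unassignment. Adding that case, plus one where a user who is neither assignee nor project member posts an empty form and gets 403, would pin the intended authorization boundary. The docstring repeats the generic `api_assign_issue` text; something like `""" Test that an assignee without ticket access can drop their own assignment. """` would say what is being checked.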