From 649607984b046b880fb5e4d47c2e97ab9a06c5e7 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: May 09 2017 02:13:15 +0000
Subject: Allow project-less token to change the status of an issue in the API
Signed-off-by: Pierre-Yves Chibon
---
diff --git a/pagure/api/issue.py b/pagure/api/issue.py
index 284de20..5598e23 100644
--- a/pagure/api/issue.py
+++ b/pagure/api/issue.py
@@ -678,7 +678,7 @@ def api_change_status_issue(repo, issueid, username=None, namespace=None):
 repo = _get_repo(repo, username, namespace)
 _check_issue_tracker(repo)
- _check_token(repo)
+ _check_token(repo, project_token=False)
 issue = _get_issue(repo, issueid)
 _check_ticket_access(issue)
diff --git a/pagure/default_config.py b/pagure/default_config.py
index b19c37c..d4e3dc5 100644
--- a/pagure/default_config.py
+++ b/pagure/default_config.py
@@ -239,6 +239,7 @@ CROSS_PROJECT_ACLS = [
 ADMIN_API_ACLS = [
 'issue_comment',
 'issue_create',
+ 'issue_change_status',
 'pull_request_flag',
 'pull_request_comment',
 'pull_request_merge',
diff --git a/tests/test_pagure_flask_api_issue_change_status.py b/tests/test_pagure_flask_api_issue_change_status.py
index 536d85b..43265f9 100644
--- a/tests/test_pagure_flask_api_issue_change_status.py
+++ b/tests/test_pagure_flask_api_issue_change_status.py
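Review bot: In `pagure/api/issue.py`, `_check_token(repo, project_token=False)` no longer ties the token to `repo`, so the caller's rights on this particular project have to come from the checks that follow. The only one visible in the hunk is `_check_ticket_access(issue)`, and the error text asserted in the new tests suggests it guards viewing rather than modifying. The body of `api_change_status_issue` continues outside the hunk, so it is worth confirming that a commit or ownership check still runs before the status is written. I would record the intent next to the call, for example `# project_token=False: the token is not bound to this repo; the caller's rights on it are checked below`.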
@@ -82,6 +82,30 @@ class PagureFlaskApiIssueChangeStatustests(tests.Modeltests):
 self.session.commit()
 self.assertEqual(msg.title, 'Test issue #2')
+ # Create project-less token for user foo
+ item = pagure.lib.model.Token(
+ id='project-less-foo',
+ user_id=2,
+ project_id=None,
+ expiration=datetime.datetime.utcnow()
+ + datetime.timedelta(days=30)
+ )
+ self.session.add(item)
+ self.session.commit()
+ tests.create_tokens_acl(self.session, token_id='project-less-foo')
+
+ # Create project-less token for user pingou
+ item = pagure.lib.model.Token(
+ id='project-less-pingou',
+ user_id=1,
+ project_id=None,
+ expiration=datetime.datetime.utcnow()
+ + datetime.timedelta(days=30)
+ )
+ self.session.add(item)
+ self.session.commit()
+ tests.create_tokens_acl(self.session, token_id='project-less-pingou')
+
 def test_api_change_status_issue_invalid_project(self):
 """ Test the api_change_status_issue method of the flask api. """
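Review bot: The two token fixtures added to this setup code are identical apart from `id` and `user_id`, so a single loop over `(token_id, user_id)` pairs would keep them from drifting apart. The hard-coded `user_id=2` and `user_id=1` also depend on the order in which the base fixtures create foo and pingou, which this hunk does not show, so the comment should say where that mapping comes from. The enclosing method starts outside the hunk.

```python
        # Create project-less tokens; the user ids follow the base fixtures
        # (2 is foo, 1 is pingou)
        for token_id, user_id in (
                ('project-less-foo', 2), ('project-less-pingou', 1)):
            item = pagure.lib.model.Token(
                id=token_id,
                user_id=user_id,
                project_id=None,
                expiration=datetime.datetime.utcnow()
                + datetime.timedelta(days=30)
            )
            self.session.add(item)
            self.session.commit()
            tests.create_tokens_acl(self.session, token_id=token_id)
```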
@@ -222,6 +246,56 @@ class PagureFlaskApiIssueChangeStatustests(tests.Modeltests):
 data['error_code'])
 self.assertEqual(pagure.api.APIERROR.EINVALIDTOK.value, data['error'])
+ @patch('pagure.lib.notify.send_email', MagicMock(return_value=True))
+ def test_api_change_status_issue_no_ticket_project_less(self):
+ """ Test the api_change_status_issue method of the flask api. """
+
+ headers = {'Authorization': 'token project-less-foo'}
+
+ data = {
+ 'status': 'Fixed',
+ }
+
+ # Valid request
+ output = self.app.post(
+ '/api/0/test/issue/1/status', data=data, headers=headers)
+ self.assertEqual(output.status_code, 403)
+ data = json.loads(output.data)
+
+ self.assertDictEqual(
+ data,
+ {
+ "error": "You are not allowed to view this issue",
+ "error_code": "EISSUENOTALLOWED"
+ }
+ )
+
+ @patch('pagure.lib.notify.send_email', MagicMock(return_value=True))
+ def test_api_change_status_issue_project_less(self):
+ """ Test the api_change_status_issue method of the flask api. """
+
+ headers = {'Authorization': 'token project-less-pingou'}
+
+ data = {
+ 'status': 'Fixed',
+ }
+
+ # Valid request
+ output = self.app.post(
+ '/api/0/test/issue/1/status', data=data, headers=headers)
+ self.assertEqual(output.status_code, 200)
+ data = json.loads(output.data)
+
+ self.assertDictEqual(
+ data,
+ {
+ "message": [
+ "Issue status updated to: Closed (was: Open)",
+ "Issue close_status updated to: Fixed"
+ ]
+ }
+ )
+
 if __name__ == '__main__':
 unittest.main(verbosity=2)
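Review bot: The denial case `test_api_change_status_issue_no_ticket_project_less` only shows foo's token being refused with `EISSUENOTALLOWED`, which by its message is the view check. Nothing in this hunk exercises a project-less token whose owner can see the issue but has no rights on `test`, which is the path this commit newly opens; if the fixtures allow it, a test for that case belongs next to these two. Separately, the `# Valid request` comment in the 403 test is misleading and both docstrings are identical. I would use `# Valid token, but foo is not allowed to view this issue` and a docstring such as `""" A project-less token cannot change the status of an issue its owner may not view. """`.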