From 97f498614b873351c858b5cb8bd4929f22e0be03 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jun 12 2017 18:01:49 +0000
Subject: Return a 404 on private ticket if the user is not authenticated

Fixes https://pagure.io/pagure/issue/2320

---

diff --git a/pagure/ui/issues.py b/pagure/ui/issues.py
index 07dcdbd..3b8b5a9 100644
--- a/pagure/ui/issues.py
+++ b/pagure/ui/issues.py
@@ -997,11 +997,11 @@ def view_issue(repo, issueid, username=None, namespace=None):
 if issue is None or issue.project != repo:
 flask.abort(404, 'Issue not found')
- if issue.private and not flask.g.repo_committer \
- and (not authenticated() or
- not issue.user.user == flask.g.fas_user.username):
- flask.abort(
- 403, 'This issue is private and you are not allowed to view it')
+ if issue.private:
+ if not authenticated() or (
+ not flask.g.repo_committer
+ and issue.user.user != flask.g.fas_user.username):
+ flask.abort(404, 'Issue not found')
 status = pagure.lib.get_issue_statuses(SESSION)
diff --git a/tests/test_pagure_flask_ui_issues.py b/tests/test_pagure_flask_ui_issues.py
index 48212f5..ed9a1ef 100644
--- a/tests/test_pagure_flask_ui_issues.py
+++ b/tests/test_pagure_flask_ui_issues.py
@@ -567,13 +567,13 @@ class PagureFlaskIssuestests(tests.Modeltests):
 # Not logged in
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # Wrong user
 user = tests.FakeUser()
 with tests.user_set(pagure.APP, user):
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # reporter
 user.username = 'pingou'
diff --git a/tests/test_pagure_flask_ui_issues_acl_checks.py b/tests/test_pagure_flask_ui_issues_acl_checks.py
index e0e4457..7f3bdec 100644
--- a/tests/test_pagure_flask_ui_issues_acl_checks.py
+++ b/tests/test_pagure_flask_ui_issues_acl_checks.py
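Review bot: The new `flask.abort(404, 'Issue not found')` in the private-issue branch only hides the ticket's existence because its status and message exactly match the not-found abort a few lines above, yet nothing in the hunk records that this is deliberate; a later cleanup could restore a 403 or a more descriptive message and reopen the existence leak this commit closes. Add `# Deliberately 404 with the same message as the not-found case: a 403 here would confirm that a private issue exists.` directly above the abort. Other handlers that gate on `issue.private` are not part of this diff; if any of them still answers 403 for the same unauthenticated or wrong-user cases, the ticket's existence stays observable there, so that is worth checking alongside this change. The body of view_issue continues outside the hunk.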
@@ -277,13 +277,13 @@ class PagureFlaskIssuesACLtests(tests.Modeltests):
 # Not logged in
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # Wrong user
 user = tests.FakeUser()
 with tests.user_set(pagure.APP, user):
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # reporter
 user.username = 'pingou'
@@ -540,13 +540,13 @@ class PagureFlaskIssuesACLtests(tests.Modeltests):
 # Not logged in
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # Wrong user
 user = tests.FakeUser()
 with tests.user_set(pagure.APP, user):
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # reporter
 user.username = 'pingou'
@@ -802,13 +802,13 @@ class PagureFlaskIssuesACLtests(tests.Modeltests):
 # Not logged in
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # Wrong user
 user = tests.FakeUser()
 with tests.user_set(pagure.APP, user):
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # reporter
 user.username = 'pingou'
@@ -1065,13 +1065,13 @@ class PagureFlaskIssuesACLtests(tests.Modeltests):
 # Not logged in
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # Wrong user
 user = tests.FakeUser()
 with tests.user_set(pagure.APP, user):
 output = self.app.get('/test/issue/2')
- self.assertEqual(output.status_code, 403)
+ self.assertEqual(output.status_code, 404)
 # reporter
 user.username = 'pingou'