pagure

Clone

#999 Allow only repo_admins to assign PRs
Merged 7 years ago by pingou. Opened 7 years ago by ryanlerch.
ryanlerch/pagure restrict-PR-assignment  into  master

file modified
+3 -3 
@@ -556,7 +556,7 @@ 
 

  

      <div class="card">
 

        <div class="card-block">
 

-         {% if authenticated and mergeform and pull_request.status == 'Open' %}
 

+         {% if authenticated and mergeform and pull_request.status == 'Open' and repo_admin %}
 

            <form method="POST" action="{{ url_for('.set_assignee_requests',
 

                username=username, repo=repo.name, requestid=requestid) }}">
 

              <fieldset class="form-group issue-metadata-form">
 
@@ -571,10 +571,10 @@ 
 

                <fieldset class="form-group issue-metadata-display">
 

                  <label><strong>Assignee</strong></label>
 

                  <div>
 

-                   {{ pull_request.assignee.username or '' }}
 

+                   {{ pull_request.assignee.username or 'Unassigned' }}
 

                  </div>
 

                </fieldset>
 

-         {% if authenticated and mergeform and pull_request.status == 'Open' %}
 

+         {% if authenticated and mergeform and pull_request.status == 'Open' and repo_admin %}
 

                <input type="submit" class="btn btn-primary issue-metadata-form" value="Update">
 

                <a class="btn btn-secondary issue-metadata-form editmetadatatoggle" >cancel</a>
 

              </form>

file modified
+3 
@@ -799,6 +799,9 @@ 
 

      if request.status != 'Open':
 

          flask.abort(403, 'Pull-request closed')
 

  

+     if not is_repo_admin(repo):
 

+         flask.abort(403, 'You are not allowed to assign this pull-request')
 

+ 

      form = pagure.forms.ConfirmationForm()
 

      if form.validate_on_submit():
 

          try:

file modified
+15 -6 
@@ -1173,10 +1173,10 @@ 
 

              os.path.join(tests.HERE, 'requests'), bare=True)
 

          self.set_up_git_repo(new_project=None, branch_from='feature')
 

  

-         # No such project
 

          user = tests.FakeUser()
 

-         user.username = 'foo'
 

+         user.username = 'pingou'
 

          with tests.user_set(pagure.APP, user):
 

+             # No such project
 

              output = self.app.post('/foo/pull-request/1/assign')
 

              self.assertEqual(output.status_code, 404)
 

  
@@ -1192,7 +1192,7 @@ 
 

                  'Pagure</title>', output.data)
 

              self.assertIn(
 

                  '<h3><span class="label label-default">PR#1</span>\n'
 

-                 '  PR from the feature branch\n</h3>', output.data)
 

+                 '  PR from the feature branch\n', output.data)
 

              self.assertNotIn(
 

                  '</button>\n                      Request assigned',
 

                  output.data)
 
@@ -1217,7 +1217,7 @@ 
 

                  'Pagure</title>', output.data)
 

              self.assertIn(
 

                  '<h3><span class="label label-default">PR#1</span>\n'
 

-                 '  PR from the feature branch\n</h3>', output.data)
 

+                 '  PR from the feature branch\n', output.data)
 

              self.assertNotIn(
 

                  '</button>\n                      Request assigned',
 

                  output.data)
 
@@ -1237,7 +1237,7 @@ 
 

                  'Pagure</title>', output.data)
 

              self.assertIn(
 

                  '<h3><span class="label label-default">PR#1</span>\n'
 

-                 '  PR from the feature branch\n</h3>', output.data)
 

+                 '  PR from the feature branch\n', output.data)
 

              self.assertIn(
 

                  '</button>\n                      No user &#34;bar&#34; found',
 

                  output.data)
 
@@ -1248,6 +1248,15 @@ 
 

                  'user': 'pingou',
 

              }
 

  

+         user.username = 'foo'
 

+         with tests.user_set(pagure.APP, user):
 

+             output = self.app.post(
 

+                 '/test/pull-request/1/assign', data=data,
 

+                 follow_redirects=True)
 

+             self.assertEqual(output.status_code, 403)
 

+ 

+         user.username = 'pingou'
 

+         with tests.user_set(pagure.APP, user):
 

              output = self.app.post(
 

                  '/test/pull-request/1/assign', data=data,
 

                  follow_redirects=True)
 
@@ -1257,7 +1266,7 @@ 
 

                  'Pagure</title>', output.data)
 

              self.assertIn(
 

                  '<h3><span class="label label-default">PR#1</span>\n'
 

-                 '  PR from the feature branch\n</h3>', output.data)
 

+                 '  PR from the feature branch\n', output.data)
 

              self.assertIn(
 

                  '</button>\n                      Request assigned',
 

                  output.data)

Changes the PR assignment permission to only allow
repo admins to assign PRs, which is the same as the
current behaviour for assigning Issues.

Fixes #985

Should we check that we get a 403 if user is foo?

1 new commit added

  • Ensure we test that non-admin cannot assign PR
7 years ago

Test adjusted, merging :)

Thanks @ryanlerch

Pull-Request has been merged by pingou
7 years ago
Metadata
None
No Tags
Changes Summary 3
+3 -3
file changed
pagure/templates/pull_request.html
+3 -0
file changed
pagure/ui/fork.py
+15 -6
file changed
tests/test_pagure_flask_ui_fork.py
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.