- /trunk/reviewboard/accounts/decorators.py (Diff revision 1): This is introducing a really ugly cross-dependency between modules. Maybe create a new reviews/decorators.py?
- /trunk/reviewboard/accounts/decorators.py (Diff revision 1): It might be nice to come up with a shorter name. Maybe just owner_required?
- /trunk/reviewboard/accounts/decorators.py (Diff revision 1): This should document the usage of perms and only_unpublic
- /trunk/reviewboard/accounts/decorators.py (Diff revision 1): I think I'd prefer "only_nonpublic" instead of "only_unpublic"
- /trunk/reviewboard/accounts/decorators.py (Diff revision 1): I think this makes a little more sense as 404 instead of forbidden.
Issue 379: Shouldn't access to unpublished review requests.
Review Request #366 — Created April 23, 2008 and submitted
Information | |
---|---|
zawatak | |
Review Board SVN (deprecated) | |
trunk | |
379 | |
Reviewers | |
reviewboard | |
This fix limits access to unpublished review requests. Only the submitter and people who have permission should be able to access the review request.

I define a decorator maker at reviewboard/accounts/decorators.py, and decorate review_request views.

Current code uses

    raise HttpResponseForbidden()

But it should be

    return HttpResponseForbidden("Error Message HTML")

or

    from django.core.exceptions import PermissionDenied
    raise PermissionDenied

I use HttpResponseForbidden, but error message is hard coded and very cheap. Maybe we can refactor it later to something like "templates/404.html" way of django.http.Http404.

------------------------------------

According to David's review,

* moved decorators.py to reviewboard/reviews/
* changed a parameter name from only_unpublic to only_nonpublic
* changed from returning HttpForbidden to raising Http404 when permission doesn't match

Thanks for reviewing.
Tested on my local machine. Post new review request but not publish. Access the urls (/r/<id>/, /r/<id>/diff, and so on) as another user.
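The access check discussed in this review request, sketched as an added example; it is not Review Board's code or the submitted patch. It assumes the `owner_required` name and the `perms` / `only_nonpublic` parameters mentioned in the review, uses stand-ins for Django's `Http404` and user object, and passes the user directly where a real Django view would read `request.user`.

```python
from functools import wraps

class Http404(Exception):
    """Stand-in for django.http.Http404 so the example runs without Django."""

class User:
    """Minimal stand-in for a Django user (hypothetical, for this example)."""
    def __init__(self, username, perms=()):
        self.username, self.perms = username, frozenset(perms)

    def has_perm(self, perm):
        return perm in self.perms

# Constructed sample data: review request id -> record.
REVIEW_REQUESTS = {
    1: {"submitter": "alice", "public": True},
    2: {"submitter": "alice", "public": False},  # unpublished draft
}

def owner_required(perms=(), only_nonpublic=False):
    """Decorator maker: admit the submitter, or a user holding every
    permission in `perms`. With only_nonpublic=True the check is applied
    only to unpublished review requests; published ones stay open.
    """
    def decorator(view):
        @wraps(view)
        def wrapper(user, review_request_id, *args, **kwargs):
            review_request = REVIEW_REQUESTS.get(review_request_id)
            if review_request is None:
                raise Http404("No such review request")
            restricted = not (only_nonpublic and review_request["public"])
            is_owner = user.username == review_request["submitter"]
            # all() of an empty list is True, so an empty `perms` must not
            # count as "has permission" or the check would fail open.
            has_perms = bool(perms) and all(user.has_perm(p) for p in perms)
            if restricted and not (is_owner or has_perms):
                # Same error as an unknown id: a draft's existence is not
                # disclosed to users who may not see it.
                raise Http404("No such review request")
            return view(user, review_request_id, *args, **kwargs)
        return wrapper
    return decorator

# "reviews.can_view_nonpublic" is a made-up permission name.
@owner_required(perms=("reviews.can_view_nonpublic",), only_nonpublic=True)
def review_detail(user, review_request_id):
    return "review request %d" % review_request_id
```

Because a denied draft and a nonexistent id raise the same error, a response cannot be used to tell which review request ids hold unpublished drafts.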