Merge pull request #863 from taigaio/issue/4679/comment-permission-isnt-working-for-external-users

Issue 4679: Comment permission isn't working for external users
2016-10-21 14:13:02 +02:00 · 2016-10-21 14:13:02 +02:00 · a7ca948ddc
parent bc726cbcda 6144100713
commit a7ca948ddc
5 changed files with 13 additions and 21 deletions
--- a/taiga/permissions/permissions.py
+++ b/taiga/permissions/permissions.py
@ -74,18 +74,10 @@ class CommentAndOrUpdatePerm(PermissionComponent):
        else:
            project = obj.project

-        data_keys = request.DATA.keys()
+        data_keys = set(request.DATA.keys()) - {"version"}
+        just_a_comment = data_keys == {"comment"}

-        if (not services.user_has_perm(request.user, self.comment_perm, project) and
-            "comment" in data_keys):
-                # User can't comment but there is a comment in the request
-                #raise exc.PermissionDenied(_("You don't have permissions to comment this."))
-                return False
+        if (just_a_comment and services.user_has_perm(request.user, self.comment_perm, project)):
+                return True

-        if (not services.user_has_perm(request.user, self.update_perm, project) and
-            len(data_keys - "comment")):
-                # User can't update but there is a change in the request
-                #raise exc.PermissionDenied(_("You don't have permissions to update this."))
-                return False
-
-        return True
+        return services.user_has_perm(request.user, self.update_perm, project)
--- a/tests/integration/resources_permissions/test_epics_resources.py
+++ b/tests/integration/resources_permissions/test_epics_resources.py
@ -58,7 +58,7 @@ def data():

    m.public_project = f.ProjectFactory(is_private=False,
                                        anon_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
-                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
+                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)) + ["comment_epic"],
                                        owner=m.project_owner,
                                        epics_csv_uuid=uuid.uuid4().hex)
    m.public_project = attach_project_extra_info(Project.objects.all()).get(id=m.public_project.id)
@ -550,7 +550,7 @@ def test_epic_patch_comment(client, data):
    with mock.patch.object(OCCResourceMixin, "_validate_and_update_version"):
        patch_data = json.dumps({"comment": "test comment", "version": data.public_epic.version})
        results = helper_test_http_method(client, 'patch', public_url, patch_data, users)
-        assert results == [401, 403, 403, 200, 200]
+        assert results == [401, 200, 200, 200, 200]

        patch_data = json.dumps({"comment": "test comment", "version": data.private_epic1.version})
        results = helper_test_http_method(client, 'patch', private_url1, patch_data, users)
--- a/tests/integration/resources_permissions/test_issues_resources.py
+++ b/tests/integration/resources_permissions/test_issues_resources.py
@ -62,7 +62,7 @@ def data():

    m.public_project = f.ProjectFactory(is_private=False,
                                        anon_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
-                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
+                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)) + ["comment_issue"],
                                        owner=m.project_owner,
                                        issues_csv_uuid=uuid.uuid4().hex)
    m.public_project = attach_project_extra_info(Project.objects.all()).get(id=m.public_project.id)
@ -592,7 +592,7 @@ def test_issue_patch_comment(client, data):
    with mock.patch.object(OCCResourceMixin, "_validate_and_update_version"):
        patch_data = json.dumps({"comment": "test comment", "version": data.public_issue.version})
        results = helper_test_http_method(client, 'patch', public_url, patch_data, users)
-        assert results == [401, 403, 403, 200, 200]
+        assert results == [401, 200, 200, 200, 200]

        patch_data = json.dumps({"comment": "test comment", "version": data.private_issue1.version})
        results = helper_test_http_method(client, 'patch', private_url1, patch_data, users)
--- a/tests/integration/resources_permissions/test_tasks_resources.py
+++ b/tests/integration/resources_permissions/test_tasks_resources.py
@ -58,7 +58,7 @@ def data():

    m.public_project = f.ProjectFactory(is_private=False,
                                        anon_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
-                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
+                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)) + ["comment_task"],
                                        owner=m.project_owner,
                                        tasks_csv_uuid=uuid.uuid4().hex)
    m.public_project = attach_project_extra_info(Project.objects.all()).get(id=m.public_project.id)
@ -556,7 +556,7 @@ def test_task_patch_comment(client, data):
    with mock.patch.object(OCCResourceMixin, "_validate_and_update_version"):
        patch_data = json.dumps({"comment": "test comment", "version": data.public_task.version})
        results = helper_test_http_method(client, 'patch', public_url, patch_data, users)
-        assert results == [401, 403, 403, 200, 200]
+        assert results == [401, 200, 200, 200, 200]

        patch_data = json.dumps({"comment": "test comment", "version": data.private_task1.version})
        results = helper_test_http_method(client, 'patch', private_url1, patch_data, users)
--- a/tests/integration/resources_permissions/test_userstories_resources.py
+++ b/tests/integration/resources_permissions/test_userstories_resources.py
@ -64,7 +64,7 @@ def data():
    m.public_points = f.PointsFactory()
    m.public_project = f.ProjectFactory(is_private=False,
                                        anon_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
-                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
+                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)) + ["comment_us"],
                                        owner=m.project_owner,
                                        userstories_csv_uuid=uuid.uuid4().hex,
                                        default_points=m.public_points)
@ -544,7 +544,7 @@ def test_user_story_patch_comment(client, data):
    with mock.patch.object(OCCResourceMixin, "_validate_and_update_version"):
        patch_data = json.dumps({"comment": "test comment", "version": data.public_user_story.version})
        results = helper_test_http_method(client, 'patch', public_url, patch_data, users)
-        assert results == [401, 403, 403, 200, 200]
+        assert results == [401, 200, 200, 200, 200]

        patch_data = json.dumps({"comment": "test comment", "version": data.private_user_story1.version})
        results = helper_test_http_method(client, 'patch', private_url1, patch_data, users)