Fix some security assertions and tests.

Fix some security assertions in mailgw to only assert Edit permissions if
the user is editing an existing db node. If not then check Create.

Fix some tests that were broken by the new assertions, the Create ->
Register change and finally for the new "not registered" message.

Author: Richard Jones

CHANGES.txt

@@ -1,7 +1,7 @@
 This file contains the changes to the Roundup system over time. The entries
 are given with the most recent entry first.
 
-2009-XX-XX 1.4.XX (rXXXX)
+2009-12-XX 1.4.11 (rXXXX)
 
 Features:
 - Generic class editor may now restore retired items (thanks Ralf Hemmecke)

roundup/mailgw.py

@@ -1296,8 +1296,8 @@ def pgp_role():
         #
         # handle the attachments
         #
-        if properties.has_key('files'):
-            files = []
+        files = []
+        if attachments and properties.has_key('files'):
             for (name, mime_type, data) in attachments:
                 if not self.db.security.hasPermission('Create', author, 'file'):
                     raise Unauthorized, _(
@@ -1311,8 +1311,8 @@ def pgp_role():
                     pass
                 else:
                     files.append(fileid)
-            # attach the files to the issue
-            if not self.db.security.hasPermission('Edit', author,
+            # allowed to attach the files to an existing node?
+            if nodeid and not self.db.security.hasPermission('Edit', author,
                     classname, 'files'):
                 raise Unauthorized, _(
                     'You are not permitted to add files to %(classname)s.'
@@ -1345,8 +1345,8 @@ def pgp_role():
 Mail message was rejected by a detector.
 %(error)s
 """) % locals()
-            # attach the message to the node
-            if not self.db.security.hasPermission('Edit', author,
+            # allowed to attach the message to the existing node?
+            if nodeid and not self.db.security.hasPermission('Edit', author,
                     classname, 'messages'):
                 raise Unauthorized, _(
                     'You are not permitted to add messages to %(classname)s.'
@@ -1372,16 +1372,21 @@ def pgp_role():
                 if not props.has_key(prop) :
                     props[prop] = issue_props[prop]
 
-            # Check permissions for each property
-            for prop in props.keys():
-                if not self.db.security.hasPermission('Edit', author,
-                        classname, prop):
-                    raise Unauthorized, _('You are not permitted to edit '
-                        'property %(prop)s of class %(classname)s.') % locals()
-
             if nodeid:
+                # Check permissions for each property
+                for prop in props.keys():
+                    if not self.db.security.hasPermission('Edit', author,
+                            classname, prop):
+                        raise Unauthorized, _('You are not permitted to edit '
+                            'property %(prop)s of class %(classname)s.') % locals()
                 cl.set(nodeid, **props)
             else:
+                # Check permissions for each property
+                for prop in props.keys():
+                    if not self.db.security.hasPermission('Create', author,
+                            classname, prop):
+                        raise Unauthorized, _('You are not permitted to set '
+                            'property %(prop)s of class %(classname)s.') % locals()
                 nodeid = cl.create(**props)
         except (TypeError, IndexError, ValueError, exceptions.Reject), message:
             raise MailUsageError, _("""

test/db_test_base.py

@@ -113,6 +113,9 @@ def setupSchema(db, create, module):
         priority.create(name="bug", order="1")
     db.commit()
 
+    # nosy tests require this
+    db.security.addPermissionToRole('User', 'View', 'msg')
+
 class MyTestCase(unittest.TestCase):
     def tearDown(self):
         if hasattr(self, 'db'):

test/test_mailgw.py

@@ -1046,7 +1046,7 @@ def hook (db, **kw):
             # Add Web Access role to anonymous, and try again to make sure
             # we get a "please register at:" message this time.
             p = [
-                db.security.getPermission('Create', 'user'),
+                db.security.getPermission('Register', 'user'),
                 db.security.getPermission('Web Access', None),
             ]
             db.security.role['anonymous'].permissions=p
@@ -1078,7 +1078,7 @@ def hook (db, **kw):
             ''' set up callback for db open '''
             # now with the permission
             p = [
-                db.security.getPermission('Create', 'user'),
+                db.security.getPermission('Register', 'user'),
                 db.security.getPermission('Email Access', None),
             ]
             db.security.role['anonymous'].permissions=p
@@ -1088,7 +1088,7 @@ def hook (db, **kw):
         m.sort()
         self.assertNotEqual(l, m)
 
-    def testNewUserAuthorHighBit(self):
+    def testNewUserAuthorEncodedName(self):
         l = set(self.db.user.list())
         # From: name has Euro symbol in it
         message = '''Content-Type: text/plain;
@@ -1103,10 +1103,12 @@ def testNewUserAuthorHighBit(self):
         def hook (db, **kw):
             ''' set up callback for db open '''
             p = [
-                db.security.getPermission('Create', 'user'),
+                db.security.getPermission('Register', 'user'),
                 db.security.getPermission('Email Access', None),
+                db.security.getPermission('Create', 'issue'),
+                db.security.getPermission('Create', 'msg'),
             ]
-            db.security.role['anonymous'].permissions=p
+            db.security.role['anonymous'].permissions = p
         self.instance.schema_hook = hook
         self._handle_mail(message)
         m = set(self.db.user.list())
@@ -1153,7 +1155,11 @@ def testUnknownUser(self):
 
 
 
-You are not a registered user.
+You are not a registered user. Please register at:
+
+http://tracker.example/cgi-bin/roundup.cgi/bugs/user?template=register
+
+...before sending mail to the tracker.
 
 Unknown address: [email protected]