After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 614814 - [security] When browsing anonymously, non-public notebook names should not be visible
[security] When browsing anonymously, non-public notebook names should not be...
Status: RESOLVED FIXED
Product: snowy
Classification: Deprecated
Component: general
git master
Other Linux
: Normal major
: 0.2
Assigned To: Jeff Schroeder
snowy-maint
Depends on:
Blocks:
 
 
Reported: 2010-04-04 16:09 UTC by Sandy Armstrong
Modified: 2010-08-07 04:09 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
fix (2.34 KB, patch)
2010-08-04 03:53 UTC, Jeff Schroeder 		needs-work Details | Review
Proper fix (2.55 KB, patch)
2010-08-04 05:20 UTC, Jeff Schroeder 		needs-work Details | Review
Version 3 of the patch (3.21 KB, patch)
2010-08-05 02:17 UTC, Jeff Schroeder 		accepted-commit_now Details | Review
Same thing v4 (3.22 KB, patch)
2010-08-06 03:30 UTC, Jeff Schroeder 		needs-work Details | Review
v5 (3.23 KB, patch)
2010-08-06 03:43 UTC, Jeff Schroeder 		accepted-commit_now Details | Review

Description Sandy Armstrong 2010-04-04 16:09:51 UTC 
The sidebar shows all notebook names at the bottom, even if the current user does not have access to notes in those notebooks.
Comment 1 Jeff Schroeder 2010-08-04 03:53:14 UTC 
Created attachment 167082 [details] [review]
fix

Simple fix that adds a function which can easily be expanded in the future and a property which uses that function.

Also in the bugs/public-notebooks branch in my github:
http://github.com/SEJeff/snowy/commit/370bb92e1dc944637aedc602087f1d2a0da9c40c
Comment 2 Jeff Schroeder 2010-08-04 04:06:29 UTC 
Review of attachment 167082 [details] [review]:

Found a bug in this patch. It filters notebooks with 0 public notes when logged in as the author.
Comment 3 Jeff Schroeder 2010-08-04 05:20:47 UTC 
Created attachment 167086 [details] [review]
Proper fix

The logic is something like:
if NoteBooks.is_public or if NoteBook.author == request.user:
    show_notebook_in_sidebar()

django 1.2's smarter if tags obsolete the ifequal nastiness:
http://docs.djangoproject.com/en/1.2/releases/1.2/#new-in-1-2-smart-if
Comment 4 Jeff Schroeder 2010-08-04 05:28:55 UTC 
And new github commit:
http://github.com/SEJeff/snowy/commit/2ccfba7ba782fb393d5c4e1bf9395a4a8917f7b6
Comment 5 Brad Taylor 2010-08-04 12:36:55 UTC 
Review of attachment 167086 [details] [review]:

::: notes/models.py
@@ +91,3 @@
+        # This will need to be expanded once a more
+        # fine-grained permissions system is in place.
+        if filter(lambda note: note.permissions, self.note_set.all() ):

Hmm, this is going to have *ugly* performance implications.  Can you make this happen in a query, e.g.:

if self.note_set.all().filter(note__permissions_gt=0).count():

or somesuch?
Comment 6 Jeff Schroeder 2010-08-05 02:17:15 UTC 
Created attachment 167156 [details] [review]
Version 3 of the patch

This patch addresses brad's comment, adds the check to note_index.html as well, and separates out the shared template code to _display_notebooks.html.
Comment 7 Brad Taylor 2010-08-05 11:34:32 UTC 
Review of attachment 167156 [details] [review]:

In general, looks good.  Just one small nitpick:

::: notes/templates/notes/_display_notebooks.html
@@ +1,1 @@
+{% comment %}In the spirit of D.R.Y.{% endcomment %}

Let's name this file notebook_list_snippet.html to be similar to note_list_snippet.html.
Comment 8 Jeff Schroeder 2010-08-06 03:30:01 UTC 
Created attachment 167228 [details] [review]
Same thing v4

Round 4, fight!
Comment 9 Jeff Schroeder 2010-08-06 03:33:21 UTC 
Review of attachment 167228 [details] [review]:

Disregard and sorry for bugspam.
Comment 10 Jeff Schroeder 2010-08-06 03:43:11 UTC 
Created attachment 167229 [details] [review]
v5

Hopefully this is the final iteration
Comment 11 Brad Taylor 2010-08-06 12:27:38 UTC 
Review of attachment 167229 [details] [review]:

Make it so.
Comment 12 Jeff Schroeder 2010-08-07 04:09:09 UTC 
pushed in 437f26720d647e