Exemple #1
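 def initialize(self):
     """Redirect the request to the URL of the file in the Librarian.

     :raises AssertionError: the file is marked restricted.
     :raises GoneError: the file has been deleted.
     """
     # Refuse to serve restricted files. We're not sure that no
     # restricted files are being leaked in the traversal hierarchy.
     # This is an access-control decision, so it must not be an `assert`
     # statement: asserts are compiled out under `python -O`, which would
     # silently let restricted files through to the redirect below.
     # AssertionError is kept so callers see the same exception type.
     if self.context.restricted:
         raise AssertionError("Refusing to serve a restricted file.")
     # If the LFA is deleted, throw a 410.
     if self.context.deleted:
         raise GoneError("File deleted.")
     self.request.response.redirect(self.context.getURL())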
Exemple #2
 def test_ignored_exceptions_for_offsite_referer_not_reported(self):
     # A GoneError raised for a request that Launchpad did not refer
     # must not produce an OOPS report: raising() returns None.
     reporter = ErrorReportingUtility()
     reporter._oops_config.publisher = None
     # The environ deliberately carries no HTTP_REFERER header.
     environ = {'SERVER_URL': 'http://launchpad.dev/fnord'}
     unreferred_request = TestRequest(environ=environ)
     try:
         raise GoneError('fnord')
     except GoneError:
         report = reporter.raising(sys.exc_info(), unreferred_request)
         self.assertEqual(None, report)
Exemple #3
 def test_ignored_exceptions_for_criss_cross_vhost_referer_reported(self):
     # A GoneError is still reported as an OOPS when the referer is a
     # Launchpad URL on a different vhost from the one that failed.
     reporter = ErrorReportingUtility()
     reporter._oops_config.publisher = None
     environ = {
         'SERVER_URL': 'http://bazaar.launchpad.dev/fnord',
         'HTTP_REFERER': 'http://launchpad.dev/snarf',
     }
     cross_vhost_request = TestRequest(environ=environ)
     try:
         raise GoneError('fnord')
     except GoneError:
         report = reporter.raising(sys.exc_info(), cross_vhost_request)
         self.assertNotEqual(None, report)
 def test_ignored_exceptions_for_offsite_referer_reported(self):
     # A GoneError is reported as an OOPS when the failing URL was
     # referred by Launchpad itself.
     # NOTE: despite "offsite" in the test name, the referer used here is
     # on the same launchpad.dev host as SERVER_URL.
     reporter = ErrorReportingUtility()
     # Empty the configured publisher list in place.
     del reporter._oops_config.publishers[:]
     environ = {
         'SERVER_URL': 'http://launchpad.dev/fnord',
         'HTTP_REFERER': 'http://launchpad.dev/snarf',
     }
     referred_request = TestRequest(environ=environ)
     try:
         raise GoneError('fnord')
     except GoneError:
         report = reporter.raising(sys.exc_info(), referred_request)
         self.assertNotEqual(None, report)
Exemple #5
 def test_GoneError(self):
     # The view built for a GoneError is titled as a gone page and its
     # response carries HTTP status 410.
     gone = GoneError('User is suspended')
     error_view = create_view(gone, 'index.html')
     self.assertEqual('Error: Page gone', error_view.page_title)
     response = error_view.request.response
     self.assertEqual(410, response.getStatus())
Exemple #6
    def traverse(self, name):
        """Resolve one URL path segment, `name`, below this context.

        Depending on `name` this returns a registered utility, a person or
        team, a pillar, the result of `redirectSubTree()` to a canonical
        URL, or None. Several branches return None instead of the object
        when a permission check fails, so the order of the checks below is
        part of the access-control behaviour.

        :param name: the path segment being traversed.
        :raises Unauthorized: `~` was requested and the launch bag holds
            no user.
        :raises POSTToNonCanonicalURL: a POST was made to a name that is
            not in canonical form.
        :raises GoneError: the named person is suspended and the requester
            lacks launchpad.Moderate on them.
        """
        if name in self.stepto_utilities:
            return getUtility(self.stepto_utilities[name])

        if name == '~':
            # A bare '~' stands for the current user, so it cannot be
            # resolved when the launch bag holds no user.
            person = getUtility(ILaunchBag).user
            if person is None:
                raise Unauthorized()
            # Keep the context and the subtree so that
            # bugs.l.n/~/+assignedbugs goes to the person's canonical
            # assigned list.
            return self.redirectSubTree(
                canonical_url(self.context) + "~"
                + canonical_name(person.name),
                status=302)
        elif name.startswith('~'):  # Allow traversal to ~foo for People
            if canonical_name(name) != name:
                # (for instance, uppercase username?)
                # A POST is refused rather than redirected.
                # NOTE(review): presumably because the redirect would not
                # carry the POST body -- confirm.
                if self.request.method == 'POST':
                    raise POSTToNonCanonicalURL
                return self.redirectSubTree(
                    canonical_url(self.context) + canonical_name(name),
                    status=301)
            else:
                # Look the person up without the leading '~'.
                person = getUtility(IPersonSet).getByName(name[1:])
                if person is None:
                    # Unknown name: hand back None.
                    return person
                # Check to see if this is a team, and if so, whether the
                # logged in user is allowed to view the team, by virtue of
                # team membership or Launchpad administration.
                if (person.is_team and
                    not check_permission('launchpad.LimitedView', person)):
                    return None
                # Only admins are permitted to see suspended users.
                # The check actually made is launchpad.Moderate on the
                # person; who holds it is decided outside this method.
                # NOTE(review): this branch raises GoneError while the team
                # and placeholder branches return None, so a requester
                # without launchpad.Moderate gets a different answer for a
                # suspended account than for an unknown name -- confirm
                # that disclosing the account's existence is intended.
                if person.account_status == AccountStatus.SUSPENDED:
                    if not check_permission('launchpad.Moderate', person):
                        raise GoneError(
                            'User is suspended: %s' % name)
                # Placeholder accounts are reported as None to anyone
                # lacking launchpad.Moderate on them.
                if person.account_status == AccountStatus.PLACEHOLDER:
                    if not check_permission('launchpad.Moderate', person):
                        return None
                return person

        # Dapper and Edgy shipped with https://launchpad.net/bazaar hard coded
        # into the Bazaar Launchpad plugin (part of Bazaar core). So in theory
        # we need to support this URL until 2011 (although I suspect the API
        # will break much sooner than that) or updates sent to
        # {dapper,edgy}-updates. Probably all irrelevant, as I suspect the
        # number of people using the plugin in edgy and dapper is 0.
        if name == 'bazaar' and IXMLRPCRequest.providedBy(self.request):
            return getUtility(IBazaarApplication)

        # account for common typing mistakes
        # As in the '~' branch, a POST to a non-canonical name is refused
        # instead of being redirected.
        if canonical_name(name) != name:
            if self.request.method == 'POST':
                raise POSTToNonCanonicalURL
            return self.redirectSubTree(
                (canonical_url(self.context, request=self.request) +
                 canonical_name(name)),
                status=301)

        # NOTE(review): ignore_inactive=False presumably makes the lookup
        # return inactive pillars too; the product.active check below is
        # then what keeps them from ordinary users -- confirm.
        pillar = getUtility(IPillarNameSet).getByName(
            name, ignore_inactive=False)

        if pillar is None:
            return None

        if IProduct.providedBy(pillar):
            if not pillar.active:
                # Emergency brake for public but inactive products:
                # These products should not be shown to ordinary users.
                # The root problem is that many views iterate over products,
                # inactive products included, and access attributes like
                # name, displayname or call canonical_url(product) --
                # and finally throw the data away, if the product is
                # inactive. So we cannot make these attributes inaccessible
                # for inactive public products. On the other hand, we
                # require the permission launchpad.View to protect private
                # products.
                # This means that we cannot simply check if the current
                # user has the permission launchpad.View for an inactive
                # product.
                user = getUtility(ILaunchBag).user
                # With no user in the launch bag the inactive product is
                # never returned.
                if user is None:
                    return None
                user = IPersonRoles(user)
                # Only commercial admins, admins and registry experts get
                # past this point for an inactive product.
                if (not user.in_commercial_admin and not user.in_admin and
                    not user.in_registry_experts):
                    return None
        # Every pillar, active or not, is still gated on
        # launchpad.LimitedView; without it the result is None.
        if check_permission('launchpad.LimitedView', pillar):
            if pillar.name != name:
                # This pillar was accessed through one of its aliases, so we
                # must redirect to its canonical URL.
                return self.redirectSubTree(
                    canonical_url(pillar, self.request), status=301)
            return pillar
        return None