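def initialize(self):
    """Redirect the request to the URL of the file in the Librarian.

    Raises:
        AssertionError: if the context file is restricted; restricted
            files are never served from this view.
        GoneError: if the file has been deleted (rendered as a 410).
    """
    # Refuse to serve restricted files.  We're not sure that no
    # restricted files are being leaked in the traversal hierarchy.
    # This guard used to be an ``assert``, which ``python -O`` strips;
    # raise explicitly so it cannot be compiled away.  The exception
    # type is kept so the surrounding error handling sees no change.
    # NOTE(review): a dedicated Unauthorized/NotFound-style error may be
    # more appropriate than AssertionError here -- confirm what the
    # error-reporting layer expects before changing the type.
    if self.context.restricted:
        raise AssertionError("Refusing to serve a restricted file.")
    # If the LFA is deleted, throw a 410.
    if self.context.deleted:
        raise GoneError("File deleted.")
    self.request.response.redirect(self.context.getURL())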
def test_ignored_exceptions_for_offsite_referer_not_reported(self):
    # A request carrying no HTTP_REFERER header is treated as off-site
    # traffic, so an otherwise-ignored exception produces no oops.
    reporting = ErrorReportingUtility()
    reporting._oops_config.publisher = None
    environ = {'SERVER_URL': 'http://launchpad.dev/fnord'}
    request = TestRequest(environ=environ)
    try:
        raise GoneError('fnord')
    except GoneError:
        report = reporting.raising(sys.exc_info(), request)
        self.assertEqual(None, report)
def test_ignored_exceptions_for_criss_cross_vhost_referer_reported(self):
    # A Launchpad referer pointing at a bad URL on another vhost is still
    # on-site traffic, so the exception is reported as an oops.
    reporting = ErrorReportingUtility()
    reporting._oops_config.publisher = None
    environ = {
        'SERVER_URL': 'http://bazaar.launchpad.dev/fnord',
        'HTTP_REFERER': 'http://launchpad.dev/snarf',
    }
    request = TestRequest(environ=environ)
    try:
        raise GoneError('fnord')
    except GoneError:
        report = reporting.raising(sys.exc_info(), request)
        self.assertNotEqual(None, report)
def test_ignored_exceptions_for_offsite_referer_reported(self):
    # When Launchpad itself is the referer for the failing URL, the
    # exception is reported as an oops even without any publisher.
    reporting = ErrorReportingUtility()
    del reporting._oops_config.publishers[:]
    environ = {
        'SERVER_URL': 'http://launchpad.dev/fnord',
        'HTTP_REFERER': 'http://launchpad.dev/snarf',
    }
    request = TestRequest(environ=environ)
    try:
        raise GoneError('fnord')
    except GoneError:
        report = reporting.raising(sys.exc_info(), request)
        self.assertNotEqual(None, report)
def test_GoneError(self):
    # A GoneError renders as the "Page gone" error page with a 410 status.
    gone = GoneError('User is suspended')
    view = create_view(gone, 'index.html')
    response = view.request.response
    self.assertEqual('Error: Page gone', view.page_title)
    self.assertEqual(410, response.getStatus())
def traverse(self, name):
    """Traverse one step below the Launchpad root.

    ``name`` is resolved, in order, as: a registered step-to utility;
    the logged-in user (``~``); a person or team (``~name``); the Bazaar
    application for XML-RPC requests; or a pillar looked up by name or
    alias.  Non-canonical spellings are redirected on GET and rejected
    with POSTToNonCanonicalURL on POST.  Returns None wherever nothing
    visible to the current user is found; presumably the caller turns
    that into a 404.
    """
    if name in self.stepto_utilities:
        return getUtility(self.stepto_utilities[name])
    if name == '~':
        person = getUtility(ILaunchBag).user
        if person is None:
            raise Unauthorized()
        # Keep the context and the subtree so that
        # bugs.l.n/~/+assignedbugs goes to the person's canonical
        # assigned list.  Status 302 rather than 301, presumably because
        # the target depends on who is logged in -- confirm.
        return self.redirectSubTree(
            canonical_url(self.context) + "~" + canonical_name(person.name),
            status=302)
    elif name.startswith('~'):
        # Allow traversal to ~foo for People.
        if canonical_name(name) != name:
            # (for instance, uppercase username?)
            if self.request.method == 'POST':
                raise POSTToNonCanonicalURL
            return self.redirectSubTree(
                canonical_url(self.context) + canonical_name(name),
                status=301)
        else:
            person = getUtility(IPersonSet).getByName(name[1:])
            if person is None:
                return person
            # Check to see if this is a team, and if so, whether the
            # logged in user is allowed to view the team, by virtue of
            # team membership or Launchpad administration.
            if (person.is_team
                    and not check_permission('launchpad.LimitedView', person)):
                return None
            # Only admins are permitted to see suspended users.
            # NOTE(review): for a caller without launchpad.Moderate the
            # outcome differs by account state -- GoneError for a
            # suspended account, None for a placeholder (the same as an
            # unknown name).  The existence of a suspended account is
            # therefore observable; confirm this disclosure is intended.
            if person.account_status == AccountStatus.SUSPENDED:
                if not check_permission('launchpad.Moderate', person):
                    raise GoneError(
                        'User is suspended: %s' % name)
            if person.account_status == AccountStatus.PLACEHOLDER:
                if not check_permission('launchpad.Moderate', person):
                    return None
            return person

    # Dapper and Edgy shipped with https://launchpad.net/bazaar hard coded
    # into the Bazaar Launchpad plugin (part of Bazaar core).  So in theory
    # we need to support this URL until 2011 (although I suspect the API
    # will break much sooner than that) or updates sent to
    # {dapper,edgy}-updates.  Probably all irrelevant, as I suspect the
    # number of people using the plugin in edgy and dapper is 0.
    if name == 'bazaar' and IXMLRPCRequest.providedBy(self.request):
        return getUtility(IBazaarApplication)

    # Account for common typing mistakes.  Note this branch passes
    # request=self.request to canonical_url while the ~ branches above
    # do not; whether that difference matters is not visible here.
    if canonical_name(name) != name:
        if self.request.method == 'POST':
            raise POSTToNonCanonicalURL
        return self.redirectSubTree(
            (canonical_url(self.context, request=self.request)
             + canonical_name(name)),
            status=301)

    # ignore_inactive=False: inactive pillars are looked up too, and the
    # visibility decision for them is made explicitly below.
    pillar = getUtility(IPillarNameSet).getByName(
        name, ignore_inactive=False)
    if pillar is None:
        return None
    if IProduct.providedBy(pillar):
        if not pillar.active:
            # Emergency brake for public but inactive products:
            # These products should not be shown to ordinary users.
            # The root problem is that many views iterate over products,
            # inactive products included, and access attributes like
            # name, displayname or call canonical_url(product) --
            # and finally throw the data away, if the product is
            # inactive.  So we cannot make these attributes inaccessible
            # for inactive public products.  On the other hand, we
            # require the permission launchpad.View to protect private
            # products.
            # This means that we cannot simply check if the current
            # user has the permission launchpad.View for an inactive
            # product.
            user = getUtility(ILaunchBag).user
            if user is None:
                return None
            user = IPersonRoles(user)
            if (not user.in_commercial_admin
                    and not user.in_admin
                    and not user.in_registry_experts):
                return None
    if check_permission('launchpad.LimitedView', pillar):
        if pillar.name != name:
            # This pillar was accessed through one of its aliases, so we
            # must redirect to its canonical URL.
            return self.redirectSubTree(
                canonical_url(pillar, self.request), status=301)
        return pillar
    return None