def is_user_authorized(org_repo, other_repo):
"""Performs authorization check with only the minimum amount of
information needed for such a check, rather than a full command
object.
"""
if (h.HasRepoPermissionLevel('read')(org_repo.repo_name) and
h.HasRepoPermissionLevel('read')(other_repo.repo_name)):
return True
return False
def post(self, repo_name, pull_request_id):
pull_request = PullRequest.get_or_404(pull_request_id)
if pull_request.is_closed():
raise HTTPForbidden()
assert pull_request.other_repo.repo_name == repo_name
# only owner or admin can update it
owner = pull_request.owner_id == request.authuser.user_id
repo_admin = h.HasRepoPermissionLevel('admin')(c.repo_name)
if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):
raise HTTPForbidden()
_form = PullRequestPostForm()().to_python(request.POST)
cur_reviewers = set(pull_request.get_reviewer_users())
new_reviewers = set(_get_reviewer(s) for s in _form['review_members'])
old_reviewers = set(
_get_reviewer(s) for s in _form['org_review_members'])
other_added = cur_reviewers - old_reviewers
other_removed = old_reviewers - cur_reviewers
if other_added:
h.flash(
_('Meanwhile, the following reviewers have been added: %s') %
(', '.join(u.username for u in other_added)),
category='warning')
if other_removed:
h.flash(
_('Meanwhile, the following reviewers have been removed: %s') %
(', '.join(u.username for u in other_removed)),
category='warning')
if _form['updaterev']:
return self.create_new_iteration(pull_request, _form['updaterev'],
_form['pullrequest_title'],
_form['pullrequest_desc'],
new_reviewers)
added_reviewers = new_reviewers - old_reviewers - cur_reviewers
removed_reviewers = (old_reviewers - new_reviewers) & cur_reviewers
old_description = pull_request.description
pull_request.title = _form['pullrequest_title']
pull_request.description = _form['pullrequest_desc'].strip() or _(
'No description')
pull_request.owner = User.get_by_username(_form['owner'])
user = User.get(request.authuser.user_id)
PullRequestModel().mention_from_description(user, pull_request,
old_description)
PullRequestModel().add_reviewers(user, pull_request, added_reviewers)
PullRequestModel().remove_reviewers(user, pull_request,
removed_reviewers)
Session().commit()
h.flash(_('Pull request updated'), category='success')
raise HTTPFound(location=pull_request.url())
def delete_comment(self, repo_name, comment_id):
co = ChangesetComment.get_or_404(comment_id)
if co.repo.repo_name != repo_name:
raise HTTPNotFound()
owner = co.author_id == request.authuser.user_id
repo_admin = h.HasRepoPermissionLevel('admin')(repo_name)
if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
ChangesetCommentsModel().delete(comment=co)
Session().commit()
return True
else:
raise HTTPForbidden()
def delete_comment(self, repo_name, comment_id):
co = ChangesetComment.get(comment_id)
if co.pull_request.is_closed():
#don't allow deleting comments on closed pull request
raise HTTPForbidden()
owner = co.author_id == request.authuser.user_id
repo_admin = h.HasRepoPermissionLevel('admin')(c.repo_name)
if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
ChangesetCommentsModel().delete(comment=co)
Session().commit()
return True
else:
raise HTTPForbidden()
def delete_cs_pr_comment(repo_name, comment_id):
"""Delete a comment from a changeset or pull request"""
co = ChangesetComment.get_or_404(comment_id)
if co.repo.repo_name != repo_name:
raise HTTPNotFound()
if co.pull_request and co.pull_request.is_closed():
# don't allow deleting comments on closed pull request
raise HTTPForbidden()
owner = co.author_id == request.authuser.user_id
repo_admin = h.HasRepoPermissionLevel('admin')(repo_name)
if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
ChangesetCommentsModel().delete(comment=co)
Session().commit()
return True
else:
raise HTTPForbidden()
def create_cs_pr_comment(repo_name,
revision=None,
pull_request=None,
allowed_to_change_status=True):
"""
Add a comment to the specified changeset or pull request, using POST values
from the request.
Comments can be inline (when a file path and line number is specified in
POST) or general comments.
A comment can be accompanied by a review status change (accepted, rejected,
etc.). Pull requests can be closed or deleted.
Parameter 'allowed_to_change_status' is used for both status changes and
closing of pull requests. For deleting of pull requests, more specific
checks are done.
"""
assert request.environ.get('HTTP_X_PARTIAL_XHR')
if pull_request:
pull_request_id = pull_request.pull_request_id
else:
pull_request_id = None
status = request.POST.get('changeset_status')
close_pr = request.POST.get('save_close')
delete = request.POST.get('save_delete')
f_path = request.POST.get('f_path')
line_no = request.POST.get('line')
if (status or close_pr or delete) and (f_path or line_no):
# status votes and closing is only possible in general comments
raise HTTPBadRequest()
if not allowed_to_change_status:
if status or close_pr:
h.flash(_('No permission to change status'), 'error')
raise HTTPForbidden()
if pull_request and delete == "delete":
if (pull_request.owner_id == request.authuser.user_id
or h.HasPermissionAny('hg.admin')()
or h.HasRepoPermissionLevel('admin')(
pull_request.org_repo.repo_name)
or h.HasRepoPermissionLevel('admin')(
pull_request.other_repo.repo_name)
) and not pull_request.is_closed():
PullRequestModel().delete(pull_request)
Session().commit()
h.flash(_('Successfully deleted pull request %s') %
pull_request_id,
category='success')
return {
'location': h.url('my_pullrequests'), # or repo pr list?
}
raise HTTPForbidden()
text = request.POST.get('text', '').strip()
comment = ChangesetCommentsModel().create(
text=text,
repo=c.db_repo.repo_id,
author=request.authuser.user_id,
revision=revision,
pull_request=pull_request_id,
f_path=f_path or None,
line_no=line_no or None,
status_change=ChangesetStatus.get_status_lbl(status)
if status else None,
closing_pr=close_pr,
)
if status:
ChangesetStatusModel().set_status(
c.db_repo.repo_id,
status,
request.authuser.user_id,
comment,
revision=revision,
pull_request=pull_request_id,
)
if pull_request:
action = 'user_commented_pull_request:%s' % pull_request_id
else:
action = 'user_commented_revision:%s' % revision
action_logger(request.authuser, action, c.db_repo, request.ip_addr)
if pull_request and close_pr:
PullRequestModel().close_pull_request(pull_request_id)
action_logger(request.authuser,
'user_closed_pull_request:%s' % pull_request_id,
c.db_repo, request.ip_addr)
Session().commit()
data = {
'target_id': h.safeid(request.POST.get('f_path')),
}
if comment is not None:
c.comment = comment
data.update(comment.get_dict())
data.update({
'rendered_text':
render('changeset/changeset_comment_block.html')
})
return data
def comment(self, repo_name, pull_request_id):
pull_request = PullRequest.get_or_404(pull_request_id)
status = request.POST.get('changeset_status')
close_pr = request.POST.get('save_close')
delete = request.POST.get('save_delete')
f_path = request.POST.get('f_path')
line_no = request.POST.get('line')
if (status or close_pr or delete) and (f_path or line_no):
# status votes and closing is only possible in general comments
raise HTTPBadRequest()
allowed_to_change_status = self._get_is_allowed_change_status(pull_request)
if not allowed_to_change_status:
if status or close_pr:
h.flash(_('No permission to change pull request status'), 'error')
raise HTTPForbidden()
if delete == "delete":
if (pull_request.owner_id == request.authuser.user_id or
h.HasPermissionAny('hg.admin')() or
h.HasRepoPermissionLevel('admin')(pull_request.org_repo.repo_name) or
h.HasRepoPermissionLevel('admin')(pull_request.other_repo.repo_name)
) and not pull_request.is_closed():
PullRequestModel().delete(pull_request)
Session().commit()
h.flash(_('Successfully deleted pull request %s') % pull_request_id,
category='success')
return {
'location': url('my_pullrequests'), # or repo pr list?
}
raise HTTPFound(location=url('my_pullrequests')) # or repo pr list?
raise HTTPForbidden()
text = request.POST.get('text', '').strip()
comment = create_comment(
text,
status,
pull_request_id=pull_request_id,
f_path=f_path,
line_no=line_no,
closing_pr=close_pr,
)
action_logger(request.authuser,
'user_commented_pull_request:%s' % pull_request_id,
c.db_repo, request.ip_addr)
if status:
ChangesetStatusModel().set_status(
c.db_repo.repo_id,
status,
request.authuser.user_id,
comment,
pull_request=pull_request_id
)
if close_pr:
PullRequestModel().close_pull_request(pull_request_id)
action_logger(request.authuser,
'user_closed_pull_request:%s' % pull_request_id,
c.db_repo, request.ip_addr)
Session().commit()
if not request.environ.get('HTTP_X_PARTIAL_XHR'):
raise HTTPFound(location=pull_request.url())
data = {
'target_id': h.safeid(h.safe_unicode(request.POST.get('f_path'))),
}
if comment is not None:
c.comment = comment
data.update(comment.get_dict())
data.update({'rendered_text':
render('changeset/changeset_comment_block.html')})
return data