fix: don't check suspension for ownership changes

People can change comaintainer ownership to suspended users if they want to. Suspended users cannot login, so there is no breach of security here. It does make sense to allow ownership to be changed, imo. Closes #339 Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2022-03-08 17:49:21 -08:00 · 2022-03-08 17:49:21 -08:00 · 13217be939
commit 13217be939
parent e2a17fef95
3 changed files with 25 additions and 4 deletions
--- a/aurweb/scripts/notify.py
+++ b/aurweb/scripts/notify.py
@ -399,10 +399,7 @@ class ComaintainershipEventNotification(Notification):
        self._pkgbase = db.query(PackageBase.Name).filter(
            PackageBase.ID == pkgbase_id).first().Name

-        user = db.query(User).filter(
-            and_(User.ID == uid,
-                 User.Suspended == 0)
-        ).with_entities(
+        user = db.query(User).filter(User.ID == uid).with_entities(
            User.Email,
            User.LangPreference
        ).first()
--- a/aurweb/testing/email.py
+++ b/aurweb/testing/email.py
@ -37,6 +37,15 @@ class Email:
        if autoparse:
            self._parse()

+    @staticmethod
+    def reset() -> None:
+        # Cleanup all email files for this test suite.
+        prefix = Email.email_prefix(suite=True)
+        files = os.listdir(Email.TEST_DIR)
+        for file in files:
+            if file.startswith(prefix):
+                os.remove(os.path.join(Email.TEST_DIR, file))
+
    @staticmethod
    def email_prefix(suite: bool = False) -> str:
        """
--- a/test/test_notify.py
+++ b/test/test_notify.py
@ -299,6 +299,21 @@ You were removed from the co-maintainer list of {pkgbase.Name} [1].
    assert email.body == expected


+def test_suspended_ownership_change(user: User, pkgbases: List[PackageBase]):
+    with db.begin():
+        user.Suspended = 1
+
+    pkgbase = pkgbases[0]
+    notif = notify.ComaintainerAddNotification(user.ID, pkgbase.ID)
+    notif.send()
+    assert Email.count() == 1
+
+    Email.reset()  # Clear the Email pool
+    notif = notify.ComaintainerRemoveNotification(user.ID, pkgbase.ID)
+    notif.send()
+    assert Email.count() == 1
+
+
 def test_delete(user: User, user2: User, pkgbases: List[PackageBase]):
    pkgbase = pkgbases[0]
    notif = notify.DeleteNotification(user2.ID, pkgbase.ID)