From 13217be939278a483e77e46fd1e1dd5081d7a829 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Tue, 8 Mar 2022 17:49:21 -0800
Subject: [PATCH] fix: don't check suspension for ownership changes

People can change comaintainer ownership to suspended users if they want to. Suspended users cannot login, so there is no breach of security here. It does make sense to allow ownership to be changed, imo.
Closes #339
Signed-off-by: Kevin Morris
---
 aurweb/scripts/notify.py | 5 +----
 aurweb/testing/email.py | 9 +++++++++
 test/test_notify.py | 15 +++++++++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/aurweb/scripts/notify.py b/aurweb/scripts/notify.py
index c823b09e..dbef3aa5 100755
--- a/aurweb/scripts/notify.py
+++ b/aurweb/scripts/notify.py
@@ -399,10 +399,7 @@ class ComaintainershipEventNotification(Notification):
 self._pkgbase = db.query(PackageBase.Name).filter( PackageBase.ID == pkgbase_id).first().Name
- user = db.query(User).filter(
- and_(User.ID == uid,
- User.Suspended == 0)
- ).with_entities(
+ user = db.query(User).filter(User.ID == uid).with_entities(
 User.Email, User.LangPreference ).first()
diff --git a/aurweb/testing/email.py b/aurweb/testing/email.py
index c0be2797..b3e3990b 100644
--- a/aurweb/testing/email.py
+++ b/aurweb/testing/email.py
@@ -37,6 +37,15 @@ class Email:
 if autoparse: self._parse()
+ @staticmethod
+ def reset() -> None:
+ # Cleanup all email files for this test suite.
+ prefix = Email.email_prefix(suite=True)
+ files = os.listdir(Email.TEST_DIR)
+ for file in files:
+ if file.startswith(prefix):
+ os.remove(os.path.join(Email.TEST_DIR, file))
+
 @staticmethod
 def email_prefix(suite: bool = False) -> str:
 """
diff --git a/test/test_notify.py b/test/test_notify.py
index a8e994c5..2009e3a8 100644
--- a/test/test_notify.py
+++ b/test/test_notify.py
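Review bot: In aurweb/scripts/notify.py the rewritten lookup `db.query(User).filter(User.ID == uid)...first()` can still return None when `uid` matches no row, so dropping the `User.Suspended == 0` condition removes only one way of ending up with an empty result; the `.first().Name` on the PackageBase query just above has the same shape. The enclosing method starts and ends outside the hunk, but if it reads `user.Email` directly, a guard such as `if user is None: raise ValueError(f"unknown user id {uid}")` would fail in a controlled way. The change also means suspended accounts now receive these mails, which the commit message justifies by login being blocked; a comment next to the query, e.g. `# Suspended users are notified on purpose: they may still be comaintainers, see #339.`, would keep a later reader from restoring the filter.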
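Review bot: In aurweb/testing/email.py, `Email.reset()` calls `os.listdir(Email.TEST_DIR)` without checking that the directory exists, so a test that calls it before any mail has been written would presumably fail with FileNotFoundError instead of being a no-op (where TEST_DIR is created is not visible in this hunk). A guard like `if not os.path.isdir(Email.TEST_DIR): return` before the listing would cover that. The leading `#` comment would read better as a docstring, matching `email_prefix` directly below, e.g. `"""Remove all email files written by the current test suite."""`, and the loop variable `file` could be called `name`, since it holds a bare filename rather than a file object.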
@@ -299,6 +299,21 @@ You were removed from the co-maintainer list of {pkgbase.Name} [1].
 assert email.body == expected
+def test_suspended_ownership_change(user: User, pkgbases: List[PackageBase]):
+ with db.begin():
+ user.Suspended = 1
+
+ pkgbase = pkgbases[0]
+ notif = notify.ComaintainerAddNotification(user.ID, pkgbase.ID)
+ notif.send()
+ assert Email.count() == 1
+
+ Email.reset() # Clear the Email pool
+ notif = notify.ComaintainerRemoveNotification(user.ID, pkgbase.ID)
+ notif.send()
+ assert Email.count() == 1
+
+
 def test_delete(user: User, user2: User, pkgbases: List[PackageBase]):
 pkgbase = pkgbases[0]
 notif = notify.DeleteNotification(user2.ID, pkgbase.ID)
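Review bot: Both assertions in `test_suspended_ownership_change` check only `Email.count() == 1`, so the test would still pass if the notification were addressed to someone other than the suspended user or carried the wrong text. Since the behaviour under test is that a suspended account is still notified, it would be worth also asserting the recipient against `user.Email`, in the way the preceding test pins the content with `assert email.body == expected`. A one-line docstring such as `"""Suspended users still receive comaintainer add/remove notifications (#339)."""` would record why the suspension is set before sending.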