snuffster/szurubooru
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

server/posts: respect tag creating privilege

Browse source
This commit is contained in:
rr- 2016-08-02 12:44:38 +02:00
parent 67f803a2f2
commit 5092c2c587
5 changed files with 62 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
server/szurubooru/api/post_api.py
View file

@ -37,8 +37,10 @@ class PostListApi(BaseApi):
notes = ctx.get_param_as_list('notes', required=False) or [] notes = ctx.get_param_as_list('notes', required=False) or []
flags = ctx.get_param_as_list('flags', required=False) or [] flags = ctx.get_param_as_list('flags', required=False) or []
post = posts.create_post( post, new_tags = posts.create_post(
content, tag_names, None if anonymous else ctx.user) content, tag_names, None if anonymous else ctx.user)
if len(new_tags):
auth.verify_privilege(ctx.user, 'tags:create')
posts.update_post_safety(post, safety) posts.update_post_safety(post, safety)
posts.update_post_source(post, source) posts.update_post_source(post, source)
posts.update_post_relations(post, relations) posts.update_post_relations(post, relations)
@ -65,7 +67,9 @@ class PostDetailApi(BaseApi):
posts.update_post_content(post, ctx.get_file('content')) posts.update_post_content(post, ctx.get_file('content'))
if ctx.has_param('tags'): if ctx.has_param('tags'):
auth.verify_privilege(ctx.user, 'posts:edit:tags') auth.verify_privilege(ctx.user, 'posts:edit:tags')
posts.update_post_tags(post, ctx.get_param_as_list('tags')) new_tags = posts.update_post_tags(post, ctx.get_param_as_list('tags'))
if len(new_tags):
auth.verify_privilege(ctx.user, 'tags:create')
if ctx.has_param('safety'): if ctx.has_param('safety'):
auth.verify_privilege(ctx.user, 'posts:edit:safety') auth.verify_privilege(ctx.user, 'posts:edit:safety')
posts.update_post_safety(post, ctx.get_param_as_string('safety')) posts.update_post_safety(post, ctx.get_param_as_string('safety'))

5
server/szurubooru/func/posts.py
View file

@ -170,8 +170,8 @@ def create_post(content, tag_names, user):
db.session.flush() db.session.flush()
update_post_content(post, content) update_post_content(post, content)
update_post_tags(post, tag_names) new_tags = update_post_tags(post, tag_names)
return post return (post, new_tags)
def update_post_safety(post, safety): def update_post_safety(post, safety):
safety = util.flip(SAFETY_MAP).get(safety, None) safety = util.flip(SAFETY_MAP).get(safety, None)
@ -251,6 +251,7 @@ def generate_post_thumbnail(post):
def update_post_tags(post, tag_names): def update_post_tags(post, tag_names):
existing_tags, new_tags = tags.get_or_create_tags_by_names(tag_names) existing_tags, new_tags = tags.get_or_create_tags_by_names(tag_names)
post.tags = existing_tags + new_tags post.tags = existing_tags + new_tags
return new_tags
def update_post_relations(post, new_post_ids): def update_post_relations(post, new_post_ids):
old_posts = post.relations old_posts = post.relations

37
server/szurubooru/tests/api/test_post_creating.py
View file

@ -11,6 +11,7 @@ def inject_config(config_injector):
'privileges': { 'privileges': {
'posts:create:anonymous': db.User.RANK_REGULAR, 'posts:create:anonymous': db.User.RANK_REGULAR,
'posts:create:identified': db.User.RANK_REGULAR, 'posts:create:identified': db.User.RANK_REGULAR,
'tags:create': db.User.RANK_REGULAR,
}, },
}) })
@ -31,7 +32,7 @@ def test_creating_minimal_posts(
unittest.mock.patch('szurubooru.func.posts.serialize_post'), \ unittest.mock.patch('szurubooru.func.posts.serialize_post'), \
unittest.mock.patch('szurubooru.func.tags.export_to_json'), \ unittest.mock.patch('szurubooru.func.tags.export_to_json'), \
unittest.mock.patch('szurubooru.func.snapshots.save_entity_creation'): unittest.mock.patch('szurubooru.func.snapshots.save_entity_creation'):
posts.create_post.return_value = post posts.create_post.return_value = (post, [])
posts.serialize_post.return_value = 'serialized post' posts.serialize_post.return_value = 'serialized post'
result = api.PostListApi().post( result = api.PostListApi().post(
@ -75,7 +76,7 @@ def test_creating_full_posts(context_factory, post_factory, user_factory):
unittest.mock.patch('szurubooru.func.posts.serialize_post'), \ unittest.mock.patch('szurubooru.func.posts.serialize_post'), \
unittest.mock.patch('szurubooru.func.tags.export_to_json'), \ unittest.mock.patch('szurubooru.func.tags.export_to_json'), \
unittest.mock.patch('szurubooru.func.snapshots.save_entity_creation'): unittest.mock.patch('szurubooru.func.snapshots.save_entity_creation'):
posts.create_post.return_value = post posts.create_post.return_value = (post, [])
posts.serialize_post.return_value = 'serialized post' posts.serialize_post.return_value = 'serialized post'
result = api.PostListApi().post( result = api.PostListApi().post(
@ -120,7 +121,7 @@ def test_anonymous_uploads(
config_injector({ config_injector({
'privileges': {'posts:create:anonymous': db.User.RANK_REGULAR}, 'privileges': {'posts:create:anonymous': db.User.RANK_REGULAR},
}) })
posts.create_post.return_value = post posts.create_post.return_value = [post, []]
api.PostListApi().post( api.PostListApi().post(
context_factory( context_factory(
input={ input={
@ -152,7 +153,7 @@ def test_creating_from_url_saves_source(
'privileges': {'posts:create:identified': db.User.RANK_REGULAR}, 'privileges': {'posts:create:identified': db.User.RANK_REGULAR},
}) })
net.download.return_value = b'content' net.download.return_value = b'content'
posts.create_post.return_value = post posts.create_post.return_value = [post, []]
api.PostListApi().post( api.PostListApi().post(
context_factory( context_factory(
input={ input={
@ -183,7 +184,7 @@ def test_creating_from_url_with_source_specified(
'privileges': {'posts:create:identified': db.User.RANK_REGULAR}, 'privileges': {'posts:create:identified': db.User.RANK_REGULAR},
}) })
net.download.return_value = b'content' net.download.return_value = b'content'
posts.create_post.return_value = post posts.create_post.return_value = [post, []]
api.PostListApi().post( api.PostListApi().post(
context_factory( context_factory(
input={ input={
@ -222,9 +223,33 @@ def test_trying_to_omit_content(context_factory, user_factory):
}, },
user=user_factory(rank=db.User.RANK_REGULAR))) user=user_factory(rank=db.User.RANK_REGULAR)))
def test_trying_to_create_without_privileges(context_factory, user_factory): def test_trying_to_create_post_without_privileges(context_factory, user_factory):
with pytest.raises(errors.AuthError): with pytest.raises(errors.AuthError):
api.PostListApi().post( api.PostListApi().post(
context_factory( context_factory(
input='whatever', input='whatever',
user=user_factory(rank=db.User.RANK_ANONYMOUS))) user=user_factory(rank=db.User.RANK_ANONYMOUS)))
def test_trying_to_create_tags_without_privileges(
config_injector, context_factory, user_factory):
config_injector({
'privileges': {
'posts:create:anonymous': db.User.RANK_REGULAR,
'posts:create:identified': db.User.RANK_REGULAR,
'tags:create': db.User.RANK_ADMINISTRATOR,
},
})
with pytest.raises(errors.AuthError), \
unittest.mock.patch('szurubooru.func.posts.update_post_content'), \
unittest.mock.patch('szurubooru.func.posts.update_post_tags'):
posts.update_post_tags.return_value = ['new-tag']
api.PostListApi().post(
context_factory(
input={
'safety': 'safe',
'tags': ['tag1', 'tag2'],
},
files={
'content': posts.EMPTY_PIXEL,
},
user=user_factory(rank=db.User.RANK_REGULAR)))

22
server/szurubooru/tests/api/test_post_updating.py
View file

@ -141,7 +141,7 @@ def test_trying_to_update_non_existing(context_factory, user_factory):
('posts:edit:content', {'content': '...'}, {}), ('posts:edit:content', {'content': '...'}, {}),
('posts:edit:thumbnail', {'thumbnail': '...'}, {}), ('posts:edit:thumbnail', {'thumbnail': '...'}, {}),
]) ])
def test_trying_to_create_without_privileges( def test_trying_to_update_field_without_privileges(
config_injector, config_injector,
context_factory, context_factory,
post_factory, post_factory,
@ -162,3 +162,23 @@ def test_trying_to_create_without_privileges(
files=files, files=files,
user=user_factory(rank=db.User.RANK_ANONYMOUS)), user=user_factory(rank=db.User.RANK_ANONYMOUS)),
post.post_id) post.post_id)
def test_trying_to_create_tags_without_privileges(
config_injector, context_factory, post_factory, user_factory):
config_injector({
'privileges': {
'posts:edit:tags': db.User.RANK_REGULAR,
'tags:create': db.User.RANK_ADMINISTRATOR,
},
})
post = post_factory()
db.session.add(post)
db.session.flush()
with pytest.raises(errors.AuthError), \
unittest.mock.patch('szurubooru.func.posts.update_post_tags'):
posts.update_post_tags.return_value = ['new-tag']
api.PostDetailApi().put(
context_factory(
input={'tags': ['tag1', 'tag2']},
user=user_factory(rank=db.User.RANK_REGULAR)),
post.post_id)

2
server/szurubooru/tests/func/test_posts.py
View file

@ -190,7 +190,7 @@ def test_create_post(user_factory, fake_datetime):
unittest.mock.patch('szurubooru.func.posts.update_post_tags'), \ unittest.mock.patch('szurubooru.func.posts.update_post_tags'), \
fake_datetime('1997-01-01'): fake_datetime('1997-01-01'):
auth_user = user_factory() auth_user = user_factory()
post = posts.create_post('content', ['tag'], auth_user) post, new_tags = posts.create_post('content', ['tag'], auth_user)
assert post.creation_time == datetime.datetime(1997, 1, 1) assert post.creation_time == datetime.datetime(1997, 1, 1)
assert post.last_edit_time is None assert post.last_edit_time is None
posts.update_post_tags.assert_called_once_with(post, ['tag']) posts.update_post_tags.assert_called_once_with(post, ['tag'])