Launchpad itself

Merge lp:~cjwatson/launchpad/limit-faq-editing into lp:launchpad

limit-faq-editing
Merge into devel

Proposed by Colin Watson on 2016-08-23

Status:	Merged
Merged at revision:	18179
Proposed branch:	lp:~cjwatson/launchpad/limit-faq-editing
Merge into:	lp:launchpad
Diff against target:	88 lines (+15/-16) 4 files modified lib/lp/answers/stories/faq-edit.txt (+2/-3) lib/lp/answers/stories/question-edit.txt (+2/-2) lib/lp/answers/tests/test_faq.py (+7/-8) lib/lp/security.py (+4/-3)
To merge this branch:	bzr merge lp:~cjwatson/launchpad/limit-faq-editing
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Maximiliano Bertacchini (community)		Approve on 2016-08-23
Launchpad code reviewers	2016-08-23	Pending
Review via email: mp+303658@code.launchpad.net

Commit message

Prevent answer contacts from editing FAQs.

Description of the change

Prevent answer contacts from editing FAQs.

Revision history for this message

Maximiliano Bertacchini (maxiberta) wrote on 2016-08-23:

Looks good to me. Thanks

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Harpianto,ANDI

James Troup

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

1	=== modified file 'lib/lp/answers/stories/faq-edit.txt'
2	--- lib/lp/answers/stories/faq-edit.txt 2016-01-26 15:47:37 +0000
3	+++ lib/lp/answers/stories/faq-edit.txt 2016-08-23 08:24:12 +0000
4	@@ -4,9 +4,8 @@
5	FAQ. To do this, the user goes to the FAQ that they want to modify and
6	clicks the 'Edit FAQ' action.
7
8	-That action is only available to project owners and answer contacts.
9	-That's why the link doesn't appear for the anonymous user nor
10	-No Privileges Person:
11	+That action is only available to project owners. That's why the link doesn't
12	+appear for the anonymous user nor No Privileges Person:
13
14	>>> from lp.services.helpers import backslashreplace
15	>>> anon_browser.open('http://answers.launchpad.dev/firefox/+faq/7')
16
17	=== modified file 'lib/lp/answers/stories/question-edit.txt'
18	--- lib/lp/answers/stories/question-edit.txt 2015-12-01 05:26:11 +0000
19	+++ lib/lp/answers/stories/question-edit.txt 2016-08-23 08:24:12 +0000
20	@@ -2,8 +2,8 @@
21
22	To edit the title and description of question, one uses the 'Edit
23	Question' menu item. You need to be logged in to see the edit form, and
24	-only the question creator or an answer contact can change the title and
25	-description.
26	+only the question creator or an owner of the question target can change the
27	+title and description.
28
29	>>> anon_browser.open('http://launchpad.dev/firefox/+question/2')
30	>>> anon_browser.getLink('Edit question').click()
31
32	=== modified file 'lib/lp/answers/tests/test_faq.py'
33	--- lib/lp/answers/tests/test_faq.py 2015-03-16 00:04:39 +0000
34	+++ lib/lp/answers/tests/test_faq.py 2016-08-23 08:24:12 +0000
35	@@ -56,16 +56,16 @@
36	login_person(self.owner)
37	self.assertCanEdit(self.owner, self.faq)
38
39	- def test_direct_answer_contact_can_edit(self):
40	- # A direct answer contact for an FAQ target can edit its FAQs.
41	+ def test_direct_answer_contact_cannot_edit(self):
42	+ # A direct answer contact for an FAQ target cannot edit its FAQs.
43	direct_answer_contact = self.factory.makePerson()
44	login_person(direct_answer_contact)
45	self.addAnswerContact(direct_answer_contact)
46	- self.assertCanEdit(direct_answer_contact, self.faq)
47	+ self.assertCannotEdit(direct_answer_contact, self.faq)
48
49	- def test_indirect_answer_contact_can_edit(self):
50	+ def test_indirect_answer_contact_cannot_edit(self):
51	# A indirect answer contact (a member of a team that is an answer
52	- # contact) for an FAQ target can edit its FAQs.
53	+ # contact) for an FAQ target cannot edit its FAQs.
54	indirect_answer_contact = self.factory.makePerson()
55	direct_answer_contact = self.factory.makeTeam()
56	with person_logged_in(direct_answer_contact.teamowner):
57	@@ -73,11 +73,10 @@
58	indirect_answer_contact, direct_answer_contact.teamowner)
59	self.addAnswerContact(direct_answer_contact)
60	login_person(indirect_answer_contact)
61	- self.assertCanEdit(indirect_answer_contact, self.faq)
62	+ self.assertCannotEdit(indirect_answer_contact, self.faq)
63
64	def test_nonparticipating_user_cannot_edit(self):
65	- # A user that is neither an owner of, or answer contact for, an
66	- # FAQ target's cannot edit a its FAQs.
67	+ # A user that is not an owner of an FAQ target cannot edit its FAQs.
68	nonparticipant = self.factory.makePerson()
69	login_person(nonparticipant)
70	self.assertCannotEdit(nonparticipant, self.faq)
71
72	=== modified file 'lib/lp/security.py'
73	--- lib/lp/security.py 2016-08-23 03:49:28 +0000
74	+++ lib/lp/security.py 2016-08-23 08:24:12 +0000
75	@@ -2093,9 +2093,10 @@
76	usedfor = IFAQ
77
78	def checkAuthenticated(self, user):
79	- """Everybody who has launchpad.Append on the FAQ target is allowed.
80	- """
81	- return AppendFAQTarget(self.obj.target).checkAuthenticated(user)
82	+ """Allow only admins and owners of the FAQ target."""
83	+ return (
84	+ user.in_admin or user.in_registry_experts or
85	+ user.inTeam(self.obj.target.owner))
86
87
88	class DeleteFAQ(AuthorizationBase):