← Back to team overview

launchpad-reviewers team mailing list archive

  1. launchpad-reviewers team
  2. Mailing list archive
  3. Message #29777

[Merge] ~lgp171188/launchpad:restrict-project-announcement-forms-to-legitimate-users into launchpad:master

  Thread PreviousDate PreviousThread Next 
Guruprasad has proposed merging ~lgp171188/launchpad:restrict-project-announcement-forms-to-legitimate-users into launchpad:master.

Commit message:
Restrict the 'Add announcement' form access to legitimate pillar owners

Also hide the 'Make announcement' link on the pillar's
'News and announcements' page.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~lgp171188/launchpad/+git/launchpad/+merge/439224
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~lgp171188/launchpad:restrict-project-announcement-forms-to-legitimate-users into launchpad:master.

diff --git a/lib/lp/registry/browser/announcement.py b/lib/lp/registry/browser/announcement.py
index 870e36c..0fdf84c 100644
--- a/lib/lp/registry/browser/announcement.py
+++ b/lib/lp/registry/browser/announcement.py
@@ -18,6 +18,7 @@ __all__ = [
 
 from zope.interface import Interface, implementer
 from zope.schema import Choice, TextLine
+from zope.security.interfaces import Unauthorized
 
 from lp import _
 from lp.app.browser.launchpadform import LaunchpadFormView, action
@@ -83,7 +84,10 @@ class AnnouncementMenuMixin:
     def announce(self):
         text = "Make announcement"
         summary = "Create an item of news for this project"
-        return Link("+announce", text, summary, icon="add")
+        link = Link("+announce", text, summary, icon="add")
+        if not current_user_can_announce(self.context):
+            link.enabled = False
+        return link
 
 
 class AnnouncementEditNavigationMenu(NavigationMenu, AnnouncementMenuMixin):
@@ -145,6 +149,11 @@ class AnnouncementAddView(LaunchpadFormView):
 
     custom_widget_publication_date = AnnouncementDateWidget
 
+    def initialize(self):
+        if not check_permission("launchpad.AnyLegitimatePerson", self.context):
+            raise Unauthorized
+        super().initialize()
+
     @action(_("Make announcement"), name="announce")
     def announce_action(self, action, data):
         """Registers a new announcement."""
diff --git a/lib/lp/registry/stories/announcements/xx-announcements.rst b/lib/lp/registry/stories/announcements/xx-announcements.rst
index dd9de2f..9161479 100644
--- a/lib/lp/registry/stories/announcements/xx-announcements.rst
+++ b/lib/lp/registry/stories/announcements/xx-announcements.rst
@@ -116,25 +116,69 @@ account with sufficient karma (config.launchpad.min_legitimate_karma).
     Traceback (most recent call last):
     ...
     zope.testbrowser.browser.LinkNotFoundError
+    >>> new_user_browser.open(
+    ...     "http://launchpad.test/new-product/+announcements";
+    ... )
+    >>> new_user_browser.getLink("Make announcement")
+    Traceback (most recent call last):
+    ...
+    zope.testbrowser.browser.LinkNotFoundError
 
     >>> new_user_browser.open("http://launchpad.test/new-distribution";)
     >>> new_user_browser.getLink("Make announcement")
     Traceback (most recent call last):
     ...
     zope.testbrowser.browser.LinkNotFoundError
+    >>> new_user_browser.open(
+    ...     "http://launchpad.test/new-distribution/+announcements";
+    ... )
+    >>> new_user_browser.getLink("Make announcement")
+    Traceback (most recent call last):
+    ...
+    zope.testbrowser.browser.LinkNotFoundError
 
     >>> new_user_browser.open("http://launchpad.test/new-project";)
     >>> new_user_browser.getLink("Make announcement")
     Traceback (most recent call last):
     ...
     zope.testbrowser.browser.LinkNotFoundError
-    >>> _ = config.pop("legitimate person")
+    >>> new_user_browser.open(
+    ...     "http://launchpad.test/new-project/+announcements";
+    ... )
+    >>> new_user_browser.getLink("Make announcement")
+    Traceback (most recent call last):
+    ...
+    zope.testbrowser.browser.LinkNotFoundError
+
+Only the users who can view the 'Make announcement' link can access the
+'Add announcement' form.
+
+    >>> new_user_browser.open("http://launchpad.test/new-product/+announce";)
+    Traceback (most recent call last):
+    ...
+    zope.security.interfaces.Unauthorized
+
+    >>> new_user_browser.open("http://launchpad.test/new-project/+announce";)
+    Traceback (most recent call last):
+    ...
+    zope.security.interfaces.Unauthorized
+
+    >>> new_user_browser.open(
+    ...     "http://launchpad.test/new-distribution/+announce";
+    ... )
+    Traceback (most recent call last):
+    ...
+    zope.security.interfaces.Unauthorized
 
     >>> priv_browser = setupBrowser(auth="Basic mark@xxxxxxxxxxx:test")
     >>> priv_browser.open("http://launchpad.test/ubuntu";)
     >>> link = priv_browser.getLink("Make announcement")
     >>> print(link.text)
     Make announcement
+    >>> link.click()
+    >>> print(priv_browser.url)
+    http://launchpad.test/ubuntu/+announce
+    >>> priv_browser.goBack()
 
     >>> priv_browser.getLink("Read all announcements").click()
     >>> link = priv_browser.getLink("Make announcement")
@@ -150,7 +194,11 @@ account with sufficient karma (config.launchpad.min_legitimate_karma).
     >>> link = priv_browser.getLink("Make announcement")
     >>> print(link.text)
     Make announcement
+    >>> link.click()
+    >>> print(priv_browser.url)
+    http://launchpad.test/firefox/+announce
 
+    >>> _ = config.pop("legitimate person")
 
 Following the action link takes you to a form where you can make the
 announcement:
  Thread PreviousDate PreviousThread Next