#2998 Notifications need to do permission checks against subscribers

v1.0.0
closed
General
nobody
2015-08-20
2011-10-13
No

When a notification goes out, we need to do a standard 'read' permission check on the artifact. For example, a non-developer could be subscribed to some ticket tool and shouldn't get private ticket notifications. Also an admin could change the permissions of the tool and then the subscriber shouldn't get any more notifications. You can test this by making a user an admin, so they get subscribed, then removing them from admin, then creating a private ticket.

This is needed for migration since we convert sfx project monitoring into notification subscriptions for all tools.
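A minimal model of the send-time check described above, as an added example that is not Allura's code. The role names, the ACL layout, and every class and function name are assumptions made for illustration, and the data is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Tool:
    read_roles: set                      # roles granted 'read' on the tool
    subscribers: set = field(default_factory=set)


@dataclass
class Ticket:
    tool: Tool
    read_roles: Optional[set] = None     # set only for private tickets


def can_read(roles_by_user, ticket, user):
    """'read' check using the user's roles and the ACLs as they are now."""
    roles = roles_by_user.get(user, set()) | {"anonymous"}
    acl = ticket.read_roles if ticket.read_roles is not None else ticket.tool.read_roles
    return bool(roles & acl)


def recipients_unchecked(roles_by_user, ticket):
    """Behaviour the ticket reports: every subscriber is mailed."""
    return sorted(ticket.tool.subscribers)


def recipients_checked(roles_by_user, ticket):
    """Requested behaviour: re-check 'read' per subscriber at send time."""
    return sorted(u for u in ticket.tool.subscribers
                  if can_read(roles_by_user, ticket, u))


def scenario():
    """Replays the ticket's test steps on constructed data."""
    roles = {"user01": {"admin"}, "dev01": {"developer"}, "guest01": set()}
    tool = Tool(read_roles={"anonymous"})
    tool.subscribers |= {"user01", "dev01", "guest01"}   # subscribed earlier
    private = Ticket(tool, read_roles={"admin", "developer"})
    as_admin = recipients_checked(roles, private)
    roles["user01"] = set()              # user01 removed from admin
    leaked = recipients_unchecked(roles, private)
    after_demotion = recipients_checked(roles, private)
    tool.read_roles = {"developer"}      # admin tightens the tool's permissions
    after_acl_change = recipients_checked(roles, Ticket(tool))
    return as_admin, leaked, after_demotion, after_acl_change


if __name__ == "__main__":
    print(scenario())
```

The subscription list never changes in this model; only the permission evaluation at delivery time decides who is mailed, which is why a stale subscription stops leaking private tickets.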

Discussion

  • Dave Brondsema

    Dave Brondsema - 2011-10-13
    • Description has changed:

    Diff:

    --- old 
    +++ new 
    @@ -1,4 +1,4 @@
    -When a notification goes out, we need to do a standard 'read' permission check on the artifact.  For example, a non-developer could be subscribed to some ticket tool and shouldn't get private ticket notifications.  Also an admin could change the permissions of the tool and then the subscriber shouldn't get any more notifications.
    +When a notification goes out, we need to do a standard 'read' permission check on the artifact.  For example, a non-developer could be subscribed to some ticket tool and shouldn't get private ticket notifications.  Also an admin could change the permissions of the tool and then the subscriber shouldn't get any more notifications.  You can test this by making a user an admin, so they get subscribed, then removing them from admin, then creating a private ticket.
    
     **This is needed for migration since we convert sfx project monitoring into notification subscriptions for all tools**
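    Review bot: The test procedure added at the end of the + line exercises only the role-removal case (make a user an admin, remove them from admin, create a private ticket). The same line also names two other cases, a non-developer subscribed to a ticket tool and an admin changing the permissions of the tool, and neither gets test steps. Suggest adding a step for each, for example changing the tool's permissions and confirming the subscriber gets no further notifications.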
    
     
  • Dave Brondsema

    Dave Brondsema - 2011-10-14
    • size: --> 2
     
    • status: open --> in-progress
    • assigned_to: Tim Van Steenburgh
     
    • status: in-progress --> code-review
    • assigned_to: Tim Van Steenburgh --> Dave Brondsema
     
  • forge:tv/2998

    On sandbox, make user01 an admin on a project. Then create a private ticket. User01 will get an email. Now remove user01 from admin. Update the ticket. User01 will not get an email.

    Also added new automated test.

    (env-allura)root@h6v6024:/var/local/allura/Allura(tv/2998)$ nosetests allura.tests.model.test_notification
    ...........
    ----------------------------------------------------------------------
    Ran 11 tests in 49.405s
    
    OK
    
     
  • Dave Brondsema

    Dave Brondsema - 2011-10-19
    • status: code-review --> closed
     
