#8167 errors when updating blog post, if feed item doesn't exist

v1.8.0
closed
None
General
nobody
2018-02-05
2017-10-06
No

If you create a blog post with project/tool permissions such that the public cannot read it, then the "feed" item is not created (see Feed.post method).

After that if you go to delete or edit the blog post, it errors out because it tries to do update the feed item also.

File '/var/local/allura/ForgeBlog/forgeblog/main.py', line 413 in save
  self.post.commit()
File '/var/local/allura/ForgeBlog/forgeblog/model/blog.py', line 261 in commit
  feed_item.title = self.title
AttributeError: 'NoneType' object has no attribute 'title'

File '/var/local/allura/Allura/allura/lib/patches.py', line 80 in without_trailing_slash
  return func(*args, **kwargs)
File '/var/local/allura/ForgeBlog/forgeblog/main.py', line 405 in save
  self.post.delete()
File '/var/local/allura/ForgeBlog/forgeblog/model/blog.py', line 313 in delete
  self.feed_item().delete()
AttributeError: 'NoneType' object has no attribute 'delete'
File '/var/local/allura/Allura/allura/lib/patches.py', line 80 in without_trailing_slash
  return func(*args, **kwargs)
File '/var/local/allura/ForgeBlog/forgeblog/main.py', line 413 in save
  self.post.commit()
File '/var/local/allura/ForgeBlog/forgeblog/model/blog.py', line 261 in commit
  feed_item.title = self.title
AttributeError: 'NoneType' object has no attribute 'title'

Discussion

  • Dave Brondsema

    Dave Brondsema - 2017-10-06

    Would be good to make sure the feed item gets created once possible. Not sure how realistic that is though, if the project permissions are the only thing that changes. Change permission logic in Feed.post and trust that permission checks happen on the places feeds are shown?

     
    • Dave Brondsema

      Dave Brondsema - 2017-10-09

      Most usage of Feed for display is via FeedController which will be mounted on a tool, so project-level and tool-level security will be there and prevent public viewing of private things. Except for when the artifact itself is what is private (e.g. a private ticket)

      Another part is the [[neighborhood_feeds]] macro. [e3bfcbbda3aff23680cf5c25496326aafd9d9788] originally did permission checks by creating all the Feed items and then filtering them by permission. It was reverted for unknown reasons and replaced with the permission check at create-time. There is also the [[neighborhood_blog_posts]] macro which doesn't use feeds and could potentially replace [[neighborhood_feeds]] in many cases.

      To ensure private tickets and the [[neighborhood_feeds]] keep working how they are now, and for simplicity, I think we should just keep the current implementation of checking permissions at create-time.

       
  • Dave Brondsema

    Dave Brondsema - 2017-10-09
    • status: open --> review
    • assigned_to: Dave Brondsema
     
  • Dave Brondsema

    Dave Brondsema - 2017-10-09

    Fixed on db/8167

     
  • Kenton Taylor

    Kenton Taylor - 2017-10-11
    • status: review --> closed
     
  • Kenton Taylor

    Kenton Taylor - 2017-10-11

    Merged.

     
  • Dave Brondsema

    Dave Brondsema - 2018-02-05
    • Milestone: unreleased --> v1.8.0
     

Log in to post a comment.