If you create a blog post with project/tool permissions such that the public cannot read it, then the "feed" item is not created (see Feed.post method).
After that, if you go to delete or edit the blog post, it errors out because it tries to update the feed item also.
File '/var/local/allura/Allura/allura/lib/patches.py', line 80 in without_trailing_slash
  return func(*args, **kwargs)
File '/var/local/allura/ForgeBlog/forgeblog/main.py', line 413 in save
  self.post.commit()
File '/var/local/allura/ForgeBlog/forgeblog/model/blog.py', line 261 in commit
  feed_item.title = self.title
AttributeError: 'NoneType' object has no attribute 'title'

File '/var/local/allura/Allura/allura/lib/patches.py', line 80 in without_trailing_slash
  return func(*args, **kwargs)
File '/var/local/allura/ForgeBlog/forgeblog/main.py', line 405 in save
  self.post.delete()
File '/var/local/allura/ForgeBlog/forgeblog/model/blog.py', line 313 in delete
  self.feed_item().delete()
AttributeError: 'NoneType' object has no attribute 'delete'
Would be good to make sure the feed item gets created once possible. Not sure how realistic that is though, if the project permissions are the only thing that changes.

Change permission logic in Feed.post and trust that permission checks happen on the places feeds are shown?

Most usage of Feed for display is via FeedController which will be mounted on a tool, so project-level and tool-level security will be there and prevent public viewing of private things. Except for when the artifact itself is what is private (e.g. a private ticket).

Another part is the [[neighborhood_feeds]] macro. [e3bfcbbda3aff23680cf5c25496326aafd9d9788] originally did permission checks by creating all the Feed items and then filtering them by permission. It was reverted for unknown reasons and replaced with the permission check at create-time. There is also the [[neighborhood_blog_posts]] macro which doesn't use feeds and could potentially replace [[neighborhood_feeds]] in many cases.

To ensure private tickets and the [[neighborhood_feeds]] keep working how they are now, and for simplicity, I think we should just keep the current implementation of checking permissions at create-time.

Fixed on db/8167
Merged.
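
The failure mode discussed in this ticket, as an added illustration: it is not Allura's code and not the change merged on db/8167. `FeedStore`, `BlogPost`, the `public_readable` flag and the in-memory dict are assumptions standing in for `Feed.post`, the permission check and the database; the point is that a create-time check makes "no feed item" a normal state that `commit` and `delete` must handle.

```python
# Simplified stand-in model (assumption), not Allura's implementation.
class FeedStore:
    """In-memory feed that applies the permission check at create time."""

    def __init__(self):
        self.items = {}  # ref_id -> {"title": ..., "text": ...}

    def post(self, artifact):
        # Create-time check: nothing is stored unless the public can read it,
        # so every display path can show stored items without re-checking.
        if not artifact.public_readable:
            return None
        item = {"title": artifact.title, "text": artifact.text}
        self.items[artifact.ref_id] = item
        return item

    def get(self, ref_id):
        return self.items.get(ref_id)  # None when no item was ever created

    def delete(self, ref_id):
        return self.items.pop(ref_id, None) is not None


class BlogPost:
    def __init__(self, feed, ref_id, title, text, public_readable):
        self.feed, self.ref_id = feed, ref_id
        self.title, self.text = title, text
        self.public_readable = public_readable
        self.feed.post(self)

    def commit(self):
        item = self.feed.get(self.ref_id)
        if item is None:
            # The tracebacks above come from dereferencing this None.
            # Re-running post() re-applies the check, so the item appears
            # once the post has become publicly readable.
            return self.feed.post(self)
        if self.public_readable:  # same rule as at create time
            item.update(title=self.title, text=self.text)
        return item

    def delete(self):
        # A post that never had a feed item deletes cleanly.
        return self.feed.delete(self.ref_id)
```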