Custom Query (1173 matches)

Results (193 - 195 of 1173)

Ticket Resolution Summary Owner Reporter
#5358 duplicate Tests failing in current master Christopher Allan Webber
Description

A number of tests are failing in current git master.

I'm going to try to investigate as soon as I can.

#5357 fixed ASCII typo on tour anongoblin
Description

http://mediagoblin.org/pages/tour.html

ACSII -> ASCII

#5356 fixed Can't GET another user's outbox ayleph
Description

When a pump client tries to GET the outbox of another user, the API always returns the outbox of the requesting user. The below patch addresses this issue.

From c5f40d03a2ae6dd5f5c8ea67e441d4711e052c35 Mon Sep 17 00:00:00 2001
From: ayleph <ayleph@thisshitistemp.com>
Date: Sat, 31 Oct 2015 04:18:44 -0400
Subject: [PATCH 2/2] Allow API client to GET another user's outbox

---
 mediagoblin/api/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mediagoblin/api/views.py b/mediagoblin/api/views.py
index 671c3b3..dcd04cd 100644
--- a/mediagoblin/api/views.py
+++ b/mediagoblin/api/views.py
@@ -565,9 +565,9 @@ def feed_endpoint(request, outbox=None):
 
     # Create outbox
     if outbox is None:
-        outbox = Activity.query.filter_by(actor=request.user.id)
+        outbox = Activity.query.filter_by(actor=requested_user.id)
     else:
-        outbox = outbox.filter_by(actor=request.user.id)
+        outbox = outbox.filter_by(actor=requested_user.id)
 
     # We want the newest things at the top (issue: #1055)
     outbox = outbox.order_by(Activity.published.desc())
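Review bot: `requested_user` is used in both branches of the `if outbox is None` block but is not defined anywhere in this hunk, so please confirm it is resolved from the request, with an unknown user rejected, on every path that reaches this point. With the actor filter no longer tied to `request.user.id`, these two queries become the only thing deciding what another client can read, and nothing visible here limits the result to activities meant to be public; if such a filter exists elsewhere in `feed_endpoint`, a short comment pointing to it would help, otherwise it should be added next to `filter_by(actor=requested_user.id)`. The diffstat shows only `mediagoblin/api/views.py` changing, so a test that GETs another user's outbox and checks the returned actor would be worth adding.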
-- 
2.6.2

I think this change is safe to make because:

  • There is already code to check that the requesting user and the requested user match for PUT/POST requests.
                # Check that the person trying to update the comment is
                # the author of the comment.
                if image.actor != request.user.id:
                    return json_error(
                        "Only uploader of image is able to update image.",
                        status=403
                    )
  • There is code which throws an error if a request other than PUT, POST, or GET is made.
    elif request.method != "GET":
        return json_error(
            "Unsupported HTTP method {0}".format(request.method),
            status=501
        )

So theoretically only a GET request should be able to pass through with the requested user not the same as the requesting user.
