Revert "Limit visibility of unapproved packages to maintainers and approvers" and "Fix 404 on packages when not logged in"

This reverts commit 85a178d90e7ea654f456716a203388a1035048a4.
This reverts commit 727db52c19b6775972f9b5c073b26ce3c9e543bd.
rubenwardy 2022-02-01 14:53:51 +00:00
parent afdf06b3f6
commit f8e82b63e3
6 changed files with 8 additions and 34 deletions

@ -115,9 +115,6 @@ def getReleases(package):
@bp.route("/packages/<author>/<name>/") @bp.route("/packages/<author>/<name>/")
@is_package_page @is_package_page
def view(package): def view(package):
if not package.checkPerm(current_user, Permission.SEE_PACKAGE):
abort(404)
show_similar = not package.approved and ( show_similar = not package.approved and (
current_user in package.maintainers or current_user in package.maintainers or
package.checkPerm(current_user, Permission.APPROVE_NEW)) package.checkPerm(current_user, Permission.APPROVE_NEW))
@ -208,9 +205,6 @@ def shield(package, type):
@bp.route("/packages/<author>/<name>/download/") @bp.route("/packages/<author>/<name>/download/")
@is_package_page @is_package_page
def download(package): def download(package):
if not package.checkPerm(current_user, Permission.SEE_PACKAGE):
abort(404)
release = package.getDownloadRelease() release = package.getDownloadRelease()
if release is None: if release is None:
@ -593,9 +587,6 @@ def alias_create_edit(package: Package, alias_id: int = None):
@login_required @login_required
@is_package_page @is_package_page
def share(package): def share(package):
if not package.checkPerm(current_user, Permission.SEE_PACKAGE):
abort(404)
return render_template("packages/share.html", package=package, return render_template("packages/share.html", package=package,
tabs=get_package_tabs(current_user, package), current_tab="share") tabs=get_package_tabs(current_user, package), current_tab="share")
@ -603,9 +594,6 @@ def share(package):
@bp.route("/packages/<author>/<name>/similar/") @bp.route("/packages/<author>/<name>/similar/")
@is_package_page @is_package_page
def similar(package): def similar(package):
if not package.checkPerm(current_user, Permission.SEE_PACKAGE):
abort(404)
packages_modnames = {} packages_modnames = {}
for metapackage in package.provides: for metapackage in package.provides:
packages_modnames[metapackage] = Package.query.filter(Package.id != package.id, packages_modnames[metapackage] = Package.query.filter(Package.id != package.id,
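Review bot: Nothing visible in `view`, `download`, `share` or `similar` now stops a package that is not approved from being rendered or downloaded by a user who is neither a maintainer nor an approver, because the `SEE_PACKAGE` check is gone from each handler; the same holds for `list_releases`, `download_release` and `review` in the later file sections. Whether `is_package_page` filters on package state cannot be seen from these hunks, so that should be confirmed, ideally with a test that requests an unapproved package anonymously and asserts the expected status. If reachability by URL is intended, record it at `view` with a comment such as `# NOTE: unapproved packages are reachable by direct URL; visibility check reverted (see 85a178d90e)`. Each handler body continues outside its hunk.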

@ -33,9 +33,6 @@ from . import bp, get_package_tabs
@bp.route("/packages/<author>/<name>/releases/", methods=["GET", "POST"]) @bp.route("/packages/<author>/<name>/releases/", methods=["GET", "POST"])
@is_package_page @is_package_page
def list_releases(package): def list_releases(package):
if not package.checkPerm(current_user, Permission.SEE_PACKAGE):
abort(404)
return render_template("packages/releases_list.html", return render_template("packages/releases_list.html",
package=package, package=package,
tabs=get_package_tabs(current_user, package), current_tab="releases") tabs=get_package_tabs(current_user, package), current_tab="releases")
@ -111,9 +108,6 @@ def create_release(package):
@bp.route("/packages/<author>/<name>/releases/<id>/download/") @bp.route("/packages/<author>/<name>/releases/<id>/download/")
@is_package_page @is_package_page
def download_release(package, id): def download_release(package, id):
if not package.checkPerm(current_user, Permission.SEE_PACKAGE):
abort(404)
release = PackageRelease.query.get(id) release = PackageRelease.query.get(id)
if release is None or release.package != package: if release is None or release.package != package:
abort(404) abort(404)

@ -24,8 +24,7 @@ from flask_login import current_user, login_required
from flask_wtf import FlaskForm from flask_wtf import FlaskForm
from wtforms import * from wtforms import *
from wtforms.validators import * from wtforms.validators import *
from app.models import db, PackageReview, Thread, ThreadReply, NotificationType, PackageReviewVote, Package, UserRank, \ from app.models import db, PackageReview, Thread, ThreadReply, NotificationType, PackageReviewVote, Package, UserRank
Permission
from app.utils import is_package_page, addNotification, get_int_or_abort, isYes, is_safe_url, rank_required from app.utils import is_package_page, addNotification, get_int_or_abort, isYes, is_safe_url, rank_required
from app.tasks.webhooktasks import post_discord_webhook from app.tasks.webhooktasks import post_discord_webhook
@ -54,9 +53,6 @@ def review(package):
flash(gettext("You can't review your own package!"), "danger") flash(gettext("You can't review your own package!"), "danger")
return redirect(package.getURL("packages.view")) return redirect(package.getURL("packages.view"))
if not package.checkPerm(current_user, Permission.SEE_PACKAGE):
abort(404)
review = PackageReview.query.filter_by(package=package, author=current_user).first() review = PackageReview.query.filter_by(package=package, author=current_user).first()
form = ReviewForm(formdata=request.form, obj=review) form = ReviewForm(formdata=request.form, obj=review)

@ -599,7 +599,7 @@ class Package(db.Model):
def checkPerm(self, user, perm): def checkPerm(self, user, perm):
if not user.is_authenticated: if not user.is_authenticated:
return perm == Permission.SEE_PACKAGE and self.state == PackageState.APPROVED return False
if type(perm) == str: if type(perm) == str:
perm = Permission[perm] perm = Permission[perm]
@ -610,10 +610,7 @@ class Package(db.Model):
isMaintainer = isOwner or user.rank.atLeast(UserRank.EDITOR) or user in self.maintainers isMaintainer = isOwner or user.rank.atLeast(UserRank.EDITOR) or user in self.maintainers
isApprover = user.rank.atLeast(UserRank.APPROVER) isApprover = user.rank.atLeast(UserRank.APPROVER)
if perm == Permission.SEE_PACKAGE: if perm == Permission.CREATE_THREAD:
return self.state == PackageState.APPROVED or isMaintainer or isApprover
elif perm == Permission.CREATE_THREAD:
return user.rank.atLeast(UserRank.MEMBER) return user.rank.atLeast(UserRank.MEMBER)
# Members can edit their own packages, and editors can edit any packages # Members can edit their own packages, and editors can edit any packages
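Review bot: `checkPerm` still accepts `perm` as a string and resolves it with `Permission[perm]`, so with `SEE_PACKAGE` removed from the enum any caller left behind that passes `"SEE_PACKAGE"` (a template, for instance) would raise `KeyError` for a logged-in user instead of returning a boolean; a search for remaining uses is worth doing before merging. The anonymous branch now returns `False` for every permission, which deserves a comment on that line, e.g. `# Anonymous users hold no package permissions; page visibility is not decided here`. The method body continues past the end of the hunk, so the fall-through result for an unhandled permission is not visible.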

@ -59,7 +59,6 @@ class UserRank(enum.Enum):
class Permission(enum.Enum): class Permission(enum.Enum):
SEE_PACKAGE = "SEE_PACKAGE"
EDIT_PACKAGE = "EDIT_PACKAGE" EDIT_PACKAGE = "EDIT_PACKAGE"
DELETE_PACKAGE = "DELETE_PACKAGE" DELETE_PACKAGE = "DELETE_PACKAGE"
CHANGE_AUTHOR = "CHANGE_AUTHOR" CHANGE_AUTHOR = "CHANGE_AUTHOR"

@ -18,8 +18,7 @@
from functools import wraps from functools import wraps
from flask import abort, redirect, url_for, request from flask import abort, redirect, url_for, request
from flask_login import current_user from flask_login import current_user
from app.models import User, NotificationType, Package, UserRank, Notification, db, AuditSeverity, AuditLogEntry, \ from app.models import User, NotificationType, Package, UserRank, Notification, db, AuditSeverity, AuditLogEntry, ThreadReply, Thread, PackageState, PackageType, PackageAlias
ThreadReply, Thread, PackageState, PackageType, PackageAlias
def getPackageByInfo(author, name): def getPackageByInfo(author, name):
@ -40,15 +39,14 @@ def is_package_page(f):
if not ("author" in kwargs and "name" in kwargs): if not ("author" in kwargs and "name" in kwargs):
abort(400) abort(400)
author = kwargs.pop("author") author = kwargs["author"]
name = kwargs.pop("name") name = kwargs["name"]
package = getPackageByInfo(author, name) package = getPackageByInfo(author, name)
if package is None: if package is None:
package = getPackageByInfo(author, name + "_game") package = getPackageByInfo(author, name + "_game")
if package and package.type == PackageType.GAME: if package and package.type == PackageType.GAME:
args = dict(kwargs) args = dict(kwargs)
args["author"] = author
args["name"] = name + "_game" args["name"] = name + "_game"
return redirect(url_for(request.endpoint, **args)) return redirect(url_for(request.endpoint, **args))
@ -61,6 +59,8 @@ def is_package_page(f):
abort(404) abort(404)
del kwargs["author"]
del kwargs["name"]
return f(package=package, *args, **kwargs) return f(package=package, *args, **kwargs)
return decorated_function return decorated_function
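Review bot: The late `del kwargs["author"]` / `del kwargs["name"]` pair is easy to misread as leftover cleanup, and the reason for its position is not documented. It has to come after the `_game` redirect branch, because that branch copies `kwargs` and relies on `author` still being present when it calls `url_for`. I would add a comment above the two `del` lines, e.g. `# author/name stay in kwargs until here so the _game redirect above can rebuild the URL`. The condition guarding the `abort(404)` just before them lies outside the hunk, so what the decorator enforces about package state cannot be judged from here.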