[#6460] Fixed security checks sometimes using incorrect roles

When doing a has_access() check for a given user against a given
artifact without explicitly specifying the project, c.project was being
used to get the list of user's roles instead of the artifact's project
attribute. If c.project was not the project to which the artifact
belonged, the the wrong set of role_ids were being used, resulting in
access being denied. It's a bit nonsensical to use an unrelated
project's role_ids to check access to an artifact, and this was breaking
notifications, which fire all pending notifications, regardless of the
context under which fire_ready() was called.

Signed-off-by: Cory Johns cjohns@slashdotmedia.com

Cory Johns Cory Johns 2013-07-29

Tim Van Steenburgh Tim Van Steenburgh 2013-07-31

changed Allura/allura/lib/security.py
changed Allura/allura/model/notification.py
changed Allura/allura/tests/model/test_notification.py
changed Allura/allura/tests/test_security.py
Allura/allura/lib/security.py Diff Switch to side-by-side view
Loading...
Allura/allura/model/notification.py Diff Switch to side-by-side view
Loading...
Allura/allura/tests/model/test_notification.py Diff Switch to side-by-side view
Loading...
Allura/allura/tests/test_security.py Diff Switch to side-by-side view
Loading...