Don't allow unconfirmed users to trigger tokens through webui

Fixes #13261
openSUSE · Oct 24, 2022 · 0b6098e · 0b6098e
1 parent e77d1d2
commit 0b6098e
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/src/api/app/policies/token_policy.rb b/src/api/app/policies/token_policy.rb
@@ -44,6 +44,8 @@ def destroy?
   end
 
   def webui_trigger?
+    return false unless user.is_active?
+
     record.executor == user && !record.type.in?(['Token::Workflow', 'Token::Rss'])
   end
 

diff --git a/src/api/spec/policies/token_policy_spec.rb b/src/api/spec/policies/token_policy_spec.rb
@@ -5,6 +5,8 @@
   let(:user_token) { create(:rebuild_token, executor: token_user) }
   let(:group) { create(:group_with_user) }
   let(:other_user) { group.users.first }
+  let(:unconfirmed_user) { create(:user, state: 'unconfirmed') }
+  let(:token_of_unconfirmed_user) { create(:rebuild_token, executor: unconfirmed_user) }
 
   let(:workflow_token) { create(:workflow_token, executor: token_user) }
   let(:rss_token) { create(:rss_token, executor: token_user) }
@@ -24,6 +26,7 @@
 
   permissions :webui_trigger? do
     it { is_expected.not_to permit(token_user, workflow_token) }
+    it { is_expected.not_to permit(unconfirmed_user, token_of_unconfirmed_user) }
   end
 
   describe TokenPolicy::Scope do