[api] fix and test permission handling on release action for projects…

…. checking now the target, not the source
openSUSE · Mar 11, 2014 · 67a48a7 · 67a48a7
1 parent 6d33afc
commit 67a48a7
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 16 deletions.
diff --git a/src/api/app/models/project.rb b/src/api/app/models/project.rb
@@ -1143,16 +1143,16 @@ def do_project_copy( params )
   def do_project_release( params )
     User.current ||= User.find_by_login(params[:user])
 
-    check_write_access!
-
     packages.each do |pkg|
       pkg.project.repositories.each do |repo|
         next if params[:repository] and params[:repository] != repo.name
         next if params[:targetproject] and params[:targetproject] != repo.releasetarget.project
         next if params[:targetreposiory] and params[:targetreposiory] != repo.releasetarget.repository
         repo.release_targets.each do |releasetarget|
+          releasetarget.target_repository.project.check_write_access!
+
           # release source and binaries
-          release_package(pkg, releasetarget.target_repository.project.name, pkg.name, repo)
+          release_package(pkg, releasetarget.target_repository.project.name, pkg.name, repo, nil, params[:setrelease], true)
         end
       end
     end

diff --git a/src/api/test/functional/source_controller_test.rb b/src/api/test/functional/source_controller_test.rb
@@ -2021,10 +2021,9 @@ def test_linktobranch
   end
 
   def test_release_project
-    # define release target
-    login_Iggy
-    # create and define manual release target
-    put '/source/home:Iggy:RT/_meta', "<project name='home:Iggy:RT'> <title/> <description/>
+    # create manual release target
+    login_adrian
+    put '/source/home:adrian:RT/_meta', "<project name='home:adrian:RT'> <title/> <description/>
           <repository name='rt'>
             <arch>i586</arch>
             <arch>x86_64</arch>
@@ -2034,6 +2033,7 @@ def test_release_project
 
     # workaround of testsuite breakage, database object gets restored during
     # request controller run, but backend part not
+    login_Iggy
     get '/source/home:Iggy/ToBeDeletedTestPack/_meta'
     assert_response :success
     put '/source/home:Iggy/ToBeDeletedTestPack/_meta', @response.body
@@ -2047,29 +2047,30 @@ def test_release_project
     orig_project_meta = @response.body
     doc = REXML::Document.new(@response.body)
     rt = doc.elements["/project/repository'"].add_element 'releasetarget'
-    rt.add_attribute REXML::Attribute.new('project', 'home:Iggy:RT')
+    rt.add_attribute REXML::Attribute.new('project', 'home:adrian:RT')
     rt.add_attribute REXML::Attribute.new('repository', 'rt')
     put '/source/home:Iggy/_meta', doc.to_s
     assert_response :success
 
     # try to release with incorrect trigger
+    login_adrian
     post '/source/home:Iggy?cmd=release', nil
     assert_response 403 # cmd_no_permissions
     assert_match(/Trigger is not set to manual in repository home:Iggy\/10.2/, @response.body)
 
     # add correct trigger
+    login_Iggy
     rt.add_attribute REXML::Attribute.new('trigger', 'manual')
     put '/source/home:Iggy/_meta', doc.to_s
     assert_response :success
 
     # this user is not allowed
-    login_adrian
     post '/source/home:Iggy?cmd=release', nil
     assert_response 403
     assert_xml_tag :tag => 'status', :attributes => { :code => 'cmd_execution_no_permission' }
 
     # release for real
-    login_Iggy
+    login_adrian
     post '/source/home:Iggy?cmd=release', nil
     assert_response :success
     assert_xml_tag :tag => 'status', :attributes => { :code => 'invoked' }
@@ -2083,7 +2084,7 @@ def test_release_project
     run_scheduler('i586')
 
     # verify result
-    get '/source/home:Iggy:RT'
+    get '/source/home:adrian:RT'
     assert_response :success
     assert_xml_tag :tag => 'entry', :attributes => { :name => 'TestPack' }
 
@@ -2092,15 +2093,16 @@ def test_release_project
     assert_response :success
     assert_xml_tag :tag => 'binarylist', :children => { :count => 4 }
 
-    get '/build/home:Iggy:RT/rt/i586/TestPack/'
+    get '/build/home:adrian:RT/rt/i586/TestPack/'
     assert_response :success
     assert_xml_tag :tag => 'binarylist', :children => { :count => 4 }
 
     # cleanup
     login_Iggy
     put '/source/home:Iggy/_meta', orig_project_meta
     assert_response :success
-    delete '/source/home:Iggy:RT'
+    login_adrian
+    delete '/source/home:adrian:RT'
     assert_response :success
   end
 
@@ -2109,7 +2111,7 @@ def test_release_package
     login_king
 
     login_adrian
-    # create and define manual release target
+    # define manual release target
     put '/source/home:adrian:RT/_meta', "<project name='home:adrian:RT'> <title/> <description/>
           <repository name='rt'>
             <arch>i586</arch>
@@ -2150,8 +2152,6 @@ def test_release_package
     assert_xml_tag :tag => 'status', :attributes => { :code => 'cmd_execution_no_permission' }
     assert_match(/no permission to write in project home:adrian:RT/, @response.body)
 
-
-
     # release for real
     login_adrian
     post '/source/home:Iggy/TestPack?cmd=release', nil