

[api][webui] Check access to source package
to make sure the user can write to it.

https://bugzilla.suse.com/show_bug.cgi?id=1094819

Signed-off-by: Christian Bruckmayer <cbruckmayer@suse.com>
Co-authored-by: Christian Bruckmayer <cbruckmayer@suse.com>
marcus-h and ChrisBr committed May 30, 2018
1 parent b15cf19 commit 990ef7c
Showing 2 changed files with 49 additions and 0 deletions.
20 changes: 20 additions & 0 deletions src/api/app/models/bs_request_action_submit.rb
Expand Up @@ -98,6 +98,26 @@ def execute_accept(opts)
Project.find_by_name!(self.target_project).update_product_autopackages
end

def check_action_permission!(skip_source = nil)
super(skip_source)
# only perform the following check, if we are called from
# BsRequest.permission_check_change_state! (that is, if
# skip_source is set to true). Always executing this check
# would be a regression, because this code is also executed
# if a new request is created (which could fail if User.current
# cannot modify the source_package).
return unless skip_source
target_project = Project.get_by_name(self.target_project)
return unless target_project && target_project.is_a?(Project)
target_package = target_project.packages.find_by_name(self.target_package)
initialize_devel_package = target_project.find_attribute('OBS', 'InitializeDevelPackage')
return if target_package || !initialize_devel_package
source_package = Package.get_by_project_and_name(source_project, self.source_package)
return if !source_package || User.current.can_modify_package?(source_package)
msg = 'No permission to initialize the source package as a devel package'
raise PostRequestNoPermission, msg
end

#### Alias of methods
end
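Review bot: The nil guard in `return if !source_package || User.current.can_modify_package?(source_package)` only has an effect if `Package.get_by_project_and_name` returns nil for a missing package; if it raises an unknown-object error instead (I cannot tell from the hunk), a submit whose source package has since been deleted would fail at accept time with that error rather than being skipped here, so the contract should be confirmed and, if needed, a nil-returning finder used. Separately, the local `target_project` in `target_project = Project.get_by_name(self.target_project)` shadows the action's own `target_project` attribute, which is why `self.` is required on some lines and not others; naming the local `project`, as in `project = Project.get_by_name(target_project)` and `return unless project.is_a?(Project)`, removes the ambiguity, and since `is_a?(Project)` already rejects nil the `target_project &&` half of the condition is redundant. The method is complete within the hunk; the enclosing class continues outside it.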

29 changes: 29 additions & 0 deletions src/api/test/functional/request_controller_test.rb
Expand Up @@ -2038,6 +2038,18 @@ def test_all_action_types
assert_no_xml_tag(tag: 'person', attributes: { userid: 'Iggy', role: 'maintainer' })
assert_no_xml_tag(tag: 'group', attributes: { groupid: 'test_group', role: 'reader' })

# Accept will fail because Fred does not have permissions on the source package
# which is required because of the InitializeDevelPackage attribute on kde4
login_fred
post "/request/#{id}?cmd=changestate&newstate=accepted"
assert_response 403
assert_match(/No permission to initialize the source package as a devel package/, @response.body)

# We need to set permissions on the source because of the InitializeDevelPackage attribute on kde4 project
login_king
put '/source/home:Iggy:branches:kde4/_meta', params: "<project name='home:Iggy:branches:kde4'><title/><description/><person userid='fred' role='maintainer'/></project>"
assert_response :success

# Successful accept the request
login_fred
post "/request/#{id}?cmd=changestate&newstate=accepted"
Expand Down Expand Up @@ -2142,6 +2154,21 @@ def test_submit_with_review
assert_xml_tag(tag: 'state', attributes: { name: 'review' },
parent: { tag: 'request' }) # switch to new after last review

# Accept will fail because adrian does not have permissions on the source
# which is required because of the InitializeDevelPackage attribute on kde4
post "/request/#{id}?cmd=changestate&newstate=accepted&force=1"
assert_response 403
assert_match(/No permission to initialize the source package as a devel package/, @response.body)

# Adding adrian as maintainoer of the source
login_Iggy
get '/source/home:Iggy/_meta'
iggy_meta = @response.body
put '/source/home:Iggy/_meta', params: "<project name='home:Iggy'><title/><description/><person userid='adrian' role='maintainer'/></project>"

assert_response :success

login_adrian
# approve accepted and check initialized devel package
post "/request/#{id}?cmd=changestate&newstate=accepted&force=1"
assert_response :success
Expand All @@ -2155,6 +2182,8 @@ def test_submit_with_review
assert_response :success
delete '/source/kde4/Testing'
assert_response :success
login_Iggy
put '/source/home:Iggy/_meta', params: iggy_meta
end

def test_reviewer_added_when_source_maintainer_is_missing
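Review bot: The restore of Iggy's project meta in the last hunk, `put '/source/home:Iggy/_meta', params: iggy_meta`, is not followed by `assert_response :success`, and it only runs if every assertion before it passes, so a failure midway would leave adrian as maintainer of home:Iggy for any later test that sees the same backend state; add `assert_response :success` after the restore and consider moving the restore into an `ensure`. The first hunk has the same shape: fred is added as maintainer of home:Iggy:branches:kde4 and that meta is never restored. The comment in the second hunk also has a typo, `maintainoer` should read `maintainer`. Both enclosing test methods begin outside these hunks.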

