Merge pull request #3269 from bgeuken/fix_2_8_issue

fix operating on wrong package build container for wipe, rebuild, abort
openSUSE · Jun 22, 2017 · b43efe6 · b43efe6
2 parents bb801d2 + c781251
commit b43efe6
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 7 deletions.
diff --git a/src/api/app/models/package.rb b/src/api/app/models/package.rb
@@ -1386,25 +1386,28 @@ def api_obj
     self
   end
 
+  #### WARNING: these operations run in build object, not this package object
   def rebuild(params)
-    backend_build_command(:rebuild, params.slice(:package, :arch, :repository))
+    backend_build_command(:rebuild, params[:project], params.slice(:package, :arch, :repository))
   end
 
   def wipe_binaries(params)
-    backend_build_command(:wipe, params.slice(:package, :arch, :repository))
+    backend_build_command(:wipe, params[:project], params.slice(:package, :arch, :repository))
   end
 
   def abort_build(params)
-    backend_build_command(:abortbuild, params.slice(:package, :arch, :repository))
+    backend_build_command(:abortbuild, params[:project], params.slice(:package, :arch, :repository))
   end
 
-  def backend_build_command(command, params)
+  def backend_build_command(command, build_project, params)
     begin
+      Project.find_by(name: build_project).check_write_access!
       # Note: This list needs to keep in sync with the backend code
       permitted_params = params.permit(:repository, :arch, :package, :code, :wipe)
 
-      Backend::Connection.post("/build/#{URI.escape(project.name)}?cmd=#{command}&#{permitted_params.to_h.to_query}")
-    rescue ActiveXML::Transport::Error, Timeout::Error => e
+      # do not use project.name because we missuse the package source container for build container operations
+      Backend::Connection.post("/build/#{URI.escape(build_project)}?cmd=#{command}&#{permitted_params.to_h.to_query}")
+    rescue ActiveXML::Transport::Error, Timeout::Error, Project::WritePermissionError => e
       errors.add(:base, e.message)
       return false
     end

diff --git a/src/api/spec/models/package_spec.rb b/src/api/spec/models/package_spec.rb
@@ -434,7 +434,7 @@
     let(:params) { ActionController::Parameters.new(arch: 'x86') }
     let(:backend_url) { "#{CONFIG['source_url']}/build/#{package.project.name}?cmd=rebuild&arch=x86" }
 
-    subject { package.backend_build_command(:rebuild, params) }
+    subject { package.backend_build_command(:rebuild, package.project.name, params) }
 
     context 'backend response is successful' do
       before { stub_request(:post, backend_url) }
@@ -447,6 +447,23 @@
 
       it { is_expected.to be_falsey }
     end
+
+    context 'user has no access rights for the project' do
+      let(:other_project) { create(:project) }
+
+      before do
+        # check_write_access! depends on the Rails env. We have to workaround this here.
+        allow(Rails.env).to receive(:test?).and_return false
+        # also check_write_access! relies on User.current
+        login(user)
+
+        allow(Backend::Connection).to receive(:post).never
+      end
+
+      subject { package.backend_build_command(:rebuild, other_project.name, params) }
+
+      it { is_expected.to be_falsey }
+    end
   end
 
   describe '#jobhistory_list' do