From c725ef395c33e0cf8c29aea72ba89e43dd432e2b Mon Sep 17 00:00:00 2001 From: Victor Pereira Date: Wed, 19 Sep 2018 09:00:54 +0200 Subject: [PATCH] Refactor PackageController. Use pundit and enable `verify_authorized` To be able to add explict pundit verification via `verify_authorized` it was necessary to refactor the method `save_meta` which led to move some logic to `before_action` methods like `validate_xml` --- .../controllers/webui/package_controller.rb | 54 +++++++++---------- 1 file changed, 24 insertions(+), 30 deletions(-) diff --git a/src/api/app/controllers/webui/package_controller.rb b/src/api/app/controllers/webui/package_controller.rb index b09bbeb98b9..689ad6a5994 100644 --- a/src/api/app/controllers/webui/package_controller.rb +++ b/src/api/app/controllers/webui/package_controller.rb @@ -22,13 +22,15 @@ class Webui::PackageController < Webui::WebuiController before_action :require_package, only: [:show, :linking_packages, :dependency, :binary, :binaries, :requests, :statistics, :commit, :revisions, :submit_request_dialog, :add_person, :add_group, :rdiff, - :save, :delete_dialog, + :save, :save_meta, :delete_dialog, :remove, :add_file, :save_file, :remove_file, :save_person, :save_group, :remove_role, :view_file, :abort_build, :trigger_rebuild, :trigger_services, :wipe_binaries, :buildresult, :rpmlint_result, :rpmlint_log, :meta, :attributes, :edit, :files, :users, :binary_download] + before_action :validate_xml, only: [:save_meta] + before_action :require_repository, only: [:binary, :binary_download] before_action :require_architecture, only: [:binary, :binary_download] 
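Review bot: `before_action :validate_xml, only: [:save_meta]` is ordered after `require_package` but ahead of any authorization, since the only `authorize` for `save_meta` is the call inside the action body (hunk `@@ -978`); the caller-controlled `params[:meta]` is therefore schema-validated and parsed by `Xmlhash.parse` for every request that reaches the callback chain, authorized or not. If the point of adding `verify_authorized` is to fail closed, consider authorizing in a callback that runs before the parser, e.g. `before_action -> { authorize @package, :save_meta_update? }, only: [:save_meta]` placed between `require_package` and `validate_xml`, so unauthorized callers are rejected before their XML is processed. Whether a login requirement already runs earlier in `Webui::WebuiController` is not visible in this patch.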
@@ -45,6 +47,8 @@ class Webui::PackageController < Webui::WebuiController prepend_before_action :lockout_spiders, only: [:revisions, :dependency, :rdiff, :binary, :binaries, :requests, :binary_download] + after_action :verify_authorized, only: [:remove_file, :remove, :save_file, :abort_build, :trigger_rebuild, :wipe_binaries, :save_meta, :save, :abort_build] + def show if request.bot? params.delete(:rev) @@ -116,9 +120,7 @@ def dependency next if project_repositories.include?(params[repo_key]) flash[:error] = "Repository '#{params[repo_key]}' is invalid." redirect_back(fallback_location: project_show_path(project: @project.name)) - # rubocop:disable Lint/NonLocalExitFromIterator return - # rubocop:enable Lint/NonLocalExitFromIterator end @arch = params[:arch] @@ -602,10 +604,7 @@ def branch end def save - unless User.current.can_modify?(@package) - redirect_to action: :show, project: params[:project], package: params[:package], error: 'No permission to save' - return - end + authorize @package, :update? @package.title = params[:title] @package.description = params[:description] if @package.save 
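Review bot: `:abort_build` is listed twice in the new `after_action :verify_authorized` array; Rails tolerates the duplicate, but it should be removed so the list stays readable, e.g. `only: [:remove_file, :remove, :save_file, :abort_build, :trigger_rebuild, :wipe_binaries, :save_meta, :save]`. Because `verify_authorized` is an `after_action`, it runs once the action has already performed its side effects and is skipped when a `before_action` halts or the action raises, so it can only surface a forgotten `authorize` after the write happened; it is a development-time guard, not a runtime access control, and each listed action still needs a test asserting that an unauthorized user is rejected. Other mutating actions visible in the `require_package` list above (`trigger_services`, `add_file`, `save_person`, `save_group`, `remove_role`) are not covered by the guard; presumably they keep their legacy checks, but they are candidates for the same migration.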
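Review bot: Replacing the `User.current.can_modify?(@package)` guard in `save` with `authorize @package, :update?` changes the failure mode from a redirect carrying `error: 'No permission to save'` to a raised `Pundit::NotAuthorizedError`; whether that is rescued into a user-facing response depends on a `rescue_from` in the base controller that is not visible here, so please confirm it rather than letting it surface as a 500. It is also not visible whether `PackagePolicy#update?` enforces the same conditions as `User#can_modify?` (for instance any lock handling `can_modify?` may apply); if they differ, this hunk silently widens or narrows who may edit title and description. A comment on the `authorize` line such as `# PackagePolicy#update? must mirror the former User#can_modify? check` would at least record the assumption for the next reader.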
@@ -978,36 +977,23 @@ def meta def save_meta errors = [] - begin - Suse::Validator.validate('package', params[:meta]) - meta_xml = Xmlhash.parse(params[:meta]) - - # That's a valid XML file - if Package.exists_by_project_and_name(@project.name, params[:package], follow_project_links: false) - @package = Package.get_by_project_and_name(@project.name, params[:package], use_source: false, follow_project_links: false) - authorize @package, :update? + authorize @package, :save_meta_update? - if @package && !@package.disabled_for?('sourceaccess', nil, nil) && FlagHelper.xml_disabled_for?(meta_xml, 'sourceaccess') - errors << 'admin rights are required to raise the protection level of a package' - end + if FlagHelper.xml_disabled_for?(@meta_xml, 'sourceaccess') + errors << 'admin rights are required to raise the protection level of a package' + end - if meta_xml['project'] && meta_xml['project'] != @project.name - errors << 'project name in xml data does not match resource path component' - end + if @meta_xml['project'] && @meta_xml['project'] != @project.name + errors << 'project name in xml data does not match resource path component' + end - if meta_xml['name'] && meta_xml['name'] != @package.name - errors << 'package name in xml data does not match resource path component' - end - else - errors << "Package doesn't exists in that project." - end - rescue Suse::ValidationError => e - errors << e.message + if @meta_xml['name'] && @meta_xml['name'] != @package.name + errors << 'package name in xml data does not match resource path component' end if errors.empty? begin - @package.update_from_xml(meta_xml) + @package.update_from_xml(@meta_xml) flash.now[:success] = 'The Meta file has been successfully saved.' render layout: false, partial: 'layouts/webui/flash', object: flash rescue Backend::Error, NotFoundError => e 
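Review bot: The new sourceaccess check drops the `!@package.disabled_for?('sourceaccess', nil, nil)` precondition, so `errors << 'admin rights are required to raise the protection level of a package'` now fires for any meta containing a disabled `sourceaccess` flag, including an unchanged meta of a package that is already protected; unless `save_meta_update?` now covers that case (the policy is not visible), re-saving such a package's meta is rejected outright, and neither the old nor the new visible code has an admin bypass despite the message. Restoring the precondition keeps the error scoped to an actual raise of protection: `if !@package.disabled_for?('sourceaccess', nil, nil) && FlagHelper.xml_disabled_for?(@meta_xml, 'sourceaccess')`. Separately, the removed branch resolved the package with `follow_project_links: false` and `use_source: false`, whereas `@package` now comes from `require_package`, whose lookup options are not in this patch; if that helper follows project links, a meta save for a name that only exists through a link would act on the linked package in another project instead of failing with the old `"Package doesn't exists in that project."` message. `save_meta` continues past the end of this hunk.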
@@ -1037,6 +1023,14 @@ def binary_download private + def validate_xml + Suse::Validator.validate('package', params[:meta]) + @meta_xml = Xmlhash.parse(params[:meta]) + rescue Suse::ValidationError => error + flash.now[:error] = "Error while saving the Meta file: #{error}." + render layout: false, status: 400, partial: 'layouts/webui/flash', object: flash + end + def package_files(rev = nil, expand = nil) query = {} query[:expand] = expand if expand
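Review bot: `validate_xml` rescues only `Suse::ValidationError`, so a request without a `meta` parameter hands `nil` to `Suse::Validator.validate` and `Xmlhash.parse`; whatever those raise on `nil` is not a `ValidationError` and escapes as a 500 rather than the intended 400. Fetching the parameter with `params.require(:meta)` turns a missing or blank value into an `ActionController::ParameterMissing`, which Rails maps to 400 by default, e.g. `Suse::Validator.validate('package', params.require(:meta))` and `@meta_xml = Xmlhash.parse(params.require(:meta))`. The flash text interpolates the validator's message (`"Error while saving the Meta file: #{error}."`), which may echo fragments of the submitted XML, so make sure the `layouts/webui/flash` partial HTML-escapes `flash[:error]` (not visible here). Note also that this callback runs ahead of the `authorize` call in `save_meta`, so the validator and parser are exercised for callers who have not yet been authorized.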