Ignore a project link in BsRequestAction.check_action_permission!
This makes sure that we check the permissions of the correct package.

For instance, assume that the project "Staging" is a link project where the link points to the "Base" project. Also, assume that there exists a "Base/foo" package, but there exists no explicit "Staging/foo" package. Moreover, assume we check the permissions for the following "submit" action:

    <action type="submit">
      <source project="Staging" package="foo"/>
      <target project="an_arbitrary_project" package="foo"/>
    </action>

In this case, the old code checks if the request acceptor can modify the "Base/foo" package (since it follows the project link). This is wrong because the "Staging/foo" package would be turned into a branch during accept. The new code checks the correct package because it does not follow the project link and requires that the source package exists in the source project.

Requiring the existence of the source package potentially breaks artificial requests (for instance, a request where the "submit" action from above is preceded by a "submit" action that creates a "Staging/foo" package).

Note: so far I was unable to exploit the old code - so this is just to avoid a potential future headache.

Fixes: commit 990ef7c ("[api][webui] Check access to source package")
Showing with 5 additions and 2 deletions.
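
The lookup difference described in the commit message, as an added Ruby model that is not the project's code. The `PROJECTS` table, the `maintainers` lists and all method names are hypothetical and stand in for the real project, link and permission lookups.

```ruby
# Simplified, constructed model: two projects, one project link, one package.
PROJECTS = {
  "Base"    => { link: nil,    packages: ["foo"], maintainers: ["alice"] },
  "Staging" => { link: "Base", packages: [],      maintainers: ["bob"] }
}.freeze

class UnknownPackage < StandardError; end

# Find the project that actually contains the package.
# With follow_link: true the search continues into the linked project (old behaviour).
# With follow_link: false the package must exist in the named project (new behaviour).
def resolve_package(project, package, follow_link:)
  seen = []
  while project && !seen.include?(project) # guard against link cycles
    seen << project
    entry = PROJECTS.fetch(project) { raise UnknownPackage, "no project #{project}" }
    return project if entry[:packages].include?(package)
    project = follow_link ? entry[:link] : nil
  end
  raise UnknownPackage, "#{package} not found"
end

# Name of the package whose permissions the check ends up consulting.
def checked_source(project, package, follow_link:)
  owner = resolve_package(project, package, follow_link: follow_link)
  "#{owner}/#{package}"
end

# Permission check on the source package of a "submit" action.
def may_modify_source?(user, project, package, follow_link:)
  owner = resolve_package(project, package, follow_link: follow_link)
  PROJECTS[owner][:maintainers].include?(user)
end
```

With the link followed, the check for the source `Staging/foo` is answered from `Base/foo`; without it, the lookup fails because `Staging/foo` does not exist, which is the existence requirement the commit message mentions.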