Skip to content
Permalink
Browse files

Ignore a project link in BsRequestAction.check_action_permission!

This makes sure that we check the permissions of the correct package. For
instance, assume that the project "Staging" is a link project where the
link points to the "Base" project. Also, assume that there exists a
"Base/foo" package, but there exists no explicit "Staging/foo" package.
Moreover, assume we check the permissions for the following "submit"
action:

<action type="submit">
  <source project="Staging" package="foo"/>
  <target project="an_arbitrary_project" package="foo"/>
</action>

In this case, the old code checks if request acceptor can modify the
"Base/foo" package (since it follows the project link). This is wrong
because the "Staging/foo" package would be turned into a branch during
accept.
The new code checks the correct package because it does not follow the
project link and requires that the source package exists in the source
project. Requiring the existence of the source package potentially
breaks artificial requests (for instance, a request where the "submit"
action from above is preceded by a "submit" action that creates a
"Staging/foo" package).

Note: so far I was unable to exploit the old code - so this is just
to avoid a potential future headache.

Fixes: commit 990ef7c ("[api][webui] Check access to source package")
  • Loading branch information...
marcus-h authored and bgeuken committed Jul 5, 2018
1 parent de2ca28 commit f57b660f49f830006766a8d4abc3b4af6e178063
Showing with 5 additions and 2 deletions.
  1. +5 −2 src/api/app/models/bs_request_action_submit.rb
@@ -115,8 +115,11 @@ def check_action_permission!(skip_source = nil)
target_package = target_project.packages.find_by_name(self.target_package)
initialize_devel_package = target_project.find_attribute('OBS', 'InitializeDevelPackage')
return if target_package || !initialize_devel_package
source_package = Package.get_by_project_and_name(source_project, self.source_package)
return if !source_package || User.current.can_modify?(source_package)
opts = { follow_project_links: false }
source_package = Package.get_by_project_and_name!(source_project,
self.source_package,
opts)
return if User.current.can_modify?(source_package)
msg = 'No permission to initialize the source package as a devel package'
raise PostRequestNoPermission, msg
end

0 comments on commit f57b660

Please sign in to comment.
You can’t perform that action at this time.