# HG changeset patch
# User Marcin Lulek
# Date 2017-10-19 06:56:32
# Node ID 0bf8e4db69ca159cb51a2bbc47eb3c33e67c3a3d
# Parent d1b664006fba724b08dfa4475ab00ceeb9135bfb
pull-requests: security, prevent from injecting comments to other pull requests users don't have access to.
diff --git a/rhodecode/apps/repository/views/repo_pull_requests.py b/rhodecode/apps/repository/views/repo_pull_requests.py
--- a/rhodecode/apps/repository/views/repo_pull_requests.py
+++ b/rhodecode/apps/repository/views/repo_pull_requests.py
@@ -679,7 +679,8 @@ class RepoPullRequestsView(RepoAppView,
 repo = Repository.get_by_repo_name(target_repo_name)
 if not repo:
 raise HTTPNotFound()
- return PullRequestModel().generate_repo_data(repo, translator=self.request.translate)
+ return PullRequestModel().generate_repo_data(
+ repo, translator=self.request.translate)

 @LoginRequired()
 @NotAnonymous()
@@ -1081,6 +1082,13 @@ class RepoPullRequestsView(RepoAppView,
 log.debug('comment: forbidden because pull request is closed')
 raise HTTPForbidden()

+ allowed_to_comment = PullRequestModel().check_user_comment(
+ pull_request, self._rhodecode_user)
+ if not allowed_to_comment:
+ log.debug(
+ 'comment: forbidden because pull request is from forbidden repo')
+ raise HTTPForbidden()
+
 c = self.load_default_context()
 status = self.request.POST.get('changeset_status', None)
diff --git a/rhodecode/model/pull_request.py b/rhodecode/model/pull_request.py
--- a/rhodecode/model/pull_request.py
+++ b/rhodecode/model/pull_request.py
@@ -164,6 +164,10 @@ class PullRequestModel(BaseModel):
 pull_request.reviewers]
 return self.check_user_update(pull_request, user, api) or reviewer

+ def check_user_comment(self, pull_request, user):
+ owner = user.user_id == pull_request.user_id
+ return self.check_user_read(pull_request, user) or owner
+
 def get(self, pull_request):
 return self.__get_pull_request(pull_request)
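Review bot: The new guard in the comment view answers `HTTPForbidden` to a user who fails `check_user_comment`, which confirms to that user that the pull-request id exists even though they have no read access to it; the sibling lookup in the first hunk answers `HTTPNotFound` for an unresolvable target, and answering the same way here would avoid handing out that oracle, so consider `raise HTTPNotFound()` on the new branch unless a 403 is deliberately wanted. The debug message `'comment: forbidden because pull request is from forbidden repo'` overstates what was checked, since `check_user_comment` returns False for any failed read check, not only a repository-level one; `'comment: forbidden, user has no read access to pull request'` describes the condition actually tested. The enclosing view method begins and ends outside this hunk, so it is not visible here whether the `pull_request` being checked is loaded by id before the "closed" check; the guard is placed after that check and is therefore only as good as that earlier lookup. The commit touches only this view, so any other path that creates pull-request comments, such as an API method if one exists, would need the same guard.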
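Review bot: The `owner` short-circuit in `check_user_comment` lets a pull request's author keep posting comments after `check_user_read` denies them, for example once their permission on the repository has been revoked, so the check is weaker than the commit message suggests for that one user; if the author exception is not intended, `return self.check_user_read(pull_request, user)` is the stricter rule, and if it is intended the method needs a docstring saying so, such as `"""Return True if `user` may comment: read access to the pull request, or being its author."""`. The comparison `user.user_id == pull_request.user_id` assumes `user` exposes `user_id`, as the view's `_rhodecode_user` presumably does; `check_user_update` just above also accepts an `api` argument, and if `check_user_read` (not visible in this hunk) takes one as well, forwarding it here would keep the two helpers consistent. The enclosing class continues outside this hunk.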