# HG changeset patch
# User Marcin Kuzminski
# Date 2019-11-07 12:21:42
# Node ID 573a10438909de53da30257099857f1c56509ad6
# Parent 0ec5af71cad117f55a1ff9dc53bb52d36a62366d
security: fixed issues with exposing repository names using global PR redirection link logic.
- Since redirect was created to repository which linked to the PR, users who didn't have permissions to those repos could still see the name in the url generated.

diff --git a/rhodecode/apps/admin/views/main_views.py b/rhodecode/apps/admin/views/main_views.py
--- a/rhodecode/apps/admin/views/main_views.py
+++ b/rhodecode/apps/admin/views/main_views.py
@@ -25,7 +25,7 @@
 from pyramid.view import view_config
 from rhodecode.apps._base import BaseAppView
 from rhodecode.lib import helpers as h
-from rhodecode.lib.auth import (LoginRequired, NotAnonymous)
+from rhodecode.lib.auth import (LoginRequired, NotAnonymous, HasRepoPermissionAny)
 from rhodecode.model.db import PullRequest
 
 
@@ -66,6 +66,13 @@ class AdminMainView(BaseAppView):
         pull_request_id = pull_request.pull_request_id
         repo_name = pull_request.target_repo.repo_name
 
+        # NOTE(marcink):
+        # check permissions so we don't redirect to repo that we don't have access to
+        # exposing it's name
+        target_repo_perm = HasRepoPermissionAny(
+            'repository.read', 'repository.write', 'repository.admin')(repo_name)
+        if not target_repo_perm:
+            raise HTTPNotFound()
         raise HTTPFound(
             h.route_path('pullrequest_show', repo_name=repo_name,
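Review bot: The new guard raises `HTTPNotFound()`, but this patch only adds `HasRepoPermissionAny` to the imports and no visible hunk brings `HTTPNotFound` into scope; if the module so far imported only `HTTPFound` from `pyramid.httpexceptions`, an unauthorized caller would hit a `NameError` (a 500) instead of the intended 404, so please confirm `HTTPNotFound` is already imported at the top of the file. Answering 404 rather than 403 is the right choice here, since a 403 on a PR-id-only URL would tell the caller that the PR exists even though the target repository name is withheld; that property only holds if the lookup path for an unknown `pull_request_id` (which sits above this hunk, outside the diff) also ends in a 404, which is worth stating in the comment, e.g. `# raise 404 (not 403) so an unauthorized caller cannot tell whether the PR exists`. The comment line `# exposing it's name` should read `# exposing its name`. The enclosing view method starts before the hunk and the `h.route_path(...)` call continues past its last line.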