# HG changeset patch
# User Martin Bornhold
# Date 2016-09-19 13:33:46
# Node ID 910a0be068a665d5d4bd3de77f0d0d84606ba989
# Parent ed7b68ec2896e114c7f29e69a1e3144ed4dfcb41
vcs: Only allow 'pull' actions on shadow repositories.

We are exposing the shadow repositories of pull requests to allow easy CI integration or users to access the pull request shadow repo for investigating on it. But we don't want someone/something to push changes to a shadow repository.

diff --git a/rhodecode/lib/middleware/simplevcs.py b/rhodecode/lib/middleware/simplevcs.py
--- a/rhodecode/lib/middleware/simplevcs.py
+++ b/rhodecode/lib/middleware/simplevcs.py
@@ -285,6 +285,15 @@ class SimpleVCS(object):
 action = self._get_action(environ)
 # ======================================================================
+ # Check if this is a request to a shadow repository of a pull request.
+ # In this case only pull action is allowed.
+ # ======================================================================
+ if self.pr_id is not None and action != 'pull':
+ reason = 'Only pull action is allowed for shadow repositories.'
+ log.debug('User not allowed to proceed, %s', reason)
+ return HTTPNotAcceptable(reason)(environ, start_response)
+
+ # ======================================================================
 # CHECK ANONYMOUS PERMISSION
 # ======================================================================
 if action in ['pull', 'push']:
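Review bot: The new guard `if self.pr_id is not None and action != 'pull':` records a refused write only with `log.debug`, so rejected push attempts against shadow repositories will not show up at the usual production log level; something like `log.warning('Rejected %s on shadow repository of pull request %s', action, self.pr_id)` would leave an audit trail. Comparing against 'pull' is a fail-closed allowlist, which is the right shape, but the response is `HTTPNotAcceptable` (406, a content-negotiation status) where a 403 would describe the refusal accurately; that is worth changing if an `HTTPForbidden` class is already imported in this module, which the hunk does not show. The guard also runs before the anonymous-permission check that follows, so an unauthenticated client presumably receives the explanatory reason text; please confirm that is intended. The enclosing method begins and ends outside the hunk, so how `self.pr_id` is populated cannot be checked here.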