##// END OF EJS Templates
pull-requests: security double check permissions on injected forms of source and target repositories.
ergo -
r2177:4abf28f1 default
parent child Browse files
Show More
@@ -36,7 +36,8 b' from rhodecode.lib import helpers as h, '
36 from rhodecode.lib.base import vcs_operation_context
36 from rhodecode.lib.base import vcs_operation_context
37 from rhodecode.lib.ext_json import json
37 from rhodecode.lib.ext_json import json
38 from rhodecode.lib.auth import (
38 from rhodecode.lib.auth import (
39 LoginRequired, HasRepoPermissionAnyDecorator, NotAnonymous, CSRFRequired)
39 LoginRequired, HasRepoPermissionAny, HasRepoPermissionAnyDecorator,
40 NotAnonymous, CSRFRequired)
40 from rhodecode.lib.utils2 import str2bool, safe_str, safe_unicode
41 from rhodecode.lib.utils2 import str2bool, safe_str, safe_unicode
41 from rhodecode.lib.vcs.backends.base import EmptyCommit, UpdateFailureReason
42 from rhodecode.lib.vcs.backends.base import EmptyCommit, UpdateFailureReason
42 from rhodecode.lib.vcs.exceptions import (CommitDoesNotExistError,
43 from rhodecode.lib.vcs.exceptions import (CommitDoesNotExistError,
@@ -772,6 +773,36 b' class RepoPullRequestsView(RepoAppView, '
772 source_db_repo = Repository.get_by_repo_name(_form['source_repo'])
773 source_db_repo = Repository.get_by_repo_name(_form['source_repo'])
773 target_db_repo = Repository.get_by_repo_name(_form['target_repo'])
774 target_db_repo = Repository.get_by_repo_name(_form['target_repo'])
774
775
776 # re-check permissions again here
777 # source_repo we must have read permissions
778
779 source_perm = HasRepoPermissionAny(
780 'repository.read',
781 'repository.write', 'repository.admin')(source_db_repo.repo_name)
782 if not source_perm:
783 msg = _('Not Enough permissions to source repo `{}`.'.format(
784 source_db_repo.repo_name))
785 h.flash(msg, category='error')
786 # copy the args back to redirect
787 org_query = self.request.GET.mixed()
788 raise HTTPFound(
789 h.route_path('pullrequest_new', repo_name=self.db_repo_name,
790 _query=org_query))
791
792 # target repo we must have write permissions, and also later on
793 # we want to check branch permissions here
794 target_perm = HasRepoPermissionAny(
795 'repository.write', 'repository.admin')(target_db_repo.repo_name)
796 if not target_perm:
797 msg = _('Not Enough permissions to target repo `{}`.'.format(
798 target_db_repo.repo_name))
799 h.flash(msg, category='error')
800 # copy the args back to redirect
801 org_query = self.request.GET.mixed()
802 raise HTTPFound(
803 h.route_path('pullrequest_new', repo_name=self.db_repo_name,
804 _query=org_query))
805
775 source_scm = source_db_repo.scm_instance()
806 source_scm = source_db_repo.scm_instance()
776 target_scm = target_db_repo.scm_instance()
807 target_scm = target_db_repo.scm_instance()
777
808
General Comments 0
You need to be logged in to leave comments. Login now