rhodecode-enterprise-ce Commit - r2177:4abf28f1

pull-requests: security double check permissions on injected forms of source and target repositories.

ergo -

r2177:4abf28f1 default

parent child

rhodecode/apps/repository/views/repo_pull_requests.py

0 +32 -1

              from rhodecode.lib.base import vcs_operation_context
              from rhodecode.lib.ext_json import json
              from rhodecode.lib.auth import (
-                 LoginRequired, HasRepoPermissionAnyDecorator, NotAnonymous, CSRFRequired)
+                 LoginRequired, HasRepoPermissionAny, HasRepoPermissionAnyDecorator,
+                 NotAnonymous, CSRFRequired)
              from rhodecode.lib.utils2 import str2bool, safe_str, safe_unicode
              from rhodecode.lib.vcs.backends.base import EmptyCommit, UpdateFailureReason
              from rhodecode.lib.vcs.exceptions import (CommitDoesNotExistError,
                      source_db_repo = Repository.get_by_repo_name(_form['source_repo'])
                      target_db_repo = Repository.get_by_repo_name(_form['target_repo'])
+                     # re-check permissions again here
+                     # source_repo we must have read permissions
+                     source_perm = HasRepoPermissionAny(
+                         'repository.read',
+                         'repository.write', 'repository.admin')(source_db_repo.repo_name)
+                     if not source_perm:
+                         msg = _('Not Enough permissions to source repo `{}`.'.format(
+                             source_db_repo.repo_name))
+                         h.flash(msg, category='error')
+                         # copy the args back to redirect
+                         org_query = self.request.GET.mixed()
+                         raise HTTPFound(
+                             h.route_path('pullrequest_new', repo_name=self.db_repo_name,
+                                          _query=org_query))
+                     # target repo we must have write permissions, and also later on
+                     # we want to check branch permissions here
+                     target_perm = HasRepoPermissionAny(
+                         'repository.write', 'repository.admin')(target_db_repo.repo_name)
+                     if not target_perm:
+                         msg = _('Not Enough permissions to target repo `{}`.'.format(
+                             target_db_repo.repo_name))
+                         h.flash(msg, category='error')
+                         # copy the args back to redirect
+                         org_query = self.request.GET.mixed()
+                         raise HTTPFound(
+                             h.route_path('pullrequest_new', repo_name=self.db_repo_name,
+                                          _query=org_query))
                      source_scm = source_db_repo.scm_instance()
                      target_scm = target_db_repo.scm_instance()

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages