security: fixed issues with exposing repository names using global PR redirection link...
marcink -
r4044:573a1043 default
@@ -25,7 +25,7 b' from pyramid.view import view_config'
25
25
26 from rhodecode.apps._base import BaseAppView
26 from rhodecode.apps._base import BaseAppView
27 from rhodecode.lib import helpers as h
27 from rhodecode.lib import helpers as h
28 from rhodecode.lib.auth import (LoginRequired, NotAnonymous)
28 from rhodecode.lib.auth import (LoginRequired, NotAnonymous, HasRepoPermissionAny)
29 from rhodecode.model.db import PullRequest
29 from rhodecode.model.db import PullRequest
30
30
31
31
@@ -66,6 +66,13 b' class AdminMainView(BaseAppView):'
66 pull_request_id = pull_request.pull_request_id
66 pull_request_id = pull_request.pull_request_id
67
67
68 repo_name = pull_request.target_repo.repo_name
68 repo_name = pull_request.target_repo.repo_name
69 # NOTE(marcink):
70 # check permissions so we don't redirect to repo that we don't have access to
71 # exposing it's name
72 target_repo_perm = HasRepoPermissionAny(
73 'repository.read', 'repository.write', 'repository.admin')(repo_name)
74 if not target_repo_perm:
75 raise HTTPNotFound()
69
76
70 raise HTTPFound(
77 raise HTTPFound(
71 h.route_path('pullrequest_show', repo_name=repo_name,
78 h.route_path('pullrequest_show', repo_name=repo_name,
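Review bot: The new check at lines 72-75 only closes the leak if the unknown-pull-request branch earlier in this view, which lies outside the hunk, also raises HTTPNotFound; if that branch returns a different status, a caller can still tell "no such PR" from "PR in a repository I cannot read", and the comment should say that this is deliberate, e.g. `# 404 (not 403) on purpose: a 403 would confirm the repo exists`. The comment on line 71 has a typo, `# exposing it's name` should read `# exposing its name`. The permission tuple `'repository.read', 'repository.write', 'repository.admin'` is the usual "any read access" set and would read better as a named constant if one exists in rhodecode.lib.auth, which this hunk does not show. The enclosing method starts before the hunk and its body continues after line 78.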