rhodecode-enterprise-ce Commit - r4044:573a1043

security: fixed issues with exposing repository names using global PR redirection link...

marcink -

r4044:573a1043 default

parent child

rhodecode/apps/admin/views/main_views.py

0 +8 -1

             from rhodecode.apps._base import BaseAppView
             from rhodecode.lib import helpers as h
-            from rhodecode.lib.auth import (LoginRequired, NotAnonymous)
+            from rhodecode.lib.auth import (LoginRequired, NotAnonymous, HasRepoPermissionAny)
             from rhodecode.model.db import PullRequest
                     pull_request_id = pull_request.pull_request_id
                     repo_name = pull_request.target_repo.repo_name
+                    # NOTE(marcink):
+                    # check permissions so we don't redirect to repo that we don't have access to
+                    # exposing it's name
+                    target_repo_perm = HasRepoPermissionAny(
+                        'repository.read', 'repository.write', 'repository.admin')(repo_name)
+                    if not target_repo_perm:
+                        raise HTTPNotFound()
                     raise HTTPFound(
                         h.route_path('pullrequest_show', repo_name=repo_name,

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages