rhodecode-enterprise-ce Commit - r4044:573a1043

security: fixed issues with exposing repository names using global PR redirection link...

marcink -

r4044:573a1043 default

parent child

rhodecode/apps/admin/views/main_views.py

0 +8 -1

              from rhodecode.apps._base import BaseAppView
              from rhodecode.lib import helpers as h
-             from rhodecode.lib.auth import (LoginRequired, NotAnonymous)
+             from rhodecode.lib.auth import (LoginRequired, NotAnonymous, HasRepoPermissionAny)
              from rhodecode.model.db import PullRequest
                      pull_request_id = pull_request.pull_request_id
                      repo_name = pull_request.target_repo.repo_name
+                     # NOTE(marcink):
+                     # check permissions so we don't redirect to repo that we don't have access to
+                     # exposing it's name
+                     target_repo_perm = HasRepoPermissionAny(
+                         'repository.read', 'repository.write', 'repository.admin')(repo_name)
+                     if not target_repo_perm:
+                         raise HTTPNotFound()
                      raise HTTPFound(
                          h.route_path('pullrequest_show', repo_name=repo_name,

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages