security: fixed issues with exposing repository names using global PR redirection link...
marcink -
r4044:573a1043 default
@@ -1,72 +1,79 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2
2
3 # Copyright (C) 2016-2019 RhodeCode GmbH
3 # Copyright (C) 2016-2019 RhodeCode GmbH
4 #
4 #
5 # This program is free software: you can redistribute it and/or modify
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of the GNU Affero General Public License, version 3
6 # it under the terms of the GNU Affero General Public License, version 3
7 # (only), as published by the Free Software Foundation.
7 # (only), as published by the Free Software Foundation.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU Affero General Public License
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
16 #
17 # This program is dual-licensed. If you wish to learn more about the
17 # This program is dual-licensed. If you wish to learn more about the
18 # RhodeCode Enterprise Edition, including its added features, Support services,
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
20
21 import logging
21 import logging
22
22
23 from pyramid.httpexceptions import HTTPFound, HTTPNotFound
23 from pyramid.httpexceptions import HTTPFound, HTTPNotFound
24 from pyramid.view import view_config
24 from pyramid.view import view_config
25
25
26 from rhodecode.apps._base import BaseAppView
26 from rhodecode.apps._base import BaseAppView
27 from rhodecode.lib import helpers as h
27 from rhodecode.lib import helpers as h
28 from rhodecode.lib.auth import (LoginRequired, NotAnonymous)
28 from rhodecode.lib.auth import (LoginRequired, NotAnonymous, HasRepoPermissionAny)
29 from rhodecode.model.db import PullRequest
29 from rhodecode.model.db import PullRequest
30
30
31
31
32 log = logging.getLogger(__name__)
32 log = logging.getLogger(__name__)
33
33
34
34
35 class AdminMainView(BaseAppView):
35 class AdminMainView(BaseAppView):
36 def load_default_context(self):
36 def load_default_context(self):
37 c = self._get_local_tmpl_context()
37 c = self._get_local_tmpl_context()
38 return c
38 return c
39
39
40 @LoginRequired()
40 @LoginRequired()
41 @NotAnonymous()
41 @NotAnonymous()
42 @view_config(
42 @view_config(
43 route_name='admin_home', request_method='GET',
43 route_name='admin_home', request_method='GET',
44 renderer='rhodecode:templates/admin/main.mako')
44 renderer='rhodecode:templates/admin/main.mako')
45 def admin_main(self):
45 def admin_main(self):
46 c = self.load_default_context()
46 c = self.load_default_context()
47 c.active = 'admin'
47 c.active = 'admin'
48
48
49 if not (c.is_super_admin or c.is_delegated_admin):
49 if not (c.is_super_admin or c.is_delegated_admin):
50 raise HTTPNotFound()
50 raise HTTPNotFound()
51
51
52 return self._get_template_context(c)
52 return self._get_template_context(c)
53
53
54 @LoginRequired()
54 @LoginRequired()
55 @view_config(route_name='pull_requests_global_0', request_method='GET')
55 @view_config(route_name='pull_requests_global_0', request_method='GET')
56 @view_config(route_name='pull_requests_global_1', request_method='GET')
56 @view_config(route_name='pull_requests_global_1', request_method='GET')
57 @view_config(route_name='pull_requests_global', request_method='GET')
57 @view_config(route_name='pull_requests_global', request_method='GET')
58 def pull_requests(self):
58 def pull_requests(self):
59 """
59 """
60 Global redirect for Pull Requests
60 Global redirect for Pull Requests
61 pull_request_id: id of pull requests in the system
61 pull_request_id: id of pull requests in the system
62 """
62 """
63
63
64 pull_request = PullRequest.get_or_404(
64 pull_request = PullRequest.get_or_404(
65 self.request.matchdict['pull_request_id'])
65 self.request.matchdict['pull_request_id'])
66 pull_request_id = pull_request.pull_request_id
66 pull_request_id = pull_request.pull_request_id
67
67
68 repo_name = pull_request.target_repo.repo_name
68 repo_name = pull_request.target_repo.repo_name
69 # NOTE(marcink):
70 # check permissions so we don't redirect to repo that we don't have access to
71 # exposing it's name
72 target_repo_perm = HasRepoPermissionAny(
73 'repository.read', 'repository.write', 'repository.admin')(repo_name)
74 if not target_repo_perm:
75 raise HTTPNotFound()
69
76
70 raise HTTPFound(
77 raise HTTPFound(
71 h.route_path('pullrequest_show', repo_name=repo_name,
78 h.route_path('pullrequest_show', repo_name=repo_name,
72 pull_request_id=pull_request_id))
79 pull_request_id=pull_request_id))
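Review bot: The new permission check at lines 69-75 is what stops the redirect from leaking the target repository name, but the docstring at lines 59-62 still describes the view as a plain redirect and says nothing about the access rule or about why the failure is a 404 rather than a 403. The uniform `HTTPNotFound` for both "no such pull request" (`get_or_404`) and "pull request in a repository the caller cannot read" is the property that keeps the endpoint from distinguishing the two cases, so it deserves to be written down before someone "improves" it to a 403; I would extend the docstring with `Raises HTTPNotFound both for unknown ids and for pull requests whose target repository the current user cannot read, so the response does not reveal whether the repository exists.` The NOTE comment at lines 70-71 should also read `its name` rather than `it's name`. One thing to confirm: `pull_request.target_repo.repo_name` on line 68 is evaluated before the check, so if `target_repo` can ever be unset for a stale pull request this path would raise an AttributeError instead of a 404 — I cannot tell from the hunk whether the model allows that.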