rhodecode-enterprise-ce Commit - r2194:90609677

auth: don't expose full set of permissions into channelstream payload....

ergo -

r2194:90609677 stable

parent child

rhodecode/apps/channelstream/views.py

0 +2 -1

                     except Exception:
                         log.exception('Failed to decode json from request')
                         raise HTTPBadRequest()
                     try:
                         channels = check_channel_permissions(
                             json_body.get('channels'),
                             'display_name': None,
                             'display_link': None,
                         }
-                    user_data['permissions'] = self._rhodecode_user.permissions
+                    user_data['permissions'] = self._rhodecode_user.permissions_safe
                     payload = {
                         'username': user.username,
                         'user_state': user_data,

rhodecode/lib/auth.py

0 +18 0

@@ -824,6 +824,24 b' class AuthUser(object):'
824	def permissions(self):	824	def permissions(self):
825	return self.get_perms(user=self, cache=False)	825	return self.get_perms(user=self, cache=False)
826		826
		827	@LazyProperty
		828	def permissions_safe(self):
		829	"""
		830	Filtered permissions excluding not allowed repositories
		831	"""
		832	perms = self.get_perms(user=self, cache=False)
		833
		834	perms['repositories'] = {
		835	k: v for k, v in perms['repositories'].iteritems()
		836	if v != 'repository.none'}
		837	perms['repositories_groups'] = {
		838	k: v for k, v in perms['repositories_groups'].iteritems()
		839	if v != 'group.none'}
		840	perms['user_groups'] = {
		841	k: v for k, v in perms['user_groups'].iteritems()
		842	if v != 'usergroup.none'}
		843	return perms
		844
827	def permissions_with_scope(self, scope):	845	def permissions_with_scope(self, scope):
828	"""	846	"""
829	Call the get_perms function with scoped data. The scope in that function	847	Call the get_perms function with scoped data. The scope in that function

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages