repo-forks: security, check for access to fork_id parameter to prevent...
marcink -
r2173:d100eea4 default
@@ -27,7 +27,8 b' from rhodecode.apps._base import RepoApp'
27 from rhodecode.lib import helpers as h
27 from rhodecode.lib import helpers as h
28 from rhodecode.lib import audit_logger
28 from rhodecode.lib import audit_logger
29 from rhodecode.lib.auth import (
29 from rhodecode.lib.auth import (
30 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
30 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired,
31 HasRepoPermissionAny)
31 from rhodecode.lib.exceptions import AttachedForksError
32 from rhodecode.lib.exceptions import AttachedForksError
32 from rhodecode.lib.utils2 import safe_int
33 from rhodecode.lib.utils2 import safe_int
33 from rhodecode.lib.vcs import RepositoryError
34 from rhodecode.lib.vcs import RepositoryError
@@ -169,23 +170,32 b' class RepoSettingsView(RepoAppView):'
169 """
170 """
170 _ = self.request.translate
171 _ = self.request.translate
171
172
172 new_fork_id = self.request.POST.get('id_fork_of')
173 new_fork_id = safe_int(self.request.POST.get('id_fork_of'))
173 try:
174
175 # valid repo, re-check permissions
176 if new_fork_id:
177 repo = Repository.get(new_fork_id)
178 # ensure we have at least read access to the repo we mark
179 perm_check = HasRepoPermissionAny(
180 'repository.read', 'repository.write', 'repository.admin')
174
181
175 if new_fork_id and not new_fork_id.isdigit():
182 if repo and perm_check(repo_name=repo.repo_name):
176 log.error('Given fork id %s is not an INT', new_fork_id)
183 new_fork_id = repo.repo_id
184 else:
185 new_fork_id = None
177
186
178 fork_id = safe_int(new_fork_id)
187 try:
179 repo = ScmModel().mark_as_fork(
188 repo = ScmModel().mark_as_fork(
180 self.db_repo_name, fork_id, self._rhodecode_user.user_id)
189 self.db_repo_name, new_fork_id, self._rhodecode_user.user_id)
181 fork = repo.fork.repo_name if repo.fork else _('Nothing')
190 fork = repo.fork.repo_name if repo.fork else _('Nothing')
182 Session().commit()
191 Session().commit()
183 h.flash(_('Marked repo %s as fork of %s') % (self.db_repo_name, fork),
192 h.flash(
193 _('Marked repo %s as fork of %s') % (self.db_repo_name, fork),
184 category='success')
194 category='success')
185 except RepositoryError as e:
195 except RepositoryError as e:
186 log.exception("Repository Error occurred")
196 log.exception("Repository Error occurred")
187 h.flash(str(e), category='error')
197 h.flash(str(e), category='error')
188 except Exception as e:
198 except Exception:
189 log.exception("Exception while editing fork")
199 log.exception("Exception while editing fork")
190 h.flash(_('An error occurred during this operation'),
200 h.flash(_('An error occurred during this operation'),
191 category='error')
201 category='error')
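Review bot: The `else:` branch at new lines 184–185 maps a rejected fork id (repository not found, or the caller lacks read access) to `new_fork_id = None`, so the request still reaches `mark_as_fork` and succeeds as "fork of Nothing": a denied or bogus `id_fork_of` silently clears the existing fork relationship and flashes a success message instead of being refused. The same path is taken for a non-numeric `id_fork_of`, which `safe_int` now turns into None where the removed `log.error(...)` at least left a trace. A rejected id should be logged, reported to the user, and the `mark_as_fork` call skipped; the early exit has to match whatever this method does after the try block, which lies outside the hunk (the method also starts before it). Sketch of the rejection branch:
```python
            if repo and perm_check(repo_name=repo.repo_name):
                new_fork_id = repo.repo_id
            else:
                log.warning(
                    'Rejected id_fork_of=%s for %s: repository missing or no read access',
                    new_fork_id, self.db_repo_name)
                h.flash(_('Repository not found or access denied'),
                        category='error')
                # leave the current fork untouched: exit here the same way the
                # rest of this method exits after the try block (outside the hunk)
# … unchanged: try/except around ScmModel().mark_as_fork …
```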
@@ -218,6 +218,7 b' function registerRCRoutes() {'
218 pyroutes.register('edit_repo_strip', '/%(repo_name)s/settings/strip', ['repo_name']);
218 pyroutes.register('edit_repo_strip', '/%(repo_name)s/settings/strip', ['repo_name']);
219 pyroutes.register('strip_check', '/%(repo_name)s/settings/strip_check', ['repo_name']);
219 pyroutes.register('strip_check', '/%(repo_name)s/settings/strip_check', ['repo_name']);
220 pyroutes.register('strip_execute', '/%(repo_name)s/settings/strip_execute', ['repo_name']);
220 pyroutes.register('strip_execute', '/%(repo_name)s/settings/strip_execute', ['repo_name']);
221 pyroutes.register('edit_repo_audit_logs', '/%(repo_name)s/settings/audit_logs', ['repo_name']);
221 pyroutes.register('rss_feed_home', '/%(repo_name)s/feed/rss', ['repo_name']);
222 pyroutes.register('rss_feed_home', '/%(repo_name)s/feed/rss', ['repo_name']);
222 pyroutes.register('atom_feed_home', '/%(repo_name)s/feed/atom', ['repo_name']);
223 pyroutes.register('atom_feed_home', '/%(repo_name)s/feed/atom', ['repo_name']);
223 pyroutes.register('repo_summary', '/%(repo_name)s', ['repo_name']);
224 pyroutes.register('repo_summary', '/%(repo_name)s', ['repo_name']);