pull-requests: security, prevent from injecting comments to other pull requests users...
ergo -
r2181:0bf8e4db default
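--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -679,7 +679,8 @@ class RepoPullRequestsView(RepoAppView,
         repo = Repository.get_by_repo_name(target_repo_name)
         if not repo:
             raise HTTPNotFound()
-        return PullRequestModel().generate_repo_data(repo, translator=self.request.translate)
+        return PullRequestModel().generate_repo_data(
+            repo, translator=self.request.translate)
 
     @LoginRequired()
     @NotAnonymous()
@@ -1081,6 +1082,13 @@ class RepoPullRequestsView(RepoAppView,
             log.debug('comment: forbidden because pull request is closed')
             raise HTTPForbidden()
 
+        allowed_to_comment = PullRequestModel().check_user_comment(
+            pull_request, self._rhodecode_user)
+        if not allowed_to_comment:
+            log.debug(
+                'comment: forbidden because pull request is from forbidden repo')
+            raise HTTPForbidden()
+
         c = self.load_default_context()
 
         status = self.request.POST.get('changeset_status', None)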
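Review bot: The denial branch added at new lines 1087-1090 logs a fixed string that does not describe what check_user_comment actually tests (read permission on the pull request or authorship, not the source repository), and it records neither who was refused nor which pull request, so a rejected attempt cannot be traced or alerted on from the logs. Suggest `log.debug('comment: forbidden, user_id %s lacks read access to pull request %s', self._rhodecode_user.user_id, pull_request.pull_request_id)` — pull_request_id is assumed to be the model's primary key, confirm. The hunk at -679 is a line-wrap only. The enclosing method starts before and continues after this hunk.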
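--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -164,6 +164,10 @@ class PullRequestModel(BaseModel):
             pull_request.reviewers]
         return self.check_user_update(pull_request, user, api) or reviewer
 
+    def check_user_comment(self, pull_request, user):
+        owner = user.user_id == pull_request.user_id
+        return self.check_user_read(pull_request, user) or owner
+
     def get(self, pull_request):
         return self.__get_pull_request(pull_request)
 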
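Review bot: check_user_comment at new lines 167-169 has no docstring and, unlike the neighbouring check_user_update(pull_request, user, api) visible at line 165, takes no api flag; if check_user_read accepts one (its signature is not in this hunk), the web and API paths would be authorised differently by this new check. Suggest the docstring `"""Return True if `user` may comment on `pull_request`: its author, or any user with read access to it."""` and, if check_user_read supports it, `def check_user_comment(self, pull_request, user, api=False):` with `api` forwarded to check_user_read so the permission rule stays the same on both entry points. The owner test compares user_id only, which is fine here as long as callers never pass an anonymous user without a user_id — the view hunk above goes through NotAnonymous-guarded handlers, but confirm for any other caller.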