repo-forks: security, check for access to fork_id parameter to prevent...
marcink -
r2173:d100eea4 default
@@ -27,7 +27,8 b' from rhodecode.apps._base import RepoApp'
27 27 from rhodecode.lib import helpers as h
28 28 from rhodecode.lib import audit_logger
29 29 from rhodecode.lib.auth import (
30 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
30 LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired,
31 HasRepoPermissionAny)
31 32 from rhodecode.lib.exceptions import AttachedForksError
32 33 from rhodecode.lib.utils2 import safe_int
33 34 from rhodecode.lib.vcs import RepositoryError
@@ -169,23 +170,32 b' class RepoSettingsView(RepoAppView):'
169 170 """
170 171 _ = self.request.translate
171 172
172 new_fork_id = self.request.POST.get('id_fork_of')
173 try:
173 new_fork_id = safe_int(self.request.POST.get('id_fork_of'))
174
175 # valid repo, re-check permissions
176 if new_fork_id:
177 repo = Repository.get(new_fork_id)
178 # ensure we have at least read access to the repo we mark
179 perm_check = HasRepoPermissionAny(
180 'repository.read', 'repository.write', 'repository.admin')
174 181
175 if new_fork_id and not new_fork_id.isdigit():
176 log.error('Given fork id %s is not an INT', new_fork_id)
182 if repo and perm_check(repo_name=repo.repo_name):
183 new_fork_id = repo.repo_id
184 else:
185 new_fork_id = None
177 186
178 fork_id = safe_int(new_fork_id)
187 try:
179 188 repo = ScmModel().mark_as_fork(
180 self.db_repo_name, fork_id, self._rhodecode_user.user_id)
189 self.db_repo_name, new_fork_id, self._rhodecode_user.user_id)
181 190 fork = repo.fork.repo_name if repo.fork else _('Nothing')
182 191 Session().commit()
183 h.flash(_('Marked repo %s as fork of %s') % (self.db_repo_name, fork),
184 category='success')
192 h.flash(
193 _('Marked repo %s as fork of %s') % (self.db_repo_name, fork),
194 category='success')
185 195 except RepositoryError as e:
186 196 log.exception("Repository Error occurred")
187 197 h.flash(str(e), category='error')
188 except Exception as e:
198 except Exception:
189 199 log.exception("Exception while editing fork")
190 200 h.flash(_('An error occurred during this operation'),
191 201 category='error')
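Review bot: On new lines 184–185 a fork target that does not exist or fails the new read-permission check is silently coerced to `None`, so the request continues into `mark_as_fork(..., None, ...)` and the user gets the success flash "Marked repo … as fork of Nothing" — a denied request becomes a different state change (clearing the existing fork link) and is reported as success. The old code at least logged a rejected non-integer id; after this change neither a non-integer id (`safe_int` returns `None` quietly) nor a permission denial leaves any log line, which removes the trace an operator would want when this parameter is being probed. In the `else:` branch I would log and abort rather than fall through, e.g. `log.warning('id_fork_of=%s rejected: repository missing or no read access', new_fork_id)` followed by an error flash and the same early redirect the method presumably uses on other error paths, keeping the success path only for a verified target. Reusing the name `repo` for both the looked-up fork target (line 177) and the `mark_as_fork` result (line 188) reads confusingly; naming the first one `fork_repo` would make the two roles clear. The method begins before this hunk and its return (likely a redirect) lies after line 201, outside the hunk, so the exact early-return form should follow what is there.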
@@ -218,6 +218,7 b' function registerRCRoutes() {'
218 218 pyroutes.register('edit_repo_strip', '/%(repo_name)s/settings/strip', ['repo_name']);
219 219 pyroutes.register('strip_check', '/%(repo_name)s/settings/strip_check', ['repo_name']);
220 220 pyroutes.register('strip_execute', '/%(repo_name)s/settings/strip_execute', ['repo_name']);
221 pyroutes.register('edit_repo_audit_logs', '/%(repo_name)s/settings/audit_logs', ['repo_name']);
221 222 pyroutes.register('rss_feed_home', '/%(repo_name)s/feed/rss', ['repo_name']);
222 223 pyroutes.register('atom_feed_home', '/%(repo_name)s/feed/atom', ['repo_name']);
223 224 pyroutes.register('repo_summary', '/%(repo_name)s', ['repo_name']);