Mailinglist Archive: opensuse-buildservice (251 mails)
| < Previous | Next > |
[opensuse-buildservice] Re: [PATCH] [api] readded _aggregate permission checks corrected
- From: Adrian Schröter <adrian@xxxxxxx>
- Date: Thu, 30 Sep 2010 09:00:26 +0200
- Message-id: <201009300900.26794.adrian@xxxxxxx>
This STILL can not work. And this is still a design problem.
Really.
Why do you blindly re-apply the removed stuff without to face the design
problems in any way with it ?
This is not a productive way and will not get us any step nearer to the 2.2
release.
Am Mittwoch, 29. September 2010, 23:39:27 schrieb OBS build-service:
From: Martin Mohring <martinmohring@xxxxxxxxxxxxxxxxxxx>
---
src/api/app/controllers/source_controller.rb | 45 ++++++++++++++++++++++++-
1 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/src/api/app/controllers/source_controller.rb
b/src/api/app/controllers/source_controller.rb
index bbc7325..9009fe9 100644
--- a/src/api/app/controllers/source_controller.rb
+++ b/src/api/app/controllers/source_controller.rb
@@ -985,8 +985,49 @@ class SourceController < ApplicationController
validator.validate(request)
end
- # ACL(file): the following code checks if link or aggregate, kiwi
file or product definition opens a hole
- if params[:file] == "_link"
+ # ACL(file): the following code checks if link or aggregate
+ if params[:file] == "_aggregate"
+ data = REXML::Document.new(request.raw_post.to_s)
+ data.elements.each("aggregatelist/aggregate") do |e|
+ # ACL(file) TODO: check if the _aggregate check cannot be
circumvented somehow
+ tproject_name = e.attributes["project"]
+ tprj = DbProject.find_by_name(tproject_name)
+ if tprj.nil?
+ if not DbProject.find_remote_project(tproject_name)
+ render_error :status => 404, :errorcode => 'not_found',
+ :message => "The given #{tproject_name} does not exist"
+ return
+ end
+ else
+ # ACL(file): _aggregate access behaves like project not
existing
+ if tprj.disabled_for?('access', nil, nil) and not
@http_user.can_access?(tprj)
+ render_error :status => 404, :errorcode => 'not_found',
+ :message => "The project #{tproject_name} does not exist"
+ return
+ end
+
+ # ACL(file): _aggregate binarydownload denies access to
repositories
+ if tprj.disabled_for?('binarydownload', nil, nil) and not
@http_user.can_download_binaries?(tprj)
+ render_error :status => 403, :errorcode =>
"download_binary_no_permission",
+ :message => "No permission to _aggregate binaries from
project #{params[:project]}"
+ return
+ end
+
+ # ACL(file): check that user does not aggregate an unprotected
project to a protected project
+ if prj
+ if (tprj.disabled_for?('access', nil, nil) and
prj.enabled_for?('access', nil, nil)) or
+ (tprj.disabled_for?('binarydownload', nil, nil) and
prj.enabled_for?('access', nil, nil) and
+ prj.enabled_for?('binarydownload', nil, nil))
+ render_error :status => 403, :errorcode =>
"binary_download_no_permission" ,
+ :message => "aggregate with an unprotected project
#{project_name} to a protected project #{tproject_name}"
+ return
+ end
+ end
+ end
+
+ logger.debug "_aggregate checked for #{tproject_name} project
permission"
+ end
+ elsif params[:file] == "_link"
data = REXML::Document.new(request.raw_post.to_s)
data.elements.each("link") do |e|
tproject_name = e.attributes["project"]
--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
| < Previous | Next > |