This STILL can not work. And this is still a design problem.
Really.
Why do you blindly re-apply the removed stuff without facing the design
problems with it in any way?
This is not a productive way and will not get us any step nearer to the 2.2 release.
On Wednesday, 29 September 2010, 23:39:27, OBS build-service wrote:
> From: Martin Mohring <martinmohring(a)linuxfoundation.org>
>
> ---
> src/api/app/controllers/source_controller.rb | 45 ++++++++++++++++++++++++-
> 1 files changed, 43 insertions(+), 2 deletions(-)
>
> diff --git a/src/api/app/controllers/source_controller.rb b/src/api/app/controllers/source_controller.rb
> index bbc7325..9009fe9 100644
> --- a/src/api/app/controllers/source_controller.rb
> +++ b/src/api/app/controllers/source_controller.rb
> @@ -985,8 +985,49 @@ class SourceController < ApplicationController
> validator.validate(request)
> end
>
> - # ACL(file): the following code checks if link or aggregate, kiwi file or product definition opens a hole
> - if params[:file] == "_link"
> + # ACL(file): the following code checks if link or aggregate
> + if params[:file] == "_aggregate"
> + data = REXML::Document.new(request.raw_post.to_s)
> + data.elements.each("aggregatelist/aggregate") do |e|
> + # ACL(file) TODO: check if the _aggregate check cannot be circumvented somehow
> + tproject_name = e.attributes["project"]
> + tprj = DbProject.find_by_name(tproject_name)
> + if tprj.nil?
> + if not DbProject.find_remote_project(tproject_name)
> + render_error :status => 404, :errorcode => 'not_found',
> + :message => "The given #{tproject_name} does not exist"
> + return
> + end
> + else
> + # ACL(file): _aggregate access behaves like project not existing
> + if tprj.disabled_for?('access', nil, nil) and not @http_user.can_access?(tprj)
> + render_error :status => 404, :errorcode => 'not_found',
> + :message => "The project #{tproject_name} does not exist"
> + return
> + end
> +
> + # ACL(file): _aggregate binarydownload denies access to repositories
> + if tprj.disabled_for?('binarydownload', nil, nil) and not @http_user.can_download_binaries?(tprj)
> + render_error :status => 403, :errorcode => "download_binary_no_permission",
> + :message => "No permission to _aggregate binaries from project #{params[:project]}"
> + return
> + end
> +
> + # ACL(file): check that user does not aggregate an unprotected project to a protected project
> + if prj
> + if (tprj.disabled_for?('access', nil, nil) and prj.enabled_for?('access', nil, nil)) or
> + (tprj.disabled_for?('binarydownload', nil, nil) and prj.enabled_for?('access', nil, nil) and
> + prj.enabled_for?('binarydownload', nil, nil))
> + render_error :status => 403, :errorcode => "binary_download_no_permission" ,
> + :message => "aggregate with an unprotected project #{project_name} to a protected project #{tproject_name}"
> + return
> + end
> + end
> + end
> +
> + logger.debug "_aggregate checked for #{tproject_name} project permission"
> + end
> + elsif params[:file] == "_link"
> data = REXML::Document.new(request.raw_post.to_s)
> data.elements.each("link") do |e|
> tproject_name = e.attributes["project"]
>
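Review bot: the error handling in this hunk is inconsistent and in one place likely broken: the binarydownload branch reports `#{params[:project]}` in its message although the project whose binaries are denied is `tproject_name`; the third check uses errorcode `"binary_download_no_permission"` while the second uses `"download_binary_no_permission"`; and the third check's message interpolates `project_name`, which is not defined anywhere in the visible hunk (the surrounding code uses `params[:project]`), so that path needs verifying before it is relied on to return a 403. On the logic side, when `tprj` is nil but `DbProject.find_remote_project` succeeds, the loop continues with no access or binarydownload check for that remote target at all, and the TODO on the first added line concedes that circumvention of the `_aggregate` check is still an open question; that is precisely the design problem the reply points at, so resolve it (or document why remote targets need no check) rather than re-applying the block as-is. Minor: the replaced comment no longer mentions the kiwi file and product definition cases the old comment listed, so either restore that wording or say where those checks now live.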
--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian(a)suse.de
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-buildservice+help(a)opensuse.org