This STILL can not work. And this is still a design problem.

Really.

Why do you blindly re-apply the removed stuff without to face the design problems in any way with it ?

This is not a productive way and will not get us any step nearer to the 2.2 release.

Am Mittwoch, 29. September 2010, 23:39:27 schrieb OBS build-service:

From: Martin Mohring martinmohring@linuxfoundation.org

---

src/api/app/controllers/source_controller.rb | 45 ++++++++++++++++++++++++- 1 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/src/api/app/controllers/source_controller.rb b/src/api/app/controllers/source_controller.rb index bbc7325..9009fe9 100644 --- a/src/api/app/controllers/source_controller.rb +++ b/src/api/app/controllers/source_controller.rb @@ -985,8 +985,49 @@ class SourceController < ApplicationController validator.validate(request) end

•    # ACL(file): the following code checks if link or aggregate, kiwi file or product definition opens a hole
  

•    if params[:file] == "_link"
  

•    # ACL(file): the following code checks if link or aggregate
  

•    if params[:file] == "_aggregate"
  

•      data = REXML::Document.new(request.raw_post.to_s)
  

•      data.elements.each("aggregatelist/aggregate") do |e|
  

•        # ACL(file) TODO: check if the _aggregate check cannot be circumvented somehow
  

•        tproject_name = e.attributes["project"]
  

•        tprj = DbProject.find_by_name(tproject_name)
  

•        if tprj.nil?
  

•          if not DbProject.find_remote_project(tproject_name)
  

•            render_error :status => 404, :errorcode => 'not_found',
  

•            :message => "The given #{tproject_name} does not exist"
  

•            return
  

•          end
  

•        else
  

•          # ACL(file): _aggregate access behaves like project not existing
  

•          if tprj.disabled_for?('access', nil, nil) and not @http_user.can_access?(tprj)
  

•            render_error :status => 404, :errorcode => 'not_found',
  

•            :message => "The project #{tproject_name} does not exist"
  

•            return
  

•          end
  

•          # ACL(file): _aggregate binarydownload denies access to repositories
  

•          if tprj.disabled_for?('binarydownload', nil, nil) and not @http_user.can_download_binaries?(tprj)
  

•            render_error :status => 403, :errorcode => "download_binary_no_permission",
  

•            :message => "No permission to _aggregate binaries from project #{params[:project]}"
  

•            return
  

•          end
  

•          # ACL(file): check that user does not aggregate an unprotected project to a protected project
  

•          if prj
  

•            if (tprj.disabled_for?('access', nil, nil) and prj.enabled_for?('access', nil, nil)) or
  

•                (tprj.disabled_for?('binarydownload', nil, nil) and prj.enabled_for?('access', nil, nil) and
  

•                 prj.enabled_for?('binarydownload', nil, nil))
  

•              render_error :status => 403, :errorcode => "binary_download_no_permission" ,
  

•              :message => "aggregate with an unprotected project  #{project_name} to a protected project #{tproject_name}"
  

•              return
  

•            end
  

•          end
  

•        end
  

•        logger.debug "_aggregate checked for #{tproject_name} project permission"
  

•      end
  

•    elsif params[:file] == "_link"
       data = REXML::Document.new(request.raw_post.to_s)
       data.elements.each("link") do |e|
         tproject_name = e.attributes["project"]