This STILL can not work. And this is still a design problem. Really. Why do you blindly re-apply the removed stuff without to face the design problems in any way with it ? This is not a productive way and will not get us any step nearer to the 2.2 release. Am Mittwoch, 29. September 2010, 23:39:27 schrieb OBS build-service:

From: Martin Mohring

--- src/api/app/controllers/source_controller.rb | 45 ++++++++++++++++++++++++- 1 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/src/api/app/controllers/source_controller.rb b/src/api/app/controllers/source_controller.rb index bbc7325..9009fe9 100644 --- a/src/api/app/controllers/source_controller.rb +++ b/src/api/app/controllers/source_controller.rb @@ -985,8 +985,49 @@ class SourceController < ApplicationController validator.validate(request) end

- # ACL(file): the following code checks if link or aggregate, kiwi file or product definition opens a hole - if params[:file] == "_link" + # ACL(file): the following code checks if link or aggregate + if params[:file] == "_aggregate" + data = REXML::Document.new(request.raw_post.to_s) + data.elements.each("aggregatelist/aggregate") do |e| + # ACL(file) TODO: check if the _aggregate check cannot be circumvented somehow + tproject_name = e.attributes["project"] + tprj = DbProject.find_by_name(tproject_name) + if tprj.nil? + if not DbProject.find_remote_project(tproject_name) + render_error :status => 404, :errorcode => 'not_found', + :message => "The given #{tproject_name} does not exist" + return + end + else + # ACL(file): _aggregate access behaves like project not existing + if tprj.disabled_for?('access', nil, nil) and not @http_user.can_access?(tprj) + render_error :status => 404, :errorcode => 'not_found', + :message => "The project #{tproject_name} does not exist" + return + end + + # ACL(file): _aggregate binarydownload denies access to repositories + if tprj.disabled_for?('binarydownload', nil, nil) and not @http_user.can_download_binaries?(tprj) + render_error :status => 403, :errorcode => "download_binary_no_permission", + :message => "No permission to _aggregate binaries from project #{params[:project]}" + return + end + + # ACL(file): check that user does not aggregate an unprotected project to a protected project + if prj + if (tprj.disabled_for?('access', nil, nil) and prj.enabled_for?('access', nil, nil)) or + (tprj.disabled_for?('binarydownload', nil, nil) and prj.enabled_for?('access', nil, nil) and + prj.enabled_for?('binarydownload', nil, nil)) + render_error :status => 403, :errorcode => "binary_download_no_permission" , + :message => "aggregate with an unprotected project #{project_name} to a protected project #{tproject_name}" + return + end + end + end + + logger.debug "_aggregate checked for #{tproject_name} project permission" + end + elsif params[:file] == "_link" data = REXML::Document.new(request.raw_post.to_s) data.elements.each("link") do |e| tproject_name = e.attributes["project"]

-- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org