vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Fix permissions on accessing archived logs

Browse source
This commit is contained in:
Joseph Schorr 2017-08-18 13:45:36 -04:00
parent 46e1bd9c75
commit 464bccb5a0
2 changed files with 18 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
endpoints/web.py
View file

@ -343,14 +343,20 @@ def sitemap():
@web.route('/buildlogs/<build_uuid>', methods=['GET'])
@route_show_if(features.BUILD_SUPPORT)
@require_session_login
@process_auth_or_cookie
def buildlogs(build_uuid):
found_build = model.build.get_repository_build(build_uuid)
if not found_build:
abort(403)
repo = found_build.repository
if not ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can():
has_permission = ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can()
if features.READER_BUILD_LOGS and not has_permission:
if (ReadRepositoryPermission(repo.namespace_user.username, repo.name).can() or
model.repository.repository_is_public(repo.namespace_user.username, repo.name)):
has_permission = True
if not has_permission:
abort(403)
# If the logs have been archived, just return a URL of the completed archive
@ -368,7 +374,7 @@ def buildlogs(build_uuid):
@web.route('/logarchive/<file_id>', methods=['GET'])
@route_show_if(features.BUILD_SUPPORT)
@require_session_login
@process_auth_or_cookie
def logarchive(file_id):
JSON_MIMETYPE = 'application/json'
try:
@ -378,7 +384,13 @@ def logarchive(file_id):
abort(403)
repo = found_build.repository
if not ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can():
has_permission = ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can()
if features.READER_BUILD_LOGS and not has_permission:
if (ReadRepositoryPermission(repo.namespace_user.username, repo.name).can() or
model.repository.repository_is_public(repo.namespace_user.username, repo.name)):
has_permission = True
if not has_permission:
abort(403)
try:

4
test/test_endpoints.py
View file

@ -145,7 +145,7 @@ class BuildLogsTestCase(EndpointTestCase):
self.getResponse('web.buildlogs', build_uuid='bad_build_uuid', expected_code=400)
def test_buildlogs_not_logged_in(self):
self.getResponse('web.buildlogs', build_uuid=self.build_uuid, expected_code=401)
self.getResponse('web.buildlogs', build_uuid=self.build_uuid, expected_code=403)
def test_buildlogs_unauthorized(self):
self.login('reader', 'password')
@ -171,7 +171,7 @@ class ArchivedLogsTestCase(EndpointTestCase):
self.getResponse('web.logarchive', file_id='bad_build_uuid', expected_code=403)
def test_logarchive_not_logged_in(self):
self.getResponse('web.logarchive', file_id=self.build_uuid, expected_code=401)
self.getResponse('web.logarchive', file_id=self.build_uuid, expected_code=403)
def test_logarchive_unauthorized(self):
self.login('reader', 'password')