Fix permissions on accessing archived logs
This commit is contained in:
parent
46e1bd9c75
commit
464bccb5a0
2 changed files with 18 additions and 6 deletions
|
@ -343,14 +343,20 @@ def sitemap():
|
||||||
|
|
||||||
@web.route('/buildlogs/<build_uuid>', methods=['GET'])
|
@web.route('/buildlogs/<build_uuid>', methods=['GET'])
|
||||||
@route_show_if(features.BUILD_SUPPORT)
|
@route_show_if(features.BUILD_SUPPORT)
|
||||||
@require_session_login
|
@process_auth_or_cookie
|
||||||
def buildlogs(build_uuid):
|
def buildlogs(build_uuid):
|
||||||
found_build = model.build.get_repository_build(build_uuid)
|
found_build = model.build.get_repository_build(build_uuid)
|
||||||
if not found_build:
|
if not found_build:
|
||||||
abort(403)
|
abort(403)
|
||||||
|
|
||||||
repo = found_build.repository
|
repo = found_build.repository
|
||||||
if not ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can():
|
has_permission = ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can()
|
||||||
|
if features.READER_BUILD_LOGS and not has_permission:
|
||||||
|
if (ReadRepositoryPermission(repo.namespace_user.username, repo.name).can() or
|
||||||
|
model.repository.repository_is_public(repo.namespace_user.username, repo.name)):
|
||||||
|
has_permission = True
|
||||||
|
|
||||||
|
if not has_permission:
|
||||||
abort(403)
|
abort(403)
|
||||||
|
|
||||||
# If the logs have been archived, just return a URL of the completed archive
|
# If the logs have been archived, just return a URL of the completed archive
|
||||||
|
@ -368,7 +374,7 @@ def buildlogs(build_uuid):
|
||||||
|
|
||||||
@web.route('/logarchive/<file_id>', methods=['GET'])
|
@web.route('/logarchive/<file_id>', methods=['GET'])
|
||||||
@route_show_if(features.BUILD_SUPPORT)
|
@route_show_if(features.BUILD_SUPPORT)
|
||||||
@require_session_login
|
@process_auth_or_cookie
|
||||||
def logarchive(file_id):
|
def logarchive(file_id):
|
||||||
JSON_MIMETYPE = 'application/json'
|
JSON_MIMETYPE = 'application/json'
|
||||||
try:
|
try:
|
||||||
|
@ -378,7 +384,13 @@ def logarchive(file_id):
|
||||||
abort(403)
|
abort(403)
|
||||||
|
|
||||||
repo = found_build.repository
|
repo = found_build.repository
|
||||||
if not ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can():
|
has_permission = ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can()
|
||||||
|
if features.READER_BUILD_LOGS and not has_permission:
|
||||||
|
if (ReadRepositoryPermission(repo.namespace_user.username, repo.name).can() or
|
||||||
|
model.repository.repository_is_public(repo.namespace_user.username, repo.name)):
|
||||||
|
has_permission = True
|
||||||
|
|
||||||
|
if not has_permission:
|
||||||
abort(403)
|
abort(403)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
|
|
@ -145,7 +145,7 @@ class BuildLogsTestCase(EndpointTestCase):
|
||||||
self.getResponse('web.buildlogs', build_uuid='bad_build_uuid', expected_code=400)
|
self.getResponse('web.buildlogs', build_uuid='bad_build_uuid', expected_code=400)
|
||||||
|
|
||||||
def test_buildlogs_not_logged_in(self):
|
def test_buildlogs_not_logged_in(self):
|
||||||
self.getResponse('web.buildlogs', build_uuid=self.build_uuid, expected_code=401)
|
self.getResponse('web.buildlogs', build_uuid=self.build_uuid, expected_code=403)
|
||||||
|
|
||||||
def test_buildlogs_unauthorized(self):
|
def test_buildlogs_unauthorized(self):
|
||||||
self.login('reader', 'password')
|
self.login('reader', 'password')
|
||||||
|
@ -171,7 +171,7 @@ class ArchivedLogsTestCase(EndpointTestCase):
|
||||||
self.getResponse('web.logarchive', file_id='bad_build_uuid', expected_code=403)
|
self.getResponse('web.logarchive', file_id='bad_build_uuid', expected_code=403)
|
||||||
|
|
||||||
def test_logarchive_not_logged_in(self):
|
def test_logarchive_not_logged_in(self):
|
||||||
self.getResponse('web.logarchive', file_id=self.build_uuid, expected_code=401)
|
self.getResponse('web.logarchive', file_id=self.build_uuid, expected_code=403)
|
||||||
|
|
||||||
def test_logarchive_unauthorized(self):
|
def test_logarchive_unauthorized(self):
|
||||||
self.login('reader', 'password')
|
self.login('reader', 'password')
|
||||||
|
|
Reference in a new issue