Make sure to add primary repo permissions under a transaction

Should prevent a repository from being created under a user's namespace without a corresponding admin permission Fixes https://jira.coreos.com/browse/QUAY-826
2018-02-06 11:20:40 -05:00 · 2018-02-06 11:20:40 -05:00 · da0fa2e0d2
commit da0fa2e0d2
parent 00ae24cb2f
1 changed files with 14 additions and 12 deletions
--- a/data/model/repository.py
+++ b/data/model/repository.py
@ -38,21 +38,23 @@ def create_repository(namespace, name, creating_user, visibility='private', repo
  namespace_user = User.get(username=namespace)
  yesterday = datetime.now() - timedelta(days=1)

-  repo = Repository.create(name=name, visibility=Repository.visibility.get_id(visibility),
-                           namespace_user=namespace_user,
-                           kind=Repository.kind.get_id(repo_kind),
-                           description=description)
+  with db_transaction():
+    repo = Repository.create(name=name, visibility=Repository.visibility.get_id(visibility),
+                            namespace_user=namespace_user,
+                            kind=Repository.kind.get_id(repo_kind),
+                            description=description)

-  RepositoryActionCount.create(repository=repo, count=0, date=yesterday)
-  RepositorySearchScore.create(repository=repo, score=0)
+    RepositoryActionCount.create(repository=repo, count=0, date=yesterday)
+    RepositorySearchScore.create(repository=repo, score=0)

-  if creating_user and not creating_user.organization:
-    admin = Role.get(name='admin')
-    RepositoryPermission.create(user=creating_user, repository=repo, role=admin)
+    # Note: We put the admin create permission under the transaction to ensure it is created.
+    if creating_user and not creating_user.organization:
+      admin = Role.get(name='admin')
+      RepositoryPermission.create(user=creating_user, repository=repo, role=admin)

-    if creating_user.username != namespace:
-      # Permission prototypes only work for orgs
-      permission.apply_default_permissions(repo, creating_user)
+  # Apply default permissions (only occurs for repositories under organizations)
+  if creating_user and not creating_user.organization and creating_user.username != namespace:
+    permission.apply_default_permissions(repo, creating_user)

  return repo