# HG changeset patch
# User Søren Løvborg <sorenl@unity3d.com>
# Date 1461077858 -7200
# Node ID 81057be7a5c10e1cd08d32c923468e41cf417ed1
# Parent  93b512845dab0f6a950df7c5bb1ccdeaffd5e386
auth: properly invoke PermFunctions (CVE-2016-3114)

This fixes a vulnerability that allowed logged-in users to edit or
delete open pull requests associated with any repository to which
they had read access, plus a related vulnerability allowing logged-in
users to delete any comment from any repository, provided they could
determine the comment ID and had read access to just one repository.

diff -r 93b512845dab -r 81057be7a5c1 kallithea/controllers/changeset.py
--- a/kallithea/controllers/changeset.py	Mon Feb 22 10:18:27 2016 +0100
+++ b/kallithea/controllers/changeset.py	Tue Apr 19 16:57:38 2016 +0200
@@ -423,11 +423,11 @@
                                    'repository.admin')
     @jsonify
     def delete_comment(self, repo_name, comment_id):
-        co = ChangesetComment.get(comment_id)
-        if not co:
-            raise HTTPBadRequest()
+        co = ChangesetComment.get_or_404(comment_id)
+        if co.repo.repo_name != repo_name:
+            raise HTTPNotFound()
         owner = co.author.user_id == c.authuser.user_id
-        repo_admin = h.HasRepoPermissionAny('repository.admin')
+        repo_admin = h.HasRepoPermissionAny('repository.admin')(repo_name)
         if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
diff -r 93b512845dab -r 81057be7a5c1 kallithea/controllers/pullrequests.py
--- a/kallithea/controllers/pullrequests.py	Mon Feb 22 10:18:27 2016 +0100
+++ b/kallithea/controllers/pullrequests.py	Tue Apr 19 16:57:38 2016 +0200
@@ -485,7 +485,7 @@
         #only owner or admin can update it
         owner = pull_request.owner.user_id == c.authuser.user_id
         repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
-        if not (h.HasPermissionAny('hg.admin') or repo_admin or owner):
+        if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):
             raise HTTPForbidden()
 
         _form = PullRequestPostForm()().to_python(request.POST)
@@ -788,7 +788,7 @@
 
         owner = co.author.user_id == c.authuser.user_id
         repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
-        if h.HasPermissionAny('hg.admin') or repo_admin or owner:
+        if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
             return True