changeset 5223:0b7b52bfaf5d stable

api: make update_repo check permissions to check owner like create_repo does. Close loophole for reassigning repository owners. Test by Thomas De Schampheleire.
author Mads Kiilerich <madski@unity3d.com>
date Tue, 07 Jul 2015 02:25:59 +0200
parents 6620542597d3
children 2906653151bf
files kallithea/controllers/api/api.py kallithea/tests/api/api_base.py
diffstat 2 files changed, 22 insertions(+), 0 deletions(-) [+]
--- a/kallithea/controllers/api/api.py	Tue Jul 07 02:25:59 2015 +0200
+++ b/kallithea/controllers/api/api.py	Tue Jul 07 02:25:59 2015 +0200
@@ -1561,6 +1561,12 @@
                 ):
                 raise JSONRPCError('no permission to create (or move) repositories')
 
+            if not isinstance(owner, Optional):
+                #forbid setting owner for non-admins
+                raise JSONRPCError(
+                    'Only Kallithea admin can specify `owner` param'
+                )
+
         updates = {
             # update function requires this.
             'repo_name': repo.repo_name
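Review bot: The comment on the new check says what it forbids but not why, and the why is the security property that must survive future refactoring; I would replace `#forbid setting owner for non-admins` with `# Ownership grants full control of the repository; a user with only repository.admin could otherwise reassign it (e.g. to themselves), bypassing the Kallithea-admin gate that create_repo already enforces.` The check keys on `isinstance(owner, Optional)`, so a non-admin who passes `owner` equal to the current owner is rejected as well — that strictness looks intentional and deserves a word in the comment so it is not relaxed later to "only if the owner actually changes". The check runs before `updates` is built, so nothing is mutated on the rejected path. update_repo's signature and the branch condition guarding this block are outside the hunk; from the indentation I am assuming the block only runs for non-admins.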
--- a/kallithea/tests/api/api_base.py	Tue Jul 07 02:25:59 2015 +0200
+++ b/kallithea/tests/api/api_base.py	Tue Jul 07 02:25:59 2015 +0200
@@ -1221,6 +1221,22 @@
             fixture.destroy_repo(repo_name)
             fixture.destroy_repo(new_repo_name)
 
+    def test_api_update_repo_regular_user_change_owner(self):
+        repo_name = 'admin_owned'
+        fixture.create_repo(repo_name, repo_type=self.REPO_TYPE)
+        RepoModel().grant_user_permission(repo=repo_name,
+                                          user=self.TEST_USER_LOGIN,
+                                          perm='repository.admin')
+        updates = {'owner': TEST_USER_ADMIN_LOGIN}
+        id_, params = _build_data(self.apikey_regular, 'update_repo',
+                                  repoid=repo_name, **updates)
+        response = api_call(self, params)
+        try:
+            expected = 'Only Kallithea admin can specify `owner` param'
+            self._compare_error(id_, expected, given=response.body)
+        finally:
+            fixture.destroy_repo(repo_name)
+
     def test_api_delete_repo(self):
         repo_name = 'api_delete_me'
         fixture.create_repo(repo_name, repo_type=self.REPO_TYPE)
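Review bot: The new test has the regular user set `owner` to `TEST_USER_ADMIN_LOGIN`, which is presumably already the owner of the fixture-created repository, so it exercises a no-op rather than the escalation the commit closes; `updates = {'owner': self.TEST_USER_LOGIN}` would make the test reflect the real loophole (a repository.admin user taking ownership). It also only compares the error text and never verifies that the owner is unchanged after the call; reading the repository's owner back through the project's repo model inside the `try` and asserting it is still the admin would pin the actual property rather than the message. The enclosing test class, and any counterpart test that an admin can still set `owner`, are outside the hunk.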