changeset 3864:1aefa8d864e4 beta

Do read-access checks on the "attach as fork of" repo list. We shouldn't leak repo names here that we don't have access to
author Marcin Kuzminski <marcin@python-works.com>
date Fri, 17 May 2013 21:12:54 +0200
parents 794e6eaad4aa
children 100be6988bb0
files rhodecode/controllers/admin/repos.py rhodecode/model/scm.py
diffstat 2 files changed, 17 insertions(+), 4 deletions(-) [+]
--- a/rhodecode/controllers/admin/repos.py	Fri May 17 20:58:31 2013 +0200
+++ b/rhodecode/controllers/admin/repos.py	Fri May 17 21:12:54 2013 +0200
@@ -46,7 +46,7 @@
 from rhodecode.model.db import User, Repository, UserFollowing, RepoGroup,\
     RhodeCodeSetting, RepositoryField
 from rhodecode.model.forms import RepoForm, RepoFieldForm, RepoPermsForm
-from rhodecode.model.scm import ScmModel, RepoGroupList
+from rhodecode.model.scm import ScmModel, RepoGroupList, RepoList
 from rhodecode.model.repo import RepoModel
 from rhodecode.lib.compat import json
 from sqlalchemy.sql.expression import func
@@ -123,10 +123,12 @@
 
         defaults = RepoModel()._get_defaults(repo_name)
 
+        _repos = Repository.query().order_by(Repository.repo_name).all()
+        read_access_repos = RepoList(_repos)
         c.repos_list = [('', _('--REMOVE FORK--'))]
-        c.repos_list += [(x.repo_id, x.repo_name) for x in
-                    Repository.query().order_by(Repository.repo_name).all()
-                    if x.repo_id != c.repo_info.repo_id]
+        c.repos_list += [(x.repo_id, x.repo_name)
+                         for x in read_access_repos
+                         if x.repo_id != c.repo_info.repo_id]
 
         defaults['id_fork_of'] = db_repo.fork.repo_id if db_repo.fork else ''
         return defaults
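Review bot: `defaults['id_fork_of']` on the line after the new list is still taken from `db_repo.fork` without checking that the parent survived the `RepoList` filter, so when the current user cannot read the fork's parent the select is handed a value that has no matching option. How the form then treats `id_fork_of` is not visible here; it may reject the submission or silently drop the fork relation, and either outcome should be a deliberate choice rather than a side effect of the filter. One way to make it explicit, without putting the unreadable name back on the page, is `fork_id = db_repo.fork.repo_id if db_repo.fork else ''` followed by `defaults['id_fork_of'] = fork_id if any(rid == fork_id for rid, _ in c.repos_list) else ''`. Separately, `_repos` is a plain local, so the leading underscore is unconventional; `all_repos` says what it holds. The enclosing method starts outside the hunk.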
--- a/rhodecode/model/scm.py	Fri May 17 20:58:31 2013 +0200
+++ b/rhodecode/model/scm.py	Fri May 17 21:12:54 2013 +0200
@@ -197,6 +197,17 @@
             yield db_obj
 
 
+class RepoList(_PermCheckIterator):
+
+    def __init__(self, db_repo_list, perm_set=None):
+        if not perm_set:
+            perm_set = ['repository.read', 'repository.write', 'repository.admin']
+
+        super(RepoList, self).__init__(obj_list=db_repo_list,
+                    obj_attr='repo_name', perm_set=perm_set,
+                    perm_checker=HasRepoPermissionAny)
+
+
 class RepoGroupList(_PermCheckIterator):
 
     def __init__(self, db_repo_group_list, perm_set=None):
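Review bot: The new `RepoList.__init__` tests `if not perm_set:`, so a caller passing an explicit empty list gets the full read/write/admin set substituted, which is the opposite of what an empty permission set would mean; `if perm_set is None:` limits the defaulting to the absent case (the sibling `RepoGroupList` below shows the same pattern and could be fixed alongside). The class also has no docstring; I'd add one along the lines of `"""Iterate over *db_repo_list*, yielding only repositories for which the current user holds one of *perm_set* (any of read/write/admin by default), as decided by HasRepoPermissionAny."""`, hedged because `_PermCheckIterator` and `HasRepoPermissionAny` are defined outside the hunk. The hunk does not add an import for `HasRepoPermissionAny`, so I assume scm.py already imports it for `RepoGroupList`.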