changeset 3864:1aefa8d864e4 beta
Do read only checks on attach as fork of repo list.
We shouldn't leak the names of repos to which we
don't have access here.
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Fri, 17 May 2013 21:12:54 +0200 |
parents | 794e6eaad4aa |
children | 100be6988bb0 |
files | rhodecode/controllers/admin/repos.py rhodecode/model/scm.py |
diffstat | 2 files changed, 17 insertions(+), 4 deletions(-) [+] |
--- a/rhodecode/controllers/admin/repos.py Fri May 17 20:58:31 2013 +0200
+++ b/rhodecode/controllers/admin/repos.py Fri May 17 21:12:54 2013 +0200
@@ -46,7 +46,7 @@
 from rhodecode.model.db import User, Repository, UserFollowing, RepoGroup,\
 RhodeCodeSetting, RepositoryField
 from rhodecode.model.forms import RepoForm, RepoFieldForm, RepoPermsForm
-from rhodecode.model.scm import ScmModel, RepoGroupList
+from rhodecode.model.scm import ScmModel, RepoGroupList, RepoList
 from rhodecode.model.repo import RepoModel
 from rhodecode.lib.compat import json
 from sqlalchemy.sql.expression import func
@@ -123,10 +123,12 @@
 defaults = RepoModel()._get_defaults(repo_name)
+ _repos = Repository.query().order_by(Repository.repo_name).all()
+ read_access_repos = RepoList(_repos)
 c.repos_list = [('', _('--REMOVE FORK--'))]
- c.repos_list += [(x.repo_id, x.repo_name) for x in
- Repository.query().order_by(Repository.repo_name).all()
- if x.repo_id != c.repo_info.repo_id]
+ c.repos_list += [(x.repo_id, x.repo_name)
+ for x in read_access_repos
+ if x.repo_id != c.repo_info.repo_id]
 defaults['id_fork_of'] = db_repo.fork.repo_id if db_repo.fork else ''
 return defaults
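Review bot: The read check added in the second hunk (`read_access_repos = RepoList(_repos)`) only filters the options rendered in the fork-of dropdown; whichever handler consumes the submitted `id_fork_of` is outside this diff and, if it does not repeat the check, would still accept an id for a repository the user cannot read. It is worth confirming that path enforces the same permission, and recording the intent here with a comment such as `# display filter only: the handler that saves id_fork_of must re-check read access`. Separately, `defaults['id_fork_of']` is still set from `db_repo.fork.repo_id` even when the current parent has been filtered out of `c.repos_list`, so the form may render with no matching option; that case probably deserves explicit handling. The enclosing function starts above the hunk.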
--- a/rhodecode/model/scm.py Fri May 17 20:58:31 2013 +0200
+++ b/rhodecode/model/scm.py Fri May 17 21:12:54 2013 +0200
@@ -197,6 +197,17 @@
 yield db_obj
+class RepoList(_PermCheckIterator):
+
+ def __init__(self, db_repo_list, perm_set=None):
+ if not perm_set:
+ perm_set = ['repository.read', 'repository.write', 'repository.admin']
+
+ super(RepoList, self).__init__(obj_list=db_repo_list,
+ obj_attr='repo_name', perm_set=perm_set,
+ perm_checker=HasRepoPermissionAny)
+
+
 class RepoGroupList(_PermCheckIterator):
 def __init__(self, db_repo_group_list, perm_set=None):
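Review bot: `if not perm_set:` in `RepoList.__init__` treats an explicitly empty `perm_set` the same as `None`, so a caller that passes `[]` silently gets the full read/write/admin default instead of an empty permission set; `if perm_set is None:` would apply the default only when the argument is omitted. The class also has no docstring; something like `"""Iterate over db_repo_list, yielding only repositories on which the current user holds one of perm_set."""` would document the contract, assuming that is what `_PermCheckIterator` does (its body is outside this hunk). Only the signature of the neighbouring `RepoGroupList.__init__` is visible here, so it may want the same change if it follows the same pattern.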