changeset 7308:959e009afcae stable

repos: add missing access control check for repository permission management. This issue was found and reported by Kacper Szurek https://security.szurek.pl/
author Mads Kiilerich <mads@kiilerich.com>
date Mon, 07 May 2018 00:49:44 +0200
parents 92c573bd63cb
children f359ebe73041
files kallithea/controllers/admin/repos.py kallithea/tests/functional/test_admin_permissions.py
diffstat 2 files changed, 8 insertions(+), 6 deletions(-) [+]
--- a/kallithea/controllers/admin/repos.py	Mon May 07 00:49:44 2018 +0200
+++ b/kallithea/controllers/admin/repos.py	Mon May 07 00:49:44 2018 +0200
@@ -363,6 +363,7 @@
             encoding="UTF-8",
             force_defaults=False)
 
+    @HasRepoPermissionAllDecorator('repository.admin')
     def edit_permissions_update(self, repo_name):
         form = RepoPermsForm()().to_python(request.POST)
         RepoModel()._update_permissions(repo_name, form['perms_new'],
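Review bot: The added `@HasRepoPermissionAllDecorator('repository.admin')` closes the hole for this action, but nothing in the hunk documents that requirement, and the same omission could exist on sibling actions of this controller (the GET `edit_permissions` that renders the form, and the other settings actions) which are outside the hunk and can't be checked here. A one-line docstring would make the contract explicit for the next maintainer: `"""Apply permission changes from the repo permissions form; requires repository.admin on repo_name (enforced by the decorator)."""`. The decorator now runs before `RepoPermsForm()().to_python(request.POST)`, so form parsing no longer happens for callers without the permission, which is the desirable ordering. The body of `edit_permissions_update` continues past the hunk.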
@@ -374,6 +375,7 @@
         h.flash(_('Repository permissions updated'), category='success')
         return redirect(url('edit_repo_perms', repo_name=repo_name))
 
+    @HasRepoPermissionAllDecorator('repository.admin')
     def edit_permissions_revoke(self, repo_name):
         try:
             obj_type = request.POST.get('obj_type')
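Review bot: The `try:` body and its `except` clauses for `edit_permissions_revoke` lie outside the hunk, so it cannot be judged here whether a missing or unexpected `obj_type` is reported or silently swallowed; the decorator at least guarantees that an authorization failure is raised before the `try` and cannot be caught by it. A short docstring stating the requirement would be worth adding: `"""Revoke one user's or group's permission on repo_name; requires repository.admin (enforced by the decorator)."""`. The method body continues past the hunk.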
--- a/kallithea/tests/functional/test_admin_permissions.py	Mon May 07 00:49:44 2018 +0200
+++ b/kallithea/tests/functional/test_admin_permissions.py	Mon May 07 00:49:44 2018 +0200
@@ -49,8 +49,7 @@
     def test_edit_permissions_permissions(self):
         user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
 
-        # Test unauthenticated access
-        # FIXME: access without authentication
+        # Test unauthenticated access - it will redirect to login page
         response = self.app.post(
             url('edit_repo_perms_update', repo_name=HG_REPO),
             params=dict(
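Review bot: As far as the visible test goes, `test_edit_permissions_permissions` exercises only the unauthenticated case (redirect to login) and, further down, an authenticated `self.log_user()` session; the reported issue is that an authenticated user without `repository.admin` on the repo could manage its permissions, and that case does not appear to be asserted anywhere in the diff. A regression test that logs in as `TEST_USER_REGULAR_LOGIN`, POSTs to `edit_repo_perms_update` and `edit_repo_perms_revoke`, and asserts the 403 (or whatever denial the decorator produces for logged-in users) would pin the actual fix rather than the login redirect alone. The test function continues past the hunk.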
@@ -61,9 +60,9 @@
                 _authentication_token=self.authentication_token()),
             status=302)
 
-        assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+        assert not response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+        assert response.location.endswith(url('login_home', came_from=url('edit_repo_perms_update', repo_name=HG_REPO)))
 
-        # FIXME: access without authentication
         response = self.app.post(
             url('edit_repo_perms_revoke', repo_name=HG_REPO),
             params=dict(
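Review bot: The new `assert not response.location.endswith(url('edit_repo_perms_update', ...))` is made redundant by the positive assertion on the next line, which already pins the location to the login URL with `came_from`; keeping both adds noise without extra coverage, and the negative one alone would pass for any wrong redirect target. Suggest dropping the `assert not ...` line and keeping only `assert response.location.endswith(url('login_home', came_from=url('edit_repo_perms_update', repo_name=HG_REPO)))`. The test function continues on both sides of the hunk.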
@@ -71,8 +70,9 @@
                 obj_type='user',
                 user_id=user.user_id,
                 _authentication_token=self.authentication_token()),
-            status=200) # success has no content
-        assert not response.body
+            status=302)
+
+        assert response.location.endswith(url('login_home', came_from=url('edit_repo_perms_update', repo_name=HG_REPO)))
 
         # Test authenticated access
         self.log_user()
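Review bot: The new assertion after the revoke request checks `came_from=url('edit_repo_perms_update', ...)` although the request was sent to `edit_repo_perms_revoke`; if the two routes map to the same path (plausible for a REST-style resource distinguished by method) this passes by coincidence, otherwise it is a copy-paste slip. Using `came_from=url('edit_repo_perms_revoke', repo_name=HG_REPO)` states the intent unambiguously and would not depend on route layout. The "Test authenticated access" section that follows `self.log_user()` is outside the hunk, so whether the denied-but-authenticated case is covered there cannot be confirmed here.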