changeset 7308:959e009afcae stable
repos: add missing access control check for repository permission management
This issue was found and reported by
Kacper Szurek
https://security.szurek.pl/
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Mon, 07 May 2018 00:49:44 +0200 |
parents | 92c573bd63cb |
children | f359ebe73041 |
files | kallithea/controllers/admin/repos.py kallithea/tests/functional/test_admin_permissions.py |
diffstat | 2 files changed, 8 insertions(+), 6 deletions(-) [+] |
--- a/kallithea/controllers/admin/repos.py Mon May 07 00:49:44 2018 +0200
+++ b/kallithea/controllers/admin/repos.py Mon May 07 00:49:44 2018 +0200
@@ -363,6 +363,7 @@
 encoding="UTF-8", force_defaults=False)
 
+ @HasRepoPermissionAllDecorator('repository.admin')
 def edit_permissions_update(self, repo_name):
 form = RepoPermsForm()().to_python(request.POST)
 RepoModel()._update_permissions(repo_name, form['perms_new'],
@@ -374,6 +375,7 @@
 h.flash(_('Repository permissions updated'), category='success')
 return redirect(url('edit_repo_perms', repo_name=repo_name))
 
+ @HasRepoPermissionAllDecorator('repository.admin')
 def edit_permissions_revoke(self, repo_name):
 try:
 obj_type = request.POST.get('obj_type')
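Review bot: The two added `@HasRepoPermissionAllDecorator('repository.admin')` lines close the gap on the POST handlers, but nothing in the hunk records why the check has to sit on each mutating action, so the next method added to this controller can repeat the omission; a one-line comment above each decorator, e.g. `# Authorization is per action: the guard on the edit-form view does not cover these POST handlers.`, would make the invariant explicit to a later maintainer. The accompanying test change only exercises the unauthenticated path (redirect to login); the case this decorator actually exists for is an authenticated user who lacks `repository.admin` on the repository, and that case is not visible in either hunk, so a regression test for it would be worth adding. Both `edit_permissions_update` and `edit_permissions_revoke` continue outside the hunk, and the hunk count for the first hunk suggests one context line is not shown here.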
--- a/kallithea/tests/functional/test_admin_permissions.py Mon May 07 00:49:44 2018 +0200
+++ b/kallithea/tests/functional/test_admin_permissions.py Mon May 07 00:49:44 2018 +0200
@@ -49,8 +49,7 @@
 def test_edit_permissions_permissions(self):
 user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
 
- # Test unauthenticated access
- # FIXME: access without authentication
+ # Test unauthenticated access - it will redirect to login page
 response = self.app.post(
 url('edit_repo_perms_update', repo_name=HG_REPO),
 params=dict(
@@ -61,9 +60,9 @@
 _authentication_token=self.authentication_token()),
 status=302)
 
- assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+ assert not response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
+ assert response.location.endswith(url('login_home', came_from=url('edit_repo_perms_update', repo_name=HG_REPO)))
 
- # FIXME: access without authentication
 response = self.app.post(
 url('edit_repo_perms_revoke', repo_name=HG_REPO),
 params=dict(
@@ -71,8 +70,9 @@
 obj_type='user',
 user_id=user.user_id,
 _authentication_token=self.authentication_token()),
- status=200) # success has no content
- assert not response.body
+ status=302)
+
+ assert response.location.endswith(url('login_home', came_from=url('edit_repo_perms_update', repo_name=HG_REPO)))
 
 # Test authenticated access
 self.log_user()
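Review bot: The assertion added in the last hunk, after the POST to `edit_repo_perms_revoke`, checks `came_from=url('edit_repo_perms_update', ...)`, although the request just issued went to the revoke route; unless the login redirect normalizes `came_from`, this looks like a copy-paste slip from the hunk above and should read `assert response.location.endswith(url('login_home', came_from=url('edit_repo_perms_revoke', repo_name=HG_REPO)))`. As written it either fails or passes for the wrong reason, and in the latter case it would not notice a future regression on the revoke handler specifically. The unauthenticated checks now pin the redirect to login, but the "Test authenticated access" section that follows `self.log_user()` is outside the hunk; if it logs in as an administrator, a case for a logged-in user without `repository.admin` on `HG_REPO`, asserting denial rather than a redirect to login, would cover the condition the controller change targets. `test_edit_permissions_permissions` begins and ends outside the visible hunks.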