Changeset - 0b7b52bfaf5d
stable
Mads Kiilerich - 10 years ago 2015-07-07 02:25:59
madski@unity3d.com
api: make update_repo check permissions to check owner like create_repo does

Close loophole for reassigning repository owners.

Test by Thomas De Schampheleire.
2 files changed with 22 insertions and 0 deletions:
kallithea/controllers/api/api.py
 
@@ -1561,6 +1561,12 @@ class ApiController(JSONRPCController):
 
                ):
 
                raise JSONRPCError('no permission to create (or move) repositories')
 

	
 
            if not isinstance(owner, Optional):
 
                #forbid setting owner for non-admins
 
                raise JSONRPCError(
 
                    'Only Kallithea admin can specify `owner` param'
 
                )
 

	
 
        updates = {
 
            # update function requires this.
 
            'repo_name': repo.repo_name
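Review bot: The new `owner` guard on the `if not isinstance(owner, Optional):` line reads as a near copy of the one the commit title says create_repo already performs, so the two checks can drift apart; consider moving the `isinstance(owner, Optional)` test and its error string into one private helper on ApiController that both entry points call. The comment on the `#forbid setting owner for non-admins` line is also missing the PEP 8 space after `#` and states what rather than why; `# Only admins may reassign ownership: anything other than the Optional sentinel means the caller supplied an owner` would carry the intent. Whether this branch is reached only for non-admin callers cannot be confirmed from the hunk, since the enclosing `if` and the rest of update_repo start and end outside it.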
kallithea/tests/api/api_base.py
 
@@ -1221,6 +1221,22 @@ class BaseTestApi(object):
 
            fixture.destroy_repo(repo_name)
 
            fixture.destroy_repo(new_repo_name)
 

	
 
    def test_api_update_repo_regular_user_change_owner(self):
 
        repo_name = 'admin_owned'
 
        fixture.create_repo(repo_name, repo_type=self.REPO_TYPE)
 
        RepoModel().grant_user_permission(repo=repo_name,
 
                                          user=self.TEST_USER_LOGIN,
 
                                          perm='repository.admin')
 
        updates = {'owner': TEST_USER_ADMIN_LOGIN}
 
        id_, params = _build_data(self.apikey_regular, 'update_repo',
 
                                  repoid=repo_name, **updates)
 
        response = api_call(self, params)
 
        try:
 
            expected = 'Only Kallithea admin can specify `owner` param'
 
            self._compare_error(id_, expected, given=response.body)
 
        finally:
 
            fixture.destroy_repo(repo_name)
 

	
 
    def test_api_delete_repo(self):
 
        repo_name = 'api_delete_me'
 
        fixture.create_repo(repo_name, repo_type=self.REPO_TYPE)
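Review bot: The repository created on the `fixture.create_repo(repo_name, repo_type=self.REPO_TYPE)` line of test_api_update_repo_regular_user_change_owner is only destroyed if execution reaches the `try:`; an exception raised by `grant_user_permission`, `_build_data` or `api_call` leaks it into later tests that reuse the fixture. Move `try:` to the line directly after `fixture.create_repo(...)` so the `finally` covers those calls as well. The test also asserts only the error text; checking afterwards that the repository's owner is unchanged would pin the behaviour the commit description calls closing the loophole, though which model accessor to use for that is not visible in this hunk.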