kallithea Changeset - 0b7b52bfaf5d

Changeset - 0b7b52bfaf5d

Parent rev.

Child rev.

[Not reviewed]

stable

0 2 0

Mads Kiilerich - 10 years ago 2015-07-07 02:25:59
madski@unity3d.com

api: make update_repo check permissions to check owner like create_repo does

Close loophole for reassigning repository owners.

Test by Thomas De Schampheleire.

2 files changed with 22 insertions and 0 deletions:

kallithea/controllers/api/api.py

kallithea/tests/api/api_base.py

0 comments (0 inline, 0 general)

kallithea/controllers/api/api.py

➞

Show inline comments

@@ @@ -1558,12 +1558,18 @@ class ApiController(JSONRPCController): @@
             if (name != repo.repo_name and
                 not HasPermissionAnyApi('hg.create.repository')(user=apiuser)
                 ):
                 raise JSONRPCError('no permission to create (or move) repositories')
             if not isinstance(owner, Optional):
                 #forbid setting owner for non-admins
                 raise JSONRPCError(
                     'Only Kallithea admin can specify `owner` param'
+                )
         updates = {
             # update function requires this.
             'repo_name': repo.repo_name
+        }
         repo_group = group
         if not isinstance(repo_group, Optional):

kallithea/tests/api/api_base.py

➞

Show inline comments

@@ @@ -1218,12 +1218,28 @@ class BaseTestApi(object): @@
+            }
             self._compare_ok(id_, expected, given=response.body)
         finally:
             fixture.destroy_repo(repo_name)
             fixture.destroy_repo(new_repo_name)
     def test_api_update_repo_regular_user_change_owner(self):
         repo_name = 'admin_owned'
         fixture.create_repo(repo_name, repo_type=self.REPO_TYPE)
         RepoModel().grant_user_permission(repo=repo_name,
                                           user=self.TEST_USER_LOGIN,
                                           perm='repository.admin')
         updates = {'owner': TEST_USER_ADMIN_LOGIN}
         id_, params = _build_data(self.apikey_regular, 'update_repo',
                                   repoid=repo_name, **updates)
         response = api_call(self, params)
         try:
             expected = 'Only Kallithea admin can specify `owner` param'
             self._compare_error(id_, expected, given=response.body)
         finally:
             fixture.destroy_repo(repo_name)
     def test_api_delete_repo(self):
         repo_name = 'api_delete_me'
         fixture.create_repo(repo_name, repo_type=self.REPO_TYPE)
         id_, params = _build_data(self.apikey, 'delete_repo',
                                   repoid=repo_name, )

0 comments (0 inline, 0 general)