Changeset - 1aefa8d864e4
Parent rev.
Child rev.
[Not reviewed]
beta
0 2 0
Marcin Kuzminski - 13 years ago 2013-05-17 21:12:54
marcin@python-works.com
Do read only checks on attach as fork of repo list.
We shouldn't leak repo names here to which we don't
have access
2 files changed with 16 insertions and 3 deletions:
rhodecode/controllers/admin/repos.py
5
3
rhodecode/model/scm.py
11
0 comments (0 inline, 0 general)
rhodecode/controllers/admin/repos.py
Show inline comments
 
@@ -37,25 +37,25 @@ from sqlalchemy.exc import IntegrityErro
 
import rhodecode
 
from rhodecode.lib import helpers as h
 
from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator, \
 
    HasPermissionAnyDecorator, HasRepoPermissionAllDecorator, NotAnonymous,\
 
    HasPermissionAny, HasReposGroupPermissionAny, HasRepoPermissionAnyDecorator
 
from rhodecode.lib.base import BaseRepoController, render
 
from rhodecode.lib.utils import action_logger, repo_name_slug
 
from rhodecode.lib.helpers import get_token
 
from rhodecode.model.meta import Session
 
from rhodecode.model.db import User, Repository, UserFollowing, RepoGroup,\
 
    RhodeCodeSetting, RepositoryField
 
from rhodecode.model.forms import RepoForm, RepoFieldForm, RepoPermsForm
 
from rhodecode.model.scm import ScmModel, RepoGroupList
 
from rhodecode.model.scm import ScmModel, RepoGroupList, RepoList
 
from rhodecode.model.repo import RepoModel
 
from rhodecode.lib.compat import json
 
from sqlalchemy.sql.expression import func
 
from rhodecode.lib.exceptions import AttachedForksError
 
from rhodecode.lib.utils2 import safe_int
 

			




	
	
	
		
 
log = logging.getLogger(__name__)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class ReposController(BaseRepoController):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    REST Controller styled on the Atom Publishing Protocol"""

			




	
	
		
 
@@ -114,27 +114,29 @@ class ReposController(BaseRepoController

			




	
	
	
		
 

			




	
	
	
		
 
        if last_rev == 0 or c.repo_last_rev == 0:

			




	
	
	
		
 
            c.stats_percentage = 0

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            c.stats_percentage = '%.2f' % ((float((last_rev)) /

			




	
	
	
		
 
                                            c.repo_last_rev) * 100)

			




	
	
	
		
 

			




	
	
	
		
 
        c.repo_fields = RepositoryField.query()\

			




	
	
	
		
 
            .filter(RepositoryField.repository == db_repo).all()

			




	
	
	
		
 

			




	
	
	
		
 
        defaults = RepoModel()._get_defaults(repo_name)

			




	
	
	
		
 

			




	
	
	
		
 
        _repos = Repository.query().order_by(Repository.repo_name).all()

			




	
	
	
		
 
        read_access_repos = RepoList(_repos)

			




	
	
	
		
 
        c.repos_list = [('', _('--REMOVE FORK--'))]

			




	
	
	
		
 
        c.repos_list += [(x.repo_id, x.repo_name) for x in

			




	
	
	
		
 
                    Repository.query().order_by(Repository.repo_name).all()

			




	
	
	
		
 
        c.repos_list += [(x.repo_id, x.repo_name)

			




	
	
	
		
 
                         for x in read_access_repos

			




	
	
	
		
 
                    if x.repo_id != c.repo_info.repo_id]

			




	
	
	
		
 

			




	
	
	
		
 
        defaults['id_fork_of'] = db_repo.fork.repo_id if db_repo.fork else ''

			




	
	
	
		
 
        return defaults

			




	
	
	
		
 

			




	
	
	
		
 
    @HasPermissionAllDecorator('hg.admin')

			




	
	
	
		
 
    def index(self, format='html'):

			




	
	
	
		
 
        """GET /repos: All items in the collection"""

			




	
	
	
		
 
        # url('repos')

			




	
	
	
		
 

			




	
	
	
		
 
        c.repos_list = Repository.query()\

			




	
	
	
		
 
                        .order_by(func.lower(Repository.repo_name))\

			




        

    


    
    

    

        

                

                    rhodecode/model/scm.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -188,24 +188,35 @@ class _PermCheckIterator(object):

			




	
	
	
		
 
        return '<%s (%s)>' % (self.__class__.__name__, self.__len__())

			




	
	
	
		
 

			




	
	
	
		
 
    def __iter__(self):

			




	
	
	
		
 
        for db_obj in self.obj_list:

			




	
	
	
		
 
            # check permission at this level

			




	
	
	
		
 
            name = getattr(db_obj, self.obj_attr, None)

			




	
	
	
		
 
            if not self.perm_checker(*self.perm_set)(name, self.__class__.__name__):

			




	
	
	
		
 
                continue

			




	
	
	
		
 

			




	
	
	
		
 
            yield db_obj

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class RepoList(_PermCheckIterator):

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, db_repo_list, perm_set=None):

			




	
	
	
		
 
        if not perm_set:

			




	
	
	
		
 
            perm_set = ['repository.read', 'repository.write', 'repository.admin']

			




	
	
	
		
 

			




	
	
	
		
 
        super(RepoList, self).__init__(obj_list=db_repo_list,

			




	
	
	
		
 
                    obj_attr='repo_name', perm_set=perm_set,

			




	
	
	
		
 
                    perm_checker=HasRepoPermissionAny)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class RepoGroupList(_PermCheckIterator):

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, db_repo_group_list, perm_set=None):

			




	
	
	
		
 
        if not perm_set:

			




	
	
	
		
 
            perm_set = ['group.read', 'group.write', 'group.admin']

			




	
	
	
		
 

			




	
	
	
		
 
        super(RepoGroupList, self).__init__(obj_list=db_repo_group_list,

			




	
	
	
		
 
                    obj_attr='group_name', perm_set=perm_set,

			




	
	
	
		
 
                    perm_checker=HasReposGroupPermissionAny)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class UserGroupList(_PermCheckIterator):

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.