Changeset - 1aefa8d864e4
Parent rev.
Child rev.
[Not reviewed]
beta
0 2 0
Marcin Kuzminski - 13 years ago 2013-05-17 21:12:54
marcin@python-works.com
Do read only checks on attach as fork of repo list.
We shouldn't leak repo names here to which we don't
have access
2 files changed with 16 insertions and 3 deletions:
rhodecode/controllers/admin/repos.py
5
3
rhodecode/model/scm.py
11
0 comments (0 inline, 0 general)
rhodecode/controllers/admin/repos.py
Show inline comments
 
@@ -43,13 +43,13 @@ from rhodecode.lib.base import BaseRepoC
 
from rhodecode.lib.utils import action_logger, repo_name_slug
 
from rhodecode.lib.helpers import get_token
 
from rhodecode.model.meta import Session
 
from rhodecode.model.db import User, Repository, UserFollowing, RepoGroup,\
 
    RhodeCodeSetting, RepositoryField
 
from rhodecode.model.forms import RepoForm, RepoFieldForm, RepoPermsForm
 
from rhodecode.model.scm import ScmModel, RepoGroupList
 
from rhodecode.model.scm import ScmModel, RepoGroupList, RepoList
 
from rhodecode.model.repo import RepoModel
 
from rhodecode.lib.compat import json
 
from sqlalchemy.sql.expression import func
 
from rhodecode.lib.exceptions import AttachedForksError
 
from rhodecode.lib.utils2 import safe_int
 

			




	
	
		
 
@@ -120,15 +120,17 @@ class ReposController(BaseRepoController

			




	
	
	
		
 

			




	
	
	
		
 
        c.repo_fields = RepositoryField.query()\

			




	
	
	
		
 
            .filter(RepositoryField.repository == db_repo).all()

			




	
	
	
		
 

			




	
	
	
		
 
        defaults = RepoModel()._get_defaults(repo_name)

			




	
	
	
		
 

			




	
	
	
		
 
        _repos = Repository.query().order_by(Repository.repo_name).all()

			




	
	
	
		
 
        read_access_repos = RepoList(_repos)

			




	
	
	
		
 
        c.repos_list = [('', _('--REMOVE FORK--'))]

			




	
	
	
		
 
        c.repos_list += [(x.repo_id, x.repo_name) for x in

			




	
	
	
		
 
                    Repository.query().order_by(Repository.repo_name).all()

			




	
	
	
		
 
        c.repos_list += [(x.repo_id, x.repo_name)

			




	
	
	
		
 
                         for x in read_access_repos

			




	
	
	
		
 
                    if x.repo_id != c.repo_info.repo_id]

			




	
	
	
		
 

			




	
	
	
		
 
        defaults['id_fork_of'] = db_repo.fork.repo_id if db_repo.fork else ''

			




	
	
	
		
 
        return defaults

			




	
	
	
		
 

			




	
	
	
		
 
    @HasPermissionAllDecorator('hg.admin')

			




        

    


    
    

    

        

                

                    rhodecode/model/scm.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -194,12 +194,23 @@ class _PermCheckIterator(object):

			




	
	
	
		
 
            if not self.perm_checker(*self.perm_set)(name, self.__class__.__name__):

			




	
	
	
		
 
                continue

			




	
	
	
		
 

			




	
	
	
		
 
            yield db_obj

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class RepoList(_PermCheckIterator):

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, db_repo_list, perm_set=None):

			




	
	
	
		
 
        if not perm_set:

			




	
	
	
		
 
            perm_set = ['repository.read', 'repository.write', 'repository.admin']

			




	
	
	
		
 

			




	
	
	
		
 
        super(RepoList, self).__init__(obj_list=db_repo_list,

			




	
	
	
		
 
                    obj_attr='repo_name', perm_set=perm_set,

			




	
	
	
		
 
                    perm_checker=HasRepoPermissionAny)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class RepoGroupList(_PermCheckIterator):

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, db_repo_group_list, perm_set=None):

			




	
	
	
		
 
        if not perm_set:

			




	
	
	
		
 
            perm_set = ['group.read', 'group.write', 'group.admin']

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.