kallithea Changeset - 1aefa8d864e4

Changeset - 1aefa8d864e4

Parent rev.

Child rev.

[Not reviewed]

beta

0 2 0

Marcin Kuzminski - 12 years ago 2013-05-17 21:12:54
marcin@python-works.com

Do read only checks on attach as fork of repo list.
We shouldn't leak repo names here to which we don't
have access

2 files changed with 16 insertions and 3 deletions:

rhodecode/controllers/admin/repos.py

rhodecode/model/scm.py

0 comments (0 inline, 0 general)

rhodecode/controllers/admin/repos.py

➞

Show inline comments

@@ @@ -46,7 +46,7 @@ from rhodecode.model.meta import Session @@
 from rhodecode.model.db import User, Repository, UserFollowing, RepoGroup,\
     RhodeCodeSetting, RepositoryField
 from rhodecode.model.forms import RepoForm, RepoFieldForm, RepoPermsForm
 from rhodecode.model.scm import ScmModel, RepoGroupList
+from rhodecode.model.scm import ScmModel, RepoGroupList, RepoList
 from rhodecode.model.repo import RepoModel
 from rhodecode.lib.compat import json
 from sqlalchemy.sql.expression import func
@@ @@ -123,9 +123,11 @@ class ReposController(BaseRepoController @@
         defaults = RepoModel()._get_defaults(repo_name)
         _repos = Repository.query().order_by(Repository.repo_name).all()
         read_access_repos = RepoList(_repos)
         c.repos_list = [('', _('--REMOVE FORK--'))]
         c.repos_list += [(x.repo_id, x.repo_name) for x in
                     Repository.query().order_by(Repository.repo_name).all()
         c.repos_list += [(x.repo_id, x.repo_name)
                          for x in read_access_repos
                     if x.repo_id != c.repo_info.repo_id]
         defaults['id_fork_of'] = db_repo.fork.repo_id if db_repo.fork else ''

rhodecode/model/scm.py

➞

Show inline comments

@@ @@ -197,6 +197,17 @@ class _PermCheckIterator(object): @@
             yield db_obj
 class RepoList(_PermCheckIterator):
     def __init__(self, db_repo_list, perm_set=None):
         if not perm_set:
             perm_set = ['repository.read', 'repository.write', 'repository.admin']
         super(RepoList, self).__init__(obj_list=db_repo_list,
                     obj_attr='repo_name', perm_set=perm_set,
                     perm_checker=HasRepoPermissionAny)
 class RepoGroupList(_PermCheckIterator):
     def __init__(self, db_repo_group_list, perm_set=None):

0 comments (0 inline, 0 general)