kallithea Changeset - 72bed56219d6

Changeset - 72bed56219d6

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Marcin Kuzminski - 15 years ago 2010-10-18 03:06:38
marcin@python-works.com

security bugfix simplehg wasn't checking for permissions on remote commands different than pull or push.

1 file changed with 15 insertions and 11 deletions:

rhodecode/lib/middleware/simplehg.py

0 comments (0 inline, 0 general)

rhodecode/lib/middleware/simplehg.py

➞

Show inline comments

@@ @@ -87,14 +87,16 @@ class SimpleHg(object): @@
                 log.error(traceback.format_exc())
                 return HTTPInternalServerError()(environ, start_response)
             #check permissions for this repository
             if action == 'pull':
                 if not HasPermissionAnyMiddleware('repository.read',
                                                   'repository.write',
             if action == 'push':
                 if not HasPermissionAnyMiddleware('repository.write',
                                                   'repository.admin')\
                                                     (user, repo_name):
                     return HTTPForbidden()(environ, start_response)
             if action == 'push':
                 if not HasPermissionAnyMiddleware('repository.write',
             else:
                 if not HasPermissionAnyMiddleware('repository.read',
                                                   'repository.write',
                                                   'repository.admin')\
                                                     (user, repo_name):
                     return HTTPForbidden()(environ, start_response)
@@ @@ -141,9 +143,9 @@ class SimpleHg(object): @@
         Wrapper for custom messages that come out of mercurial respond messages
         is a list of messages that the user will see at the end of response
         from merurial protocol actions that involves remote answers
         @param app:
         @param environ:
         @param start_response:
         :param app:
         :param environ:
         :param start_response:
         """
         def custom_messages(msg_list):
             for msg in msg_list:
@@ @@ -164,7 +166,8 @@ class SimpleHg(object): @@
     def __get_action(self, environ):
         """
         Maps mercurial request commands into a pull or push command.
         @param environ:
         This should return generally always something
         :param environ:
         """
         mapping = {'changegroup': 'pull',
                    'changegroupsubset': 'pull',
@@ @@ -172,12 +175,13 @@ class SimpleHg(object): @@
                    'listkeys': 'pull',
                    'unbundle': 'push',
                    'pushkey': 'push', }
         for qry in environ['QUERY_STRING'].split('&'):
             if qry.startswith('cmd'):
                 cmd = qry.split('=')[-1]
                 if mapping.has_key(cmd):
                     return mapping[cmd]
                 else:
                     return cmd
     def __log_user_action(self, user, action, repo, ipaddr):
         action_logger(user, action, repo, ipaddr)
@@ @@ -191,7 +195,7 @@ class SimpleHg(object): @@
     def __load_web_settings(self, hgserve):
         #set the global ui for hgserve
+        #set the global ui for hgserve instance passed
         hgserve.repo.ui = self.baseui
         hgrc = os.path.join(self.repo_path, '.hg', 'hgrc')

0 comments (0 inline, 0 general)