Changeset - 959e009afcae
stable
Mads Kiilerich - 8 years ago 2018-05-07 00:49:44
mads@kiilerich.com
repos: add missing access control check for repository permission management

This issue was found and reported by
Kacper Szurek
https://security.szurek.pl/
2 files changed with 8 insertions and 6 deletions:
kallithea/controllers/admin/repos.py
 
@@ -363,6 +363,7 @@ class ReposController(BaseRepoController
 
            encoding="UTF-8",
 
            force_defaults=False)
 

	
 
    @HasRepoPermissionAllDecorator('repository.admin')
 
    def edit_permissions_update(self, repo_name):
 
        form = RepoPermsForm()().to_python(request.POST)
 
        RepoModel()._update_permissions(repo_name, form['perms_new'],
 
@@ -374,6 +375,7 @@ class ReposController(BaseRepoController
 
        h.flash(_('Repository permissions updated'), category='success')
 
        return redirect(url('edit_repo_perms', repo_name=repo_name))
 

	
 
    @HasRepoPermissionAllDecorator('repository.admin')
 
    def edit_permissions_revoke(self, repo_name):
 
        try:
 
            obj_type = request.POST.get('obj_type')
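Review bot: Neither `edit_permissions_update` nor `edit_permissions_revoke` states the permission it now enforces, so the next mutating action added to this controller can repeat the omission this commit closes; a one-line docstring under each `def` would pin the contract, e.g. `"""Apply the permission form to repo_name; the caller must hold repository.admin."""` and `"""Revoke one user or group permission entry on repo_name; requires repository.admin."""`. The decorator is the right boundary, since in the visible lines nothing else stands between `request.POST` and `RepoModel()._update_permissions`. Both method bodies continue past the hunk, and the GET form action above the first hunk is not visible, so whether it carries the same decorator cannot be confirmed here; other actions on ReposController that change repository state were not in the diff and presumably deserve the same audit.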
kallithea/tests/functional/test_admin_permissions.py
 
@@ -49,8 +49,7 @@ class TestAdminPermissionsController(Tes
 
    def test_edit_permissions_permissions(self):
 
        user = User.get_by_username(TEST_USER_REGULAR_LOGIN)
 

	
 
        # Test unauthenticated access
 
        # FIXME: access without authentication
 
        # Test unauthenticated access - it will redirect to login page
 
        response = self.app.post(
 
            url('edit_repo_perms_update', repo_name=HG_REPO),
 
            params=dict(
 
@@ -61,9 +60,9 @@ class TestAdminPermissionsController(Tes
 
                _authentication_token=self.authentication_token()),
 
            status=302)
 

	
 
        assert response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
 
        assert not response.location.endswith(url('edit_repo_perms_update', repo_name=HG_REPO))
 
        assert response.location.endswith(url('login_home', came_from=url('edit_repo_perms_update', repo_name=HG_REPO)))
 

	
 
        # FIXME: access without authentication
 
        response = self.app.post(
 
            url('edit_repo_perms_revoke', repo_name=HG_REPO),
 
            params=dict(
 
@@ -71,8 +70,9 @@ class TestAdminPermissionsController(Tes
 
                obj_type='user',
 
                user_id=user.user_id,
 
                _authentication_token=self.authentication_token()),
 
            status=200) # success has no content
 
        assert not response.body
 
            status=302)
 

	
 
        assert response.location.endswith(url('login_home', came_from=url('edit_repo_perms_update', repo_name=HG_REPO)))
 

	
 
        # Test authenticated access
 
        self.log_user()
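Review bot: The test only checks that an unauthenticated POST is redirected to the login page, which would pass with any login-required check and does not exercise the access-control fix itself — a logged-in user without repository.admin on HG_REPO being refused. A regression test should log in as TEST_USER_REGULAR_LOGIN (the `user` fetched at the top of the test) and POST to both `edit_repo_perms_update` and `edit_repo_perms_revoke` expecting the forbidden status (presumably 403, as Kallithea's permission decorators raise for authenticated users; confirm against the decorator), before the admin `self.log_user()` path; the password constant used below is assumed to exist alongside TEST_USER_REGULAR_LOGIN. Separately, the `came_from` assertion after the revoke POST compares against `edit_repo_perms_update`; if the two routes share a path this still passes, but asserting `came_from=url('edit_repo_perms_revoke', repo_name=HG_REPO)` pins the revoke route rather than relying on that coincidence. The test method continues past the hunk.
```python
        # Test authenticated access without repository.admin on HG_REPO
        self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS)
        response = self.app.post(
            url('edit_repo_perms_update', repo_name=HG_REPO),
            params=dict(
                # … same form params as the unauthenticated case …
                _authentication_token=self.authentication_token()),
            status=403)
        response = self.app.post(
            url('edit_repo_perms_revoke', repo_name=HG_REPO),
            params=dict(
                obj_type='user',
                user_id=user.user_id,
                _authentication_token=self.authentication_token()),
            status=403)
        # … unchanged: admin access test …
```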