From: Abdun Nihaal Date: Wed, 16 Apr 2025 16:32:36 +0000 (+0530) Subject: Prevent any user from updating public bundles X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc278e2c551be25dc3c5d0e9ed646f0a149d131a;p=thirdparty%2Fpatchwork.git Prevent any user from updating public bundles Currently, the web UI allows any logged in user to remove patches from public bundles. However the correct behaviour is that only the owner of the bundle should be allowed to update a bundle. Fix that by adding checks in set_bundle() before adding or removing patches from bundles. Signed-off-by: Abdun Nihaal Closes: #599
---
diff --git a/patchwork/views/__init__.py b/patchwork/views/__init__.py
index db484c79..92adbbcc 100644
--- a/patchwork/views/__init__.py
+++ b/patchwork/views/__init__.py
@@ -135,9 +135,13 @@ def set_bundle(request, project, action, data, patches):
 if not data['bundle_id']:
 return ['No bundle was selected']
 bundle = get_object_or_404(Bundle, id=data['bundle_id'])
+ if request.user != bundle.owner:
+ return ["You don't have permissions to add patches to bundle"]
 add_bundle_patches(request, patches, bundle)
 elif action == 'remove':
 bundle = get_object_or_404(Bundle, id=data['removed_bundle_id'])
+ if request.user != bundle.owner:
+ return ["You don't have permissions to remove patches from bundle"]
 for patch in patches:
 try:
 bp = BundlePatch.objects.get(bundle=bundle, patch=patch)
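Review bot: The owner check is written twice, once in the 'add' branch and once in the 'remove' branch, with two near-identical messages; since both branches already have `bundle` resolved via get_object_or_404, a single helper such as `def _user_owns_bundle(request, bundle): return request.user == bundle.owner` called from each branch would keep the authorization rule in one place and make it harder for a future branch of set_bundle to miss it. The comparison `request.user != bundle.owner` also refuses unauthenticated callers, since an AnonymousUser never equals a User instance, which is the right failure direction; comparing `request.user.id != bundle.owner_id` would give the same result without loading the owner row, a minor point. Worth confirming that this view is the only path that mutates bundle membership: any other entry point that adds or removes bundle patches (not visible in this hunk) would need the same owner check, and a regression test asserting that a non-owner's add and remove requests are refused would pin the fix. set_bundle's signature is visible only in the hunk header, and the 'remove' branch body continues past the end of the hunk.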