From 3dea52c0bbdb968f1bd7986c545cc21dd286b053 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 21 Jan 2025 15:11:24 +0000 Subject: [PATCH] builders: Fix current user permission check Signed-off-by: Michael Tremer --- src/web/builders.py | 46 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/src/web/builders.py b/src/web/builders.py index 906ec170..2f0182f8 100644 --- a/src/web/builders.py +++ b/src/web/builders.py @@ -102,7 +102,7 @@ class ShowHandler(base.BaseHandler): class CreateHandler(base.BaseHandler): @base.authenticated - def get(self): + async def get(self): # Must be admin if not self.current_user.is_admin(): raise tornado.web.HTTPError(403) @@ -131,8 +131,11 @@ class EditHandler(base.BaseHandler): if not builder: raise tornado.web.HTTPError(404, "Builder not found") + # Fetch the current user + current_user = await self.get_current_user() + # Check permissions - if not builder.has_perm(self.current_user): + if not builder.has_perm(current_user): raise tornado.web.HTTPError(403) self.render("builders/edit.html", builder=builder) @@ -143,8 +146,11 @@ class EditHandler(base.BaseHandler): if not builder: raise tornado.web.HTTPError(404, "Builder not found: %s" % hostname) + # Fetch the current user + current_user = await self.get_current_user() + # Check permissions - if not builder.has_perm(self.current_user): + if not builder.has_perm(current_user): raise tornado.web.HTTPError(403) async with await self.db.transaction(): 
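Review bot: CreateHandler.get is switched to `async def`, but its admin check still reads `self.current_user.is_admin()`, unlike every other handler touched by this patch. If `get_current_user()` is a coroutine, as the added `await` calls in the other hunks imply, `self.current_user` here is presumably not a resolved user object, so the check would error out instead of evaluating the admin flag. Suggest `current_user = await self.get_current_user()` followed by `if not current_user.is_admin():`. The body of get() continues past the hunk and CreateHandler.post is not shown, so both should be checked for the same pattern.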
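Review bot: The value returned by `await self.get_current_user()` is handed straight to `builder.has_perm()` with no check that a user was actually resolved, here in EditHandler.get and in the same added block in EditHandler.post, DeleteHandler, StartHandler and StopHandler. Whether `base.authenticated` guarantees a non-None user at this point is not visible in the patch, so the check should fail closed explicitly: `if current_user is None or not builder.has_perm(current_user):`. The identical fetch-and-check block now appears eight times; moving it into one helper on the base handler would keep a later handler from going back to `self.current_user`, which is the mistake this commit fixes. Each of these methods starts or ends outside its hunk.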
@@ -160,13 +166,16 @@ class EditHandler(base.BaseHandler): class DeleteHandler(base.BaseHandler): @base.authenticated - def get(self, name): + async def get(self, name): builder = self.backend.builders.get_by_name(name) if not builder: raise tornado.web.HTTPError(404, "Builder not found: %s" % name) + # Fetch the current user + current_user = await self.get_current_user() + # Check permissions - if not builder.has_perm(self.current_user): + if not builder.has_perm(current_user): raise tornado.web.HTTPError(403) self.render("builders/delete.html", builder=builder) @@ -177,8 +186,11 @@ class DeleteHandler(base.BaseHandler): if not builder: raise tornado.web.HTTPError(404, "Builder not found: %s" % hostname) + # Fetch the current user + current_user = await self.get_current_user() + # Check permissions - if not builder.has_perm(self.current_user): + if not builder.has_perm(current_user): raise tornado.web.HTTPError(403) # Delete the builder @@ -195,8 +207,11 @@ class StartHandler(base.BaseHandler): if not builder: raise tornado.web.HTTPError(404, "Builder not found: %s" % name) + # Fetch the current user + current_user = await self.get_current_user() + # Check permissions - if not builder.has_perm(self.current_user): + if not builder.has_perm(current_user): raise tornado.web.HTTPError(403) # Builders must be in maintenance mode @@ -211,8 +226,11 @@ class StartHandler(base.BaseHandler): if not builder: raise tornado.web.HTTPError(404, "Builder not found: %s" % name) + # Fetch the current user + current_user = await self.get_current_user() + # Check permissions - if not builder.has_perm(self.current_user): + if not builder.has_perm(current_user): raise tornado.web.HTTPError(403) # Builders must be in maintenance mode 
@@ -232,13 +250,16 @@ class StartHandler(base.BaseHandler): class StopHandler(base.BaseHandler): @base.authenticated - def get(self, name): + async def get(self, name): builder = self.backend.builders.get_by_name(name) if not builder: raise tornado.web.HTTPError(404, "Builder not found: %s" % name) + # Fetch the current user + current_user = await self.get_current_user() + # Check permissions - if not builder.has_perm(self.current_user): + if not builder.has_perm(current_user): raise tornado.web.HTTPError(403) # Builders must be in maintenance mode @@ -253,8 +274,11 @@ class StopHandler(base.BaseHandler): if not builder: raise tornado.web.HTTPError(404, "Builder not found: %s" % name) + # Fetch the current user + current_user = await self.get_current_user() + # Check permissions - if not builder.has_perm(self.current_user): + if not builder.has_perm(current_user): raise tornado.web.HTTPError(403) # Builders must be in maintenance mode -- 2.47.2