From: Michael Tremer
Date: Tue, 18 Oct 2022 16:55:45 +0000 (+0000)
Subject: hub: Check permissions for uploads before using them
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0656dfa4bb963d7f53bc97d9e7ff6c43a6baa655;p=pbs.git
hub: Check permissions for uploads before using them
Signed-off-by: Michael Tremer
---
diff --git a/src/buildservice/uploads.py b/src/buildservice/uploads.py
index b910d3a6..cc926cd4 100644
--- a/src/buildservice/uploads.py
+++ b/src/buildservice/uploads.py
@@ -172,6 +172,16 @@ class Upload(base.DataObject):
 user = lazy_property(get_user, set_user)
+ def has_perm(self, who):
+ """
+ Returns True if "who" has permissions to use this upload
+ """
+ if self.builder == who or self.user == who:
+ return True
+
+ # No permission
+ return False
+
 async def delete(self):
 log.info("Deleting upload %s (%s)" % (self, self.path))
diff --git a/src/hub/builds.py b/src/hub/builds.py
index 4c95783b..bc41ae45 100644
--- a/src/hub/builds.py
+++ b/src/hub/builds.py
@@ -30,7 +30,9 @@ class CreateHandler(BaseHandler):
 if not upload:
 raise tornado.web.HTTPError(404, "Could not find upload")
- # XXX check permissions of the upload
+ # Check permissions of the upload
+ if not upload.has_perm(self.current_user):
+ raise tornado.web.HTTPError(403, "No permission for using upload %s" % upload)
 with self.db.transaction():
 # Try opening the archive
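Review bot: `has_perm` grants access when `who` is None and one of the upload's owner fields is also None, because `self.builder == who or self.user == who` then evaluates `None == None`. Whether an upload can have `builder` or `user` unset, and whether `self.current_user` can be None at the call site in `CreateHandler` (src/hub/builds.py), is not visible in this diff, so the check should fail closed with `if who is None: return False` ahead of the comparison. The docstring could also say that ownership is the only criterion, e.g. `Returns True if "who" is the builder or the user this upload belongs to`. The `Upload` class continues outside the hunk.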
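Review bot: The new 403 branch confirms to a caller who does not own the upload that it exists, whereas the branch just above answers 404 for an unknown one; if upload identifiers are guessable (not visible here), answering 404 in both cases avoids that signal. The log message also names the upload but not the requester, so a denied attempt cannot be attributed from the log alone. Passing the values as arguments records both and leaves the formatting to Tornado: `raise tornado.web.HTTPError(403, "%s has no permission for using upload %s", self.current_user, upload)`. The handler method starts and ends outside the hunk.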