From: Michael Tremer
Date: Tue, 23 May 2023 13:16:43 +0000 (+0000)
Subject: monitorings: Add permission check
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0da03d48f19a46e9b863ce5faee548af99f088a0;p=pbs.git
monitorings: Add permission check
Signed-off-by: Michael Tremer
---
diff --git a/src/buildservice/releasemonitoring.py b/src/buildservice/releasemonitoring.py
index 1144434a..84a5bc1b 100644
--- a/src/buildservice/releasemonitoring.py
+++ b/src/buildservice/releasemonitoring.py
@@ -252,6 +252,16 @@ class Monitoring(base.DataObject):
 def create_builds(self):
 return self.data.create_builds
+ # Permissions
+
+ def has_perm(self, user=None):
+ # Anonymous users can't perform any actions
+ if user is None:
+ return False
+
+ # Users must be admins
+ return user.is_admin()
+
 # Check
 async def check(self):
diff --git a/src/templates/monitorings/show.html b/src/templates/monitorings/show.html
index 50449c27..ffc292d0 100644
--- a/src/templates/monitorings/show.html
+++ b/src/templates/monitorings/show.html
@@ -64,7 +64,7 @@
- {% if current_user and current_user.is_admin() %}
+ {% if monitoring.has_perm(current_user) %}
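Review bot: `Monitoring.has_perm` in releasemonitoring.py denies only when `user is None`, while the template condition it replaces in show.html tested truthiness (`current_user and current_user.is_admin()`), so the two agree only if an anonymous session always yields exactly `None`; the code that sets `current_user` is not part of this patch. If any other falsy value can arrive, the method would raise on `.is_admin()` instead of refusing, and `if not user: return False` would keep the deny-by-default path. A one-line docstring such as `"""Return True if user may act on this monitoring (admins only, anonymous denied)."""` would also record that the check is not per-action. The rest of the `Monitoring` class lies outside the hunk.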
diff --git a/src/web/monitorings.py b/src/web/monitorings.py
index 570192de..c7b3ac5c 100644
--- a/src/web/monitorings.py
+++ b/src/web/monitorings.py
@@ -39,6 +39,7 @@ class ShowHandler(base.BaseHandler):
 class CheckHandler(base.BaseHandler):
+ @tornado.web.authenticated
 async def post(self, slug, name):
 # Fetch the distribution
 distro = self.backend.distros.get_by_slug(slug)
@@ -50,6 +51,10 @@ class CheckHandler(base.BaseHandler):
 if not monitoring:
 raise tornado.web.HTTPError(404, "Could not find monitoring for %s in %s" % (name, distro))
+ # Check permissions
+ if not monitoring.has_perm(self.current_user):
+ raise tornado.web.HTTPError(403)
+
 # Perform check
 with self.db.transaction():
 await monitoring.check()
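Review bot: The new `raise tornado.web.HTTPError(403)` in `CheckHandler.post` carries no log message, unlike the 404 directly above it, so a refused check by an authenticated non-admin cannot be attributed from the application log. Passing one, e.g. `raise tornado.web.HTTPError(403, "%s is not allowed to check %s" % (self.current_user, monitoring))`, records who was denied and on which monitoring. The permission check also runs after the 404 lookup, so a logged-in non-admin gets different answers for existing and missing monitorings. That is probably harmless if the show page is public, which this patch does not show. Part of `post` lies between the two hunks and is not visible here.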