From: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed, 22 Jan 2025 13:57:22 +0000 (+0000)
Subject: builds: Fix accessing uploads
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=39e967b2d4f17dc315f8a3b08c15bae0ac7c7c71;p=pbs.git

builds: Fix accessing uploads

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/src/web/base.py b/src/web/base.py
index d878f716..e1d4b3c0 100644
--- a/src/web/base.py
+++ b/src/web/base.py
@@ -594,23 +594,27 @@ class BaseHandler(tornado.web.RequestHandler):
 
 	# Uploads
 
-	def _get_upload(self, uuid):
-		upload = self.backend.uploads.get_by_uuid(uuid)
+	async def _get_upload(self, uuid):
+		# Fetch the current user
+		current_user = await self.get_current_user()
+
+		# Fetch the upload
+		upload = await self.backend.uploads.get_by_uuid(uuid)
 
 		# Check permissions
-		if upload and not upload.has_perm(self.current_user):
-			raise tornado.web.HTTPError(403, "%s has no permissions for upload %s" % (self.current_user, upload))
+		if upload and not upload.has_perm(current_user):
+			raise tornado.web.HTTPError(403, "%s has no permissions for upload %s" % (current_user, upload))
 
 		return upload
 
-	def get_argument_upload(self, *args, **kwargs):
+	async def get_argument_upload(self, *args, **kwargs):
 		"""
 			Returns an upload
 		"""
 		uuid = self.get_argument(*args, **kwargs)
 
 		if uuid:
-			return self._get_upload(uuid)
+			return await self._get_upload(uuid)
 
 	def get_argument_uploads(self, *args, **kwargs):
 		"""
diff --git a/src/web/builds.py b/src/web/builds.py
index cc306aa2..baf95bfa 100644
--- a/src/web/builds.py
+++ b/src/web/builds.py
@@ -15,13 +15,16 @@ class APIv1IndexHandler(base.APIMixin, base.BaseHandler):
 
 	@base.negotiate
 	async def post(self):
+		# Fetch the current user
+		current_user = await self.get_current_user()
+
 		# Fetch the upload
-		upload = self.get_argument_upload("upload")
+		upload = await self.get_argument_upload("upload")
 		if not upload:
 			raise tornado.web.HTTPError(404, "Could not find upload")
 
 		# Check permissions of the upload
-		if not upload.has_perm(self.current_user):
+		if not upload.has_perm(current_user):
 			raise base.APIError(errno.ENOPERM, "No permission for using upload %s" % upload)
 
 		# Fetch the repository
@@ -52,7 +55,7 @@ class APIv1IndexHandler(base.APIMixin, base.BaseHandler):
 
 			# If anything goes wrong, we will try to delete the package again
 			except Exception as e:
-				await package.delete(user=self.current_user)
+				await package.delete(current_user)
 
 				raise e