git.ipfire.org Git - thirdparty/patchwork.git/commit

author	Stephen Finucane <stephen@that.guru>
	Sat, 21 Sep 2019 18:06:14 +0000 (19:06 +0100)
committer	Stephen Finucane <stephen@that.guru>
	Tue, 24 Sep 2019 08:58:53 +0000 (09:58 +0100)
commit	9d6c86ef720521605d7e8d9938c2795ad7b9e110
tree	12a563eb10b95099c8ef7abd3d39fe51d3633c74	tree \| snapshot
parent	a938f952023a7381816107392fcc10100f5b054c	commit \| diff

Fix issue with delegation of patch via REST API

There have been reports of people being unable to delegate patches to
themselves, despite being a maintainer or the project to which the patch
is associated.

The issue is a result of how we do a check for whether the user is a
maintainer of the patch's project [1]. This check is checking if a given
'User.id' is in the list of items referenced by
'Project.maintainer_project'. However, 'Project.maintainer_project' is a
backref to 'UserProfile.maintainer_projects'. This means we're comparing
'User.id' and 'UserProfile.id'. Boo.

This wasn't seen in testing since we've had a post-save callback [2] for some
time that ensures we always create a 'UserProfile' object whenever we create a
'User' object. This also means we won't have an issue on deployments initially
deployed after that post-save callback was added, a 'User' with id=N will
always have a corresponding 'UserProfile' with id=N. However, that's not true
for older deployments such as the ozlabs.org one.

[1] https://github.com/getpatchwork/patchwork/blob/89c924f9bc/patchwork/api/patch.py#L108-L111
[2] https://github.com/getpatchwork/patchwork/blob/89c924f9bc/patchwork/models.py#L204-L210

Signed-off-by: Stephen Finucane <stephen@that.guru>
Closes: #313
Reported-by: Bjorn Helgaas <helgaas@kernel.org>
(cherry picked from commit ab35df8c33a178b3b2349c1e4727393b94f5e916)

patchwork/api/patch.py		diff \| blob \| blame \| history
patchwork/tests/api/test_patch.py		diff \| blob \| blame \| history