
commit
8c20044
parent
02ac4fd
author
Eric Bower
date
2024-07-19 12:20:18 -0400 EDT
fix(cli): access control for removing patchsets

I also fixed some other access control issues for changing PR status.
2 files changed,  +41, -6
M cli.go
M pr.go
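--- a/cli.go
+++ b/cli.go
@@ -213,7 +213,30 @@ Here's how it works:
 							if err != nil {
 								return err
 							}
-							return pr.DeletePatchsetByID(patchsetID)
+
+							patchset, err := pr.GetPatchsetByID(patchsetID)
+							if err != nil {
+								return err
+							}
+
+							user, err := pr.GetUserByID(patchset.UserID)
+							if err != nil {
+								return err
+							}
+
+							pk := sesh.PublicKey()
+							isAdmin := be.IsAdmin(pk)
+							isContrib := pubkey == user.Pubkey
+							if !isAdmin && !isContrib {
+								return fmt.Errorf("you are not authorized to delete a patchset")
+							}
+
+							err = pr.DeletePatchsetByID(patchsetID)
+							if err != nil {
+								return err
+							}
+							wish.Printf(sesh, "successfully removed patchset: %d\n", patchsetID)
+							return nil
 						},
 					},
 				},
@@ -597,17 +620,18 @@ Here's how it works:
 								return err
 							}
 
-							user, err := pr.UpsertUser(pubkey, userName)
+							patchReq, err := pr.GetPatchRequestByID(prID)
 							if err != nil {
 								return err
 							}
 
-							patchReq, err := pr.GetPatchRequestByID(prID)
+							user, err := pr.GetUserByID(patchReq.UserID)
 							if err != nil {
 								return err
 							}
+
 							pk := sesh.PublicKey()
-							isContrib := be.Pubkey(pk) == user.Pubkey
+							isContrib := pubkey == user.Pubkey
 							isAdmin := be.IsAdmin(pk)
 							if !isAdmin && !isContrib {
 								return fmt.Errorf("you are not authorized to change PR status")
@@ -645,13 +669,13 @@ Here's how it works:
 								return err
 							}
 
-							user, err := pr.UpsertUser(pubkey, userName)
+							user, err := pr.GetUserByID(patchReq.UserID)
 							if err != nil {
 								return err
 							}
 
 							pk := sesh.PublicKey()
-							isContrib := be.Pubkey(pk) == user.Pubkey
+							isContrib := pubkey == user.Pubkey
 							isAdmin := be.IsAdmin(pk)
 							if !isAdmin && !isContrib {
 								return fmt.Errorf("you are not authorized to change PR status")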
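Review bot: The owner-or-admin decision in the delete-patchset hunk is the same four lines (`pk := sesh.PublicKey()`, `isAdmin := be.IsAdmin(pk)`, `isContrib := pubkey == user.Pubkey`, the `!isAdmin && !isContrib` guard) repeated verbatim in the two PR-status hunks below, so any future change to the rule must be made in three places; a small helper taking the session and the owner's pubkey and returning a bool would give one place to audit the policy. In the same hunk, an unknown `patchsetID` makes `pr.GetPatchsetByID` return the raw database error to the session before the ownership check runs; mapping `errors.Is(err, sql.ErrNoRows)` to a plain `patchset not found` message would keep driver text out of user-facing output. The caller's `pubkey` and `userName` are defined outside the hunk, as is the start of each command closure, so I cannot confirm from here that `pubkey` is derived the same way `be.Pubkey(pk)` was in the removed lines; if it is not normalized the same way, the new comparison silently denies legitimate owners. Consider also logging denied attempts (caller key, patchset or PR ID) so repeated authorization failures are visible to an operator.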
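--- a/pr.go
+++ b/pr.go
@@ -34,6 +34,7 @@ type GitPatchRequest interface {
 	GetPatchRequests() ([]*PatchRequest, error)
 	GetPatchRequestsByRepoID(repoID string) ([]*PatchRequest, error)
 	GetPatchsetsByPrID(prID int64) ([]*Patchset, error)
+	GetPatchsetByID(patchsetID int64) (*Patchset, error)
 	GetLatestPatchsetByPrID(prID int64) (*Patchset, error)
 	GetPatchesByPatchsetID(prID int64) ([]*Patch, error)
 	UpdatePatchRequestStatus(prID, userID int64, status string) error
@@ -234,6 +235,16 @@ func (pr PrCmd) GetPatchsetsByPrID(prID int64) ([]*Patchset, error) {
 	return patchsets, nil
 }
 
+func (pr PrCmd) GetPatchsetByID(patchsetID int64) (*Patchset, error) {
+	var patchset Patchset
+	err := pr.Backend.DB.Get(
+		&patchset,
+		"SELECT * FROM patchsets WHERE id=?",
+		patchsetID,
+	)
+	return &patchset, err
+}
+
 func (pr PrCmd) GetLatestPatchsetByPrID(prID int64) (*Patchset, error) {
 	patchsets, err := pr.GetPatchsetsByPrID(prID)
 	if err != nil {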
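Review bot: `GetPatchsetByID` returns a non-nil `*Patchset` together with a non-nil error (`return &patchset, err`), so a caller that only checks the pointer gets a zero-value record whose `UserID` is 0 and would then run an ownership check against whatever user that ID resolves to; returning `nil` on failure removes that trap: `if err != nil { return nil, err }` followed by `return &patchset, nil`. The new method is exported on both the interface and `PrCmd` but carries no doc comment; a one-liner such as `// GetPatchsetByID returns the patchset with the given ID, or an error if it does not exist.` would match the convention for exported names. The query is parameterized, which is the right shape for an ID taken from user input. `GetLatestPatchsetByPrID` at the end of the hunk continues outside it.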