Restrict webhooks to trusted users
authorrubenwardy <rw@rubenwardy.com>
Sat, 25 Jan 2020 00:04:56 +0000 (00:04 +0000)
committerrubenwardy <rw@rubenwardy.com>
Sat, 25 Jan 2020 00:04:56 +0000 (00:04 +0000)
app/blueprints/github/__init__.py
app/templates/packages/view.html

index d05dffce3e30baca23b028e4e1cdaa7aedea7e11..e3ce8d7aa3a6c5c089695fd909f5a41379c28102 100644 (file)
@@ -23,7 +23,7 @@ from flask_user import current_user, login_required
 from sqlalchemy import func
 from flask_github import GitHub
 from app import github, csrf
-from app.models import db, User, APIToken, Package
+from app.models import db, User, APIToken, Package, Permission
 from app.utils import loginUser, randomString
 from app.blueprints.api.support import error, handleCreateRelease
 import hmac, requests, json
@@ -114,6 +114,9 @@ def webhook():
        if actual_token is None:
                return error(403, "Invalid authentication")
 
+       if not package.checkPerm(actual_token.owner, Permission.APPROVE_RELEASE):
+               return error(403, "Only trusted members can use webhooks")
+
        #
        # Check event
        #
@@ -163,6 +166,10 @@ def setup_webhook():
        if package is None:
                abort(404)
 
+       if not package.checkPerm(current_user, Permission.APPROVE_RELEASE):
+               flash("Only trusted members can use webhooks", "danger")
+               return redirect(package.getDetailsURL())
+
        gh_user, gh_repo = package.getGitHubFullName()
        if gh_user is None or gh_repo is None:
                flash("Unable to get Github full name from repo address", "danger")
@@ -207,15 +214,16 @@ def setup_webhook():
                        db.session.commit()
 
                        return redirect(package.getDetailsURL())
-               elif r.status_code == 403:
+               elif r.status_code == 401 or r.status_code == 403:
                        current_user.github_access_token = None
                        db.session.commit()
 
                        return github.authorize("write:repo_hook", \
                                redirect_uri=url_for("github.callback_webhook", pid=pid, _external=True))
                else:
-                       flash("Failed to create webhook, received response from Github: " +
-                               str(r.json().get("message") or r.status_code), "danger")
+                       flash("Failed to create webhook, received response from Github " +
+                               str(r.status_code) + ": " +
+                               str(r.json().get("message")), "danger")
 
        return render_template("github/setup_webhook.html", \
                form=form, package=package)
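Review bot: The rewritten failure branch at the end of setup_webhook() still calls `r.json()` unconditionally, so a non-JSON error body from GitHub (a gateway error page, for instance) turns a failed webhook creation into an unhandled exception instead of the intended flash; the previous lines had the same exposure, but since they are being rewritten this is the place to guard it, as in the excerpt below. The new permission checks in webhook() and setup_webhook() both return 403/flash with the same literal, and neither says why APPROVE_RELEASE is the gate; a comment on the webhook() check such as `# A webhook can create releases (handleCreateRelease), so require the same permission as approving one by hand` would make the rule self-explaining. Both webhook() and setup_webhook() begin outside the visible hunks, so the token validation and HMAC handling preceding the new check could not be reviewed here.
```python
		else:
			# GitHub does not always answer with JSON; do not let the error path raise.
			try:
				message = r.json().get("message")
			except ValueError:
				message = None
			flash("Failed to create webhook, received response from Github " +
				str(r.status_code) + ": " + str(message), "danger")
```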
index e5ab1e4198072f6c27e6f66097b859dde0954f66..9dce0d44ccf51403c2b0ddca25eacb880ba083b0 100644 (file)
                                </ul>
                        </div>
 
-                       {% if package.getIsOnGitHub() %}
+                       {% if package.author == current_user and package.checkPerm(current_user, "APPROVE_RELEASE") and package.getIsOnGitHub() %}
                        <p class="small text-centered">
                                <a href="{{ url_for('github.setup_webhook', pid=package.id) }}">
                                        Set up a webhook
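Review bot: The template condition on the changed line is stricter than the server-side check it mirrors: it hides the link unless `package.author == current_user`, whereas setup_webhook() in app/blueprints/github/__init__.py only requires APPROVE_RELEASE, so a trusted non-author can still reach the endpoint directly while never seeing the link. Only the view check enforces anything; if the author restriction is intended policy it belongs in setup_webhook() as well, otherwise the template should match it, e.g. `{% if package.checkPerm(current_user, "APPROVE_RELEASE") and package.getIsOnGitHub() %}`. The template also passes the permission as the string `"APPROVE_RELEASE"` while the views use `Permission.APPROVE_RELEASE`; whether checkPerm accepts the string form is not visible here, so confirm it resolves rather than silently evaluating false.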