authorrubenwardy <rw@rubenwardy.com>2020-01-25 00:04:56 +0000
committerrubenwardy <rw@rubenwardy.com>2020-01-25 00:04:56 +0000
commit493917d8b14fac50ca2ad8f6c8ffff0c0403a5e1 (patch)
tree4d22f8e046a371d73ed1e6cfcf45706a89ceb36e
parente12aec4ccdef7752fb87bd857a48eb4587016573 (diff)
downloadcheatdb-493917d8b14fac50ca2ad8f6c8ffff0c0403a5e1.tar.xz
Restrict webhooks to trusted users
-rw-r--r--app/blueprints/github/__init__.py16
-rw-r--r--app/templates/packages/view.html2
2 files changed, 13 insertions, 5 deletions
diff --git a/app/blueprints/github/__init__.py b/app/blueprints/github/__init__.py
index d05dffc..e3ce8d7 100644
--- a/app/blueprints/github/__init__.py
+++ b/app/blueprints/github/__init__.py
@@ -23,7 +23,7 @@ from flask_user import current_user, login_required
from sqlalchemy import func
from flask_github import GitHub
from app import github, csrf
-from app.models import db, User, APIToken, Package
+from app.models import db, User, APIToken, Package, Permission
from app.utils import loginUser, randomString
from app.blueprints.api.support import error, handleCreateRelease
import hmac, requests, json
@@ -114,6 +114,9 @@ def webhook():
if actual_token is None:
return error(403, "Invalid authentication")
+ if not package.checkPerm(actual_token.owner, Permission.APPROVE_RELEASE):
+ return error(403, "Only trusted members can use webhooks")
+
#
# Check event
#
@@ -163,6 +166,10 @@ def setup_webhook():
if package is None:
abort(404)
+ if not package.checkPerm(current_user, Permission.APPROVE_RELEASE):
+ flash("Only trusted members can use webhooks", "danger")
+ return redirect(package.getDetailsURL())
+
gh_user, gh_repo = package.getGitHubFullName()
if gh_user is None or gh_repo is None:
flash("Unable to get Github full name from repo address", "danger")
@@ -207,15 +214,16 @@ def setup_webhook():
db.session.commit()
return redirect(package.getDetailsURL())
- elif r.status_code == 403:
+ elif r.status_code == 401 or r.status_code == 403:
current_user.github_access_token = None
db.session.commit()
return github.authorize("write:repo_hook", \
redirect_uri=url_for("github.callback_webhook", pid=pid, _external=True))
else:
- flash("Failed to create webhook, received response from Github: " +
- str(r.json().get("message") or r.status_code), "danger")
+ flash("Failed to create webhook, received response from Github " +
+ str(r.status_code) + ": " +
+ str(r.json().get("message")), "danger")
return render_template("github/setup_webhook.html", \
form=form, package=package)
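Review bot: The server-side authorization added to setup_webhook (`if not package.checkPerm(current_user, Permission.APPROVE_RELEASE):`) is weaker than the condition the template now uses to show the link, which additionally requires `package.author == current_user`, so any account holding APPROVE_RELEASE on the package (presumably editors or moderators) can still submit the route directly and have a hook installed on a repository it does not own; setup_webhook's body begins before this hunk. If author-only is the intent, enforce it in the view as well, e.g. `if package.author != current_user or not package.checkPerm(current_user, Permission.APPROVE_RELEASE):`, since the template condition is only cosmetic. The template passes the permission as the string `"APPROVE_RELEASE"` while both views pass the `Permission` enum member; unless checkPerm accepts both forms this is worth unifying so the two checks cannot drift apart silently. In the last hunk, `r.json()` in the else branch raises on a non-JSON body (a 5xx or proxy error page from GitHub), turning a failed hook creation into a 500; wrapping it in `try`/`except ValueError` and falling back to `r.text` or the status code alone keeps the flash-message path robust.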
diff --git a/app/templates/packages/view.html b/app/templates/packages/view.html
index e5ab1e4..9dce0d4 100644
--- a/app/templates/packages/view.html
+++ b/app/templates/packages/view.html
@@ -364,7 +364,7 @@
</ul>
</div>
- {% if package.getIsOnGitHub() %}
+ {% if package.author == current_user and package.checkPerm(current_user, "APPROVE_RELEASE") and package.getIsOnGitHub() %}
<p class="small text-centered">
<a href="{{ url_for('github.setup_webhook', pid=package.id) }}">
Set up a webhook