From 4d5a076cd5974ea4354b0c6ba24b0eb3095b2cb5 Mon Sep 17 00:00:00 2001
From: Conrad Hoffmann
Date: Wed, 22 Nov 2023 16:30:10 +0100
Subject: [PATCH] legacy api: check private job ownership everywhere

---
 buildsrht/blueprints/api.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/buildsrht/blueprints/api.py b/buildsrht/blueprints/api.py
index 5a23235..e0ad7d0 100644
--- a/buildsrht/blueprints/api.py
+++ b/buildsrht/blueprints/api.py
@@ -8,7 +8,7 @@ from srht.validation import Validation
 from srht.oauth import oauth, current_token
 from buildsrht.runner import requires_payment
 from buildsrht.types import Artifact, Job, JobStatus, Task, JobGroup
-from buildsrht.types import Trigger, TriggerType, TriggerCondition
+from buildsrht.types import Visibility, Trigger, TriggerType, TriggerCondition
 from buildsrht.manifest import Manifest
 import sqlalchemy as sa
 import json
@@ -109,7 +109,8 @@ def jobs_by_id_GET(job_id):
     job = Job.query.filter(Job.id == job_id).options(sa.orm.joinedload(Job.tasks)).first()
     if not job:
         abort(404)
-    # TODO: ACLs
+    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
+        abort(404) # TODO: ACLs
     return job.to_dict()
 
 @api.route("/api/jobs//artifacts")
@@ -118,15 +119,18 @@ def artifacts_by_job_id_GET(job_id):
     job = Job.query.filter(Job.id == job_id).first()
     if not job:
         abort(404)
+    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
+        abort(404) # TODO: ACLs
     artifacts = Artifact.query.filter(Artifact.job_id == job.id)
     return paginated_response(Artifact.id, artifacts)
 
 @api.route("/api/jobs//manifest")
 def jobs_by_id_manifest_GET(job_id):
-    # TODO: ACLs
     job = Job.query.filter(Job.id == job_id).first()
     if not job:
         abort(404)
+    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
+        abort(404) # TODO: ACLs
     return Response(job.manifest, content_type="text/plain")
 
 @api.route("/api/jobs//start", methods=["POST"])
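Review bot: The new guard in jobs_by_id_GET dereferences `current_token.user_id` unconditionally, and no `@oauth` decorator is visible between `@api.route` and these GET handlers, so if this legacy endpoint accepts requests without a token an anonymous request for a private job would hit an attribute error and surface as a 500 rather than the intended 404. Whether `current_token` can be unset here cannot be confirmed from the hunk, but the check is cheap to make defensive: `if job.visibility == Visibility.PRIVATE and (not current_token or job.owner_id != current_token.user_id):` followed by the existing `abort(404) # TODO: ACLs`, adjusted to however srht.oauth represents "no token". A one-line `# Private jobs 404 for non-owners so their IDs are not confirmed to others` above the check would also record why 404 rather than 403 was chosen, which the later cancel hunk silently relies on.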
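Review bot: The same visibility predicate is now pasted verbatim into artifacts_by_job_id_GET and jobs_by_id_manifest_GET in this hunk (and once more in the hunk above), each with its own `# TODO: ACLs`, so the eventual ACL implementation must land three times and any drift between the copies quietly weakens one endpoint. A module-level helper keeps the policy in one place and reduces each call site to `_check_job_visibility(job)` where the copy currently sits. The three handlers are complete within the hunks shown.
```python
def _check_job_visibility(job):
    """Abort with 404 when ``job`` is private and not owned by the token's user.

    404 rather than 403 so that private job IDs are not confirmed to non-owners.
    """
    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
        abort(404) # TODO: ACLs

@api.route("/api/jobs//manifest")
def jobs_by_id_manifest_GET(job_id):
    # … unchanged: job lookup and 404 on missing job …
    _check_job_visibility(job)
    # … unchanged: return Response(job.manifest, ...) …
```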
@@ -135,8 +139,7 @@ def jobs_by_id_start_POST(job_id):
     job = Job.query.filter(Job.id == job_id).first()
     if not job:
         abort(404)
-    if job.owner_id != current_token.user_id:
-        abort(401) # TODO: ACLs
+    # ACLs checked in GraphQL
     if job.status != JobStatus.pending:
         reason_map = {
             JobStatus.queued: "queued",
@@ -163,7 +166,7 @@ def jobs_by_id_cancel_POST(job_id):
     if not job:
         abort(404)
     if job.owner_id != current_token.user_id:
-        abort(401)
+        abort(404)
     requests.post(f"http://{job.runner}/job/{job.id}/cancel")
     return { }
 
-- 
2.38.5
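Review bot: Removing the ownership check from jobs_by_id_start_POST leaves the `job.status != JobStatus.pending` branch that follows running for any authenticated caller before whatever GraphQL ACL the new comment refers to is reached, so a non-owner can POST to start on a private job ID and learn from the error reason whether it exists and is queued or running — the kind of disclosure the commit subject says it is closing elsewhere. The same guard the GET handlers now use belongs in front of the status check: `if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:` / `abort(404) # TODO: ACLs`, replacing the bare `# ACLs checked in GraphQL` comment. Whether the later GraphQL call rejects non-owners cannot be confirmed from here; the body of jobs_by_id_start_POST continues past the end of the hunk.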
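Review bot: The 401→404 switch in jobs_by_id_cancel_POST keys only on ownership, not visibility, so a caller who can read a public job through the GET endpoints is told it does not exist when they try to cancel it, whereas the GET handlers in this patch reserve 404 for private jobs. Returning 403 for jobs the caller can see and 404 only for private ones keeps the two paths consistent: `abort(404 if job.visibility == Visibility.PRIVATE else 403)`. The function starts before the hunk; separately, the unchanged `requests.post(f"http://{job.runner}/...")` has no timeout, so an unresponsive runner pins a worker — worth a `timeout=` argument in a follow-up.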