From 4d5a076cd5974ea4354b0c6ba24b0eb3095b2cb5 Mon Sep 17 00:00:00 2001
From: Conrad Hoffmann <ch@bitfehler.net>
Date: Wed, 22 Nov 2023 16:30:10 +0100
Subject: [PATCH] legacy api: check private job ownership everywhere

---
 buildsrht/blueprints/api.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/buildsrht/blueprints/api.py b/buildsrht/blueprints/api.py
index 5a23235..e0ad7d0 100644
--- a/buildsrht/blueprints/api.py
+++ b/buildsrht/blueprints/api.py
@@ -8,7 +8,7 @@ from srht.validation import Validation
 from srht.oauth import oauth, current_token
 from buildsrht.runner import requires_payment
 from buildsrht.types import Artifact, Job, JobStatus, Task, JobGroup
-from buildsrht.types import Trigger, TriggerType, TriggerCondition
+from buildsrht.types import Visibility, Trigger, TriggerType, TriggerCondition
 from buildsrht.manifest import Manifest
 import sqlalchemy as sa
 import json
@@ -109,7 +109,8 @@ def jobs_by_id_GET(job_id):
     job = Job.query.filter(Job.id == job_id).options(sa.orm.joinedload(Job.tasks)).first()
     if not job:
         abort(404)
-    # TODO: ACLs
+    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
+        abort(404) # TODO: ACLs
     return job.to_dict()
 
 @api.route("/api/jobs/<int:job_id>/artifacts")
@@ -118,15 +119,18 @@ def artifacts_by_job_id_GET(job_id):
     job = Job.query.filter(Job.id == job_id).first()
     if not job:
         abort(404)
+    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
+        abort(404) # TODO: ACLs
     artifacts = Artifact.query.filter(Artifact.job_id == job.id)
     return paginated_response(Artifact.id, artifacts)
 
 @api.route("/api/jobs/<int:job_id>/manifest")
 def jobs_by_id_manifest_GET(job_id):
-    # TODO: ACLs
     job = Job.query.filter(Job.id == job_id).first()
     if not job:
         abort(404)
+    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
+        abort(404) # TODO: ACLs
     return Response(job.manifest, content_type="text/plain")
 
 @api.route("/api/jobs/<int:job_id>/start", methods=["POST"])
@@ -135,8 +139,7 @@ def jobs_by_id_start_POST(job_id):
     job = Job.query.filter(Job.id == job_id).first()
     if not job:
         abort(404)
-    if job.owner_id != current_token.user_id:
-        abort(401) # TODO: ACLs
+    # ACLs checked in GraphQL
     if job.status != JobStatus.pending:
         reason_map = {
             JobStatus.queued: "queued",
@@ -163,7 +166,7 @@ def jobs_by_id_cancel_POST(job_id):
     if not job:
         abort(404)
     if job.owner_id != current_token.user_id:
-        abort(401)
+        abort(404)
     requests.post(f"http://{job.runner}/job/{job.id}/cancel")
     return { }
 
-- 
2.38.5