~comcloudway/builds.sr.ht: Check username when showing job page

b7cf38ae98761ac1b7e03c81d90d7ff7c8e119b7 — Simon Ser 1 year, 3 months ago 0454453

Check username when showing job page

This is the first step towards preventing unlisted build jobs
enumeration.

patch browse .tar.gz

1 files changed, 5 insertions(+), 1 deletions(-)

M buildsrht/blueprints/jobs.py

M buildsrht/blueprints/jobs.py => buildsrht/blueprints/jobs.py +5 -1

@@ 422,12 422,16 @@ def logify(text, task, log_url):
 
 @jobs.route("/~<username>/job/<int:job_id>")
 def job_by_id(username, job_id):
-    # TODO: maybe we want per-user job IDs
+    user = User.query.filter(User.username == username).first()
+    if not user:
+        abort(404)
     job = Job.query.options(sa.orm.joinedload(Job.tasks)).get(job_id)
     if not job:
         abort(404)
     if not get_access(job):
         abort(404)
+    if job.owner_id != user.id:
+        abort(404)
     logs = list()
     build_user = cfg("git.sr.ht::dispatch", "/usr/bin/buildsrht-keys", "builds:builds").split(":")[0]
     final_status = [