From b7cf38ae98761ac1b7e03c81d90d7ff7c8e119b7 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Thu, 6 Jul 2023 16:44:18 +0000
Subject: [PATCH] Check username when showing job page

This is the first step towards preventing unlisted build jobs enumeration.
---
 buildsrht/blueprints/jobs.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/buildsrht/blueprints/jobs.py b/buildsrht/blueprints/jobs.py
index d37c1a5..8550bea 100644
--- a/buildsrht/blueprints/jobs.py
+++ b/buildsrht/blueprints/jobs.py
@@ -422,12 +422,16 @@ def logify(text, task, log_url):

 @jobs.route("/~/job/")
 def job_by_id(username, job_id):
- # TODO: maybe we want per-user job IDs
+ user = User.query.filter(User.username == username).first()
+ if not user:
+ abort(404)
 job = Job.query.options(sa.orm.joinedload(Job.tasks)).get(job_id)
 if not job:
 abort(404)
 if not get_access(job):
 abort(404)
+ if job.owner_id != user.id:
+ abort(404)
 logs = list()
 build_user = cfg("git.sr.ht::dispatch", "/usr/bin/buildsrht-keys", "builds:builds").split(":")[0]
 final_status = [
-- 
2.38.5
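Review bot: The owner comparison added after `get_access(job)` has no comment saying why a mismatch is answered with 404, and the removed TODO was the only hint about the job ID scheme. Because the lookup is still `.get(job_id)` on an ID that is not scoped to the user, the enumeration protection depends on the wrong-username, missing-job and access-denied branches staying indistinguishable; a later change to a 403 or a redirect to the canonical URL would again confirm that an unlisted job ID exists. I would add above the check: `# 404, not 403 or a redirect: a wrong owner must look the same as a missing job`. Other handlers in this blueprint that resolve a job by ID alone are not visible in this hunk and presumably need the same check; `job_by_id` itself continues past the end of the hunk.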