Restrict webhooks to trusted users

2020-01-25 00:04:56 +00:00 · 2020-01-25 00:04:56 +00:00 · 493917d8b1
parent e12aec4ccd
commit 493917d8b1
2 changed files with 13 additions and 5 deletions
--- a/app/blueprints/github/init.py
+++ b/app/blueprints/github/init.py
@ -23,7 +23,7 @@ from flask_user import current_user, login_required
 from sqlalchemy import func
 from flask_github import GitHub
 from app import github, csrf
-from app.models import db, User, APIToken, Package
+from app.models import db, User, APIToken, Package, Permission
 from app.utils import loginUser, randomString
 from app.blueprints.api.support import error, handleCreateRelease
 import hmac, requests, json
@ -114,6 +114,9 @@ def webhook():
 	if actual_token is None:
 		return error(403, "Invalid authentication")

+	if not package.checkPerm(actual_token.owner, Permission.APPROVE_RELEASE):
+		return error(403, "Only trusted members can use webhooks")
+
 	#
 	# Check event
 	#
@ -163,6 +166,10 @@ def setup_webhook():
 	if package is None:
 		abort(404)

+	if not package.checkPerm(current_user, Permission.APPROVE_RELEASE):
+		flash("Only trusted members can use webhooks", "danger")
+		return redirect(package.getDetailsURL())
+
 	gh_user, gh_repo = package.getGitHubFullName()
 	if gh_user is None or gh_repo is None:
 		flash("Unable to get Github full name from repo address", "danger")
@ -207,15 +214,16 @@ def setup_webhook():
 			db.session.commit()

 			return redirect(package.getDetailsURL())
-		elif r.status_code == 403:
+		elif r.status_code == 401 or r.status_code == 403:
 			current_user.github_access_token = None
 			db.session.commit()

 			return github.authorize("write:repo_hook", \
 				redirect_uri=url_for("github.callback_webhook", pid=pid, _external=True))
 		else:
-			flash("Failed to create webhook, received response from Github: " +
-				str(r.json().get("message") or r.status_code), "danger")
+			flash("Failed to create webhook, received response from Github " +
+				str(r.status_code) + ": " +
+				str(r.json().get("message")), "danger")

 	return render_template("github/setup_webhook.html", \
 		form=form, package=package)
--- a/app/templates/packages/view.html
+++ b/app/templates/packages/view.html
@ -364,7 +364,7 @@
 				</ul>
 			</div>

-			{% if package.getIsOnGitHub() %}
+			{% if package.author == current_user and package.checkPerm(current_user, "APPROVE_RELEASE") and package.getIsOnGitHub() %}
 			<p class="small text-centered">
 				<a href="{{ url_for('github.setup_webhook', pid=package.id) }}">
 					Set up a webhook