Restrict webhooks to trusted users
This commit is contained in:
rubenwardy
parent
e12aec4ccd
commit
493917d8b1
|
|
@ -23,7 +23,7 @@ from flask_user import current_user, login_required
|
||||||
from sqlalchemy import func
|
from sqlalchemy import func
|
||||||
from flask_github import GitHub
|
from flask_github import GitHub
|
||||||
from app import github, csrf
|
from app import github, csrf
|
||||||
from app.models import db, User, APIToken, Package
|
from app.models import db, User, APIToken, Package, Permission
|
||||||
from app.utils import loginUser, randomString
|
from app.utils import loginUser, randomString
|
||||||
from app.blueprints.api.support import error, handleCreateRelease
|
from app.blueprints.api.support import error, handleCreateRelease
|
||||||
import hmac, requests, json
|
import hmac, requests, json
|
||||||
|
|
@ -114,6 +114,9 @@ def webhook():
|
||||||
if actual_token is None:
|
if actual_token is None:
|
||||||
return error(403, "Invalid authentication")
|
return error(403, "Invalid authentication")
|
||||||
|
|
||||||
|
if not package.checkPerm(actual_token.owner, Permission.APPROVE_RELEASE):
|
||||||
|
return error(403, "Only trusted members can use webhooks")
|
||||||
|
|
||||||
#
|
#
|
||||||
# Check event
|
# Check event
|
||||||
#
|
#
|
||||||
|
|
@ -163,6 +166,10 @@ def setup_webhook():
|
||||||
if package is None:
|
if package is None:
|
||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
|
if not package.checkPerm(current_user, Permission.APPROVE_RELEASE):
|
||||||
|
flash("Only trusted members can use webhooks", "danger")
|
||||||
|
return redirect(package.getDetailsURL())
|
||||||
|
|
||||||
gh_user, gh_repo = package.getGitHubFullName()
|
gh_user, gh_repo = package.getGitHubFullName()
|
||||||
if gh_user is None or gh_repo is None:
|
if gh_user is None or gh_repo is None:
|
||||||
flash("Unable to get Github full name from repo address", "danger")
|
flash("Unable to get Github full name from repo address", "danger")
|
||||||
|
|
@ -207,15 +214,16 @@ def setup_webhook():
|
||||||
db.session.commit()
|
db.session.commit()
|
||||||
|
|
||||||
return redirect(package.getDetailsURL())
|
return redirect(package.getDetailsURL())
|
||||||
elif r.status_code == 403:
|
elif r.status_code == 401 or r.status_code == 403:
|
||||||
current_user.github_access_token = None
|
current_user.github_access_token = None
|
||||||
db.session.commit()
|
db.session.commit()
|
||||||
|
|
||||||
return github.authorize("write:repo_hook", \
|
return github.authorize("write:repo_hook", \
|
||||||
redirect_uri=url_for("github.callback_webhook", pid=pid, _external=True))
|
redirect_uri=url_for("github.callback_webhook", pid=pid, _external=True))
|
||||||
else:
|
else:
|
||||||
flash("Failed to create webhook, received response from Github: " +
|
flash("Failed to create webhook, received response from Github " +
|
||||||
str(r.json().get("message") or r.status_code), "danger")
|
str(r.status_code) + ": " +
|
||||||
|
str(r.json().get("message")), "danger")
|
||||||
|
|
||||||
return render_template("github/setup_webhook.html", \
|
return render_template("github/setup_webhook.html", \
|
||||||
form=form, package=package)
|
form=form, package=package)
|
||||||
|
|
|
||||||
|
|
@ -364,7 +364,7 @@
|
||||||
</ul>
|
</ul>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
{% if package.getIsOnGitHub() %}
|
{% if package.author == current_user and package.checkPerm(current_user, "APPROVE_RELEASE") and package.getIsOnGitHub() %}
|
||||||
<p class="small text-centered">
|
<p class="small text-centered">
|
||||||
<a href="{{ url_for('github.setup_webhook', pid=package.id) }}">
|
<a href="{{ url_for('github.setup_webhook', pid=package.id) }}">
|
||||||
Set up a webhook
|
Set up a webhook
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue