launchpad-reviewers team mailing list archive

Re: [Merge] ~cjwatson/launchpad:personal-access-token-git into launchpad:master

Diff comments:

> diff --git a/lib/lp/code/xmlrpc/git.py b/lib/lp/code/xmlrpc/git.py
> index 36a19eb..cbec524 100644
> --- a/lib/lp/code/xmlrpc/git.py
> +++ b/lib/lp/code/xmlrpc/git.py
> @@ -207,13 +289,21 @@ class GitAPI(LaunchpadXMLRPCView):
>              # macaroon that specifically grants access to this repository.
>              # This is only permitted for macaroons not bound to a user.
>              writable = _can_internal_issuer_write(verified)
> +        elif (
> +            isinstance(verified, AccessTokenVerificationResult)
> +            and not verified.can_push
> +        ):
> +            # The user authenticated with an access token without the

Is it possible for a user to bypass this check simply by not providing an access token?

> +            # "repository:push" scope, so pushing isn't allowed no matter
> +            # what permissions they might ordinarily have.
> +            writable = False
> +        elif repository.repository_type != GitRepositoryType.HOSTED:
> +            # Normal users can never push to non-hosted repositories.
> +            writable = False
>          else:
>              # This isn't an authorised internal service, so perform normal
>              # user authorisation.
> -            writable = (
> -                repository.repository_type == GitRepositoryType.HOSTED
> -                and check_permission("launchpad.Edit", repository)
> -            )
> +            writable = check_permission("launchpad.Edit", repository)
>              if not writable:
>                  grants = naked_repository.findRuleGrantsByGrantee(requester)
>                  if not grants.is_empty():
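Review bot: the new `not verified.can_push` branch deserves an explicit regression test alongside this change: a user who holds `launchpad.Edit` on a hosted repository should still end up with `writable = False` when their access token lacks the `repository:push` scope, because that `elif` short-circuits before the `else` branch ever reaches `check_permission("launchpad.Edit", repository)` or the `findRuleGrantsByGrantee(requester)` lookup. The mirror case is worth asserting too, namely that a token which does carry the scope falls through to the ordinary authorisation path rather than being granted write access on its own, so a token scope can only narrow what the user could already do. Ordering-wise, placing the token check ahead of the `repository_type != GitRepositoryType.HOSTED` check is fine since both deny, but a one-line comment noting that the two `elif` arms are independent denials would make the intent clearer to the next reader.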


-- 
https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/433538
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:personal-access-token-git into launchpad:master.