fix: secure access to comment edits to user who owns the comment

Found along with the previous commit to be a security hole in our
implementation. This commit resolves an issue regarding comment editing.

Signed-off-by: Kevin Morris <kevr@0cost.org>
Kevin Morris 2022-08-15 14:49:34 -07:00
parent 7a52da5587
commit 15d016eb70
No known key found for this signature in database
GPG key ID: F7E46DED420788F3
2 changed files with 18 additions and 0 deletions

@ -286,6 +286,8 @@ async def pkgbase_comment_post(
if not comment:
raise HTTPException(status_code=HTTPStatus.BAD_REQUEST)
elif request.user.ID != db_comment.UsersID:
raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED)
# If the provided comment is different than the record's version,
# update the db record.
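
Review bot: the ownership branch `elif request.user.ID != db_comment.UsersID:` raises `HTTPStatus.UNAUTHORIZED`, which signals missing or failed authentication; if this route already requires a logged-in user, the requester is identified and is being refused access to someone else's record, so `HTTPStatus.FORBIDDEN` is the more accurate status and avoids clients treating the response as a prompt to re-authenticate. Separately, because the check is an `elif` chained after `if not comment:`, a non-owner who submits an empty comment receives 400 before ownership is ever evaluated; moving the ownership comparison ahead of the input validation would make the authorization decision first and keep the response independent of the request body. Only this hunk of the two changed files is visible here, so it is worth confirming the other file adds a test that posts an edit as a user other than `db_comment.UsersID` and asserts the rejection.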