fix: guard POST keywords & allow co-maintainers to see keyword form

This addresses a severe security issue, which is omitted from this
git message for obscurity purposes.

Otherwise, it allows co-maintainers to see the keyword form when
viewing a package they co-maintain.

Closes #378

Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit is contained in:
Kevin Morris 2022-08-15 13:57:32 -07:00
parent 7b047578fd
commit 7a52da5587
No known key found for this signature in database
GPG key ID: F7E46DED420788F3
4 changed files with 28 additions and 5 deletions


@ -33,10 +33,10 @@
</td>
</tr>
{% endif %}
{% if pkgbase.keywords.count() or request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer]) %}
{% if pkgbase.keywords.count() or request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer] + comaintainers) %}
<tr>
<th>{{ "Keywords" | tr }}:</th>
{% if request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer]) %}
{% if request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer] + comaintainers) %}
<td>
<form method="post"
action="/pkgbase/{{ pkgbase.Name }}/keywords"
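Review bot: `comaintainers` is a new name in this template (lines `{% if pkgbase.keywords.count() or request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer] + comaintainers) %}` and the inner `{% if ... %}`) and nothing in this hunk shows where it comes from, so confirm that every route rendering this template always supplies it as a list; a missing value would make the `+` concatenation fail at render time for the package page. Since the same `has_credential(...)` expression now appears twice and must stay in sync, consider computing it once with a `{% set %}` above the row and reusing it for both conditions. Keep in mind this change only controls who sees the form; the authorization that actually matters is the guard on the POST keywords handler named in the commit title, which is outside this hunk.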