fix: guard POST keywords & allow co-maintainers to see keyword form

This addresses a severe security issue, which is omitted from this git message for obscurity purposes. Otherwise, it allows co-maintainers to see the keyword form when viewing a package they co-maintain. Closes #378 Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2022-08-15 13:57:32 -07:00 · 2022-08-15 13:57:32 -07:00 · 7a52da5587
commit 7a52da5587
parent 7b047578fd
4 changed files with 28 additions and 5 deletions
--- a/test/test_pkgbase_routes.py
+++ b/test/test_pkgbase_routes.py
@ -1378,7 +1378,8 @@ def test_pkgbase_keywords(client: TestClient, user: User, package: Package):
    keywords = root.xpath('//a[@class="keyword"]')
    assert len(keywords) == 0

-    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    maint = package.PackageBase.Maintainer
+    cookies = {"AURSID": maint.login(Request(), "testPassword")}
    post_endpoint = f"{endpoint}/keywords"
    with client as request:
        resp = request.post(post_endpoint, data={
@ -1408,7 +1409,8 @@ def test_pkgbase_empty_keywords(client: TestClient, user: User, package: Package
    keywords = root.xpath('//a[@class="keyword"]')
    assert len(keywords) == 0

-    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    maint = package.PackageBase.Maintainer
+    cookies = {"AURSID": maint.login(Request(), "testPassword")}
    post_endpoint = f"{endpoint}/keywords"
    with client as request:
        resp = request.post(post_endpoint, data={
@ -1426,3 +1428,16 @@ def test_pkgbase_empty_keywords(client: TestClient, user: User, package: Package
    expected = ["abc", "bar", "foo", "test"]
    for i, keyword in enumerate(keywords):
        assert keyword.text.strip() == expected[i]
+
+
+def test_unauthorized_pkgbase_keywords(client: TestClient, package: Package):
+    with db.begin():
+        user = db.create(User, Username="random_user", Email="random_user",
+                         Passwd="testPassword")
+
+    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    with client as request:
+        pkgbase = package.PackageBase
+        endp = f"/pkgbase/{pkgbase.Name}/keywords"
+        response = request.post(endp, cookies=cookies)
+    assert response.status_code == HTTPStatus.UNAUTHORIZED
--- a/test/test_templates.py
+++ b/test/test_templates.py
@ -282,7 +282,8 @@ def test_package_details(user: User, package: Package):
        "git_clone_uri_anon": GIT_CLONE_URI_ANON,
        "git_clone_uri_priv": GIT_CLONE_URI_PRIV,
        "pkgbase": package.PackageBase,
-        "pkg": package
+        "pkg": package,
+        "comaintainers": [],
    })

    base = base_template("partials/packages/details.html")
@ -316,6 +317,7 @@ def test_package_details_filled(user: User, package: Package):
        "git_clone_uri_priv": GIT_CLONE_URI_PRIV,
        "pkgbase": package.PackageBase,
        "pkg": package,
+        "comaintainers": [],
        "licenses": package.package_licenses,
        "provides": package.package_relations.filter(
            PackageRelation.RelTypeID == PROVIDES_ID),