From 0aa48917a896c3792a098007048f94b689eeec96 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Jul 18 2018 13:21:07 +0000 Subject: Make the settings of a project private Fixes CVE: CVE-2018-1002156 Fixes https://pagure.io/pagure/issue/3411 Signed-off-by: Pierre-Yves Chibon
---
diff --git a/pagure/api/user.py b/pagure/api/user.py
index e8345bb..9ab7df5 100644
--- a/pagure/api/user.py
+++ b/pagure/api/user.py
@@ -58,18 +58,6 @@ def api_view_user(username):
 "custom_keys": [],
 "description": "",
 "parent": null,
- "settings": {
- "issues_default_to_private": false,
- "Minimum_score_to_merge_pull-request": -1,
- "Web-hooks": None,
- "fedmsg_notifications": true,
- "always_merge": false,
- "project_documentation": true,
- "Enforce_signed-off_commits_in_pull-request": false,
- "pull_requests": true,
- "Only_assignee_can_merge_pull-request": false,
- "issue_tracker": true
- },
 "tags": [],
 "namespace": None,
 "priorities": {},
diff --git a/pagure/lib/model.py b/pagure/lib/model.py
index 8da2fc8..7b2874d 100644
--- a/pagure/lib/model.py
+++ b/pagure/lib/model.py
@@ -899,7 +899,7 @@ class Project(BASE):
 'close_status': self.close_status,
 'milestones': self.milestones,
 }
- if not api:
+ if not api and not public:
 output['settings'] = self.settings
 return output
diff --git a/tests/test_pagure_flask_api_group.py b/tests/test_pagure_flask_api_group.py
index 5a87a2e..7834cf3 100644
--- a/tests/test_pagure_flask_api_group.py
+++ b/tests/test_pagure_flask_api_group.py
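Review bot: In the `pagure/lib/model.py` hunk, `self.settings` is still serialised by default: the new guard `if not api and not public:` drops it only when a caller passes one of the two flags, so any path that serialises a project with neither flag set keeps emitting the settings block, which per the fixtures in this commit carries the `Web-hooks` value. The method's signature and its callers are outside the hunk, so whether such a path reaches an unprivileged consumer cannot be confirmed from here; the call sites are worth auditing. A fail-closed shape would make inclusion of settings opt-in rather than opt-out. At minimum I would add a comment above the guard: `# settings may hold sensitive values (e.g. web-hook URLs): only expose them for internal, non-public serialisation`.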
@@ -311,23 +311,6 @@ class PagureFlaskApiGroupTests(tests.SimplePagureTest):
 "namespace": None,
 "parent": None,
 "priorities": {},
- "settings": {
- "Enforce_signed-off_commits_in_pull-request": False,
- "Minimum_score_to_merge_pull-request": -1,
- "Only_assignee_can_merge_pull-request": False,
- "Web-hooks": None,
- "always_merge": False,
- "fedmsg_notifications": True,
- "issue_tracker": True,
- "issues_default_to_private": False,
- "notify_on_commit_flag": False,
- "notify_on_pull-request_flag": False,
- "project_documentation": False,
- "pull_request_access_only": False,
- "pull_requests": True,
- "roadmap_on_issues_page": False,
- "stomp_notifications": True,
- },
 "tags": [],
 "url_path": "test2",
 "user": {
@@ -405,23 +388,6 @@ class PagureFlaskApiGroupTests(tests.SimplePagureTest):
 "namespace": None,
 "parent": None,
 "priorities": {},
- "settings": {
- "Enforce_signed-off_commits_in_pull-request": False,
- "Minimum_score_to_merge_pull-request": -1,
- "Only_assignee_can_merge_pull-request": False,
- "Web-hooks": None,
- "always_merge": False,
- "fedmsg_notifications": True,
- "issue_tracker": True,
- "issues_default_to_private": False,
- "notify_on_commit_flag": False,
- "notify_on_pull-request_flag": False,
- "project_documentation": False,
- "pull_request_access_only": False,
- "pull_requests": True,
- "roadmap_on_issues_page": False,
- "stomp_notifications": True,
- },
 "tags": [],
 "url_path": "test2",
 "user": {
@@ -495,23 +461,6 @@ class PagureFlaskApiGroupTests(tests.SimplePagureTest):
 "namespace": None,
 "parent": None,
 "priorities": {},
- "settings": {
- "Enforce_signed-off_commits_in_pull-request": False,
- "Minimum_score_to_merge_pull-request": -1,
- "Only_assignee_can_merge_pull-request": False,
- "Web-hooks": None,
- "always_merge": False,
- "fedmsg_notifications": True,
- "issue_tracker": True,
- "issues_default_to_private": False,
- "notify_on_commit_flag": False,
- "notify_on_pull-request_flag": False,
- "project_documentation": False,
- "pull_request_access_only": False,
- "pull_requests": True,
- "roadmap_on_issues_page": False,
- "stomp_notifications": True,
- },
 "tags": [],
 "url_path": "test2",
 "user": {
diff --git a/tests/test_pagure_flask_api_user.py b/tests/test_pagure_flask_api_user.py
index d7b99fd..d8f8a17 100644
--- a/tests/test_pagure_flask_api_user.py
+++ b/tests/test_pagure_flask_api_user.py
@@ -122,23 +122,6 @@ class PagureFlaskApiUSertests(tests.Modeltests):
 "namespace": None,
 "parent": None,
 "priorities": {},
- "settings": {
- "Enforce_signed-off_commits_in_pull-request": False,
- "Minimum_score_to_merge_pull-request": -1,
- "Only_assignee_can_merge_pull-request": False,
- "Web-hooks": None,
- "always_merge": False,
- "fedmsg_notifications": True,
- "issue_tracker": True,
- "issues_default_to_private": False,
- "notify_on_commit_flag": False,
- "notify_on_pull-request_flag": False,
- "pull_request_access_only": False,
- "project_documentation": False,
- "pull_requests": True,
- "roadmap_on_issues_page": False,
- "stomp_notifications": True,
- },
 "tags": [],
 "user": {
 "fullname": "PY C",
@@ -175,23 +158,6 @@ class PagureFlaskApiUSertests(tests.Modeltests):
 "namespace": None,
 "parent": None,
 "priorities": {},
- "settings": {
- "Enforce_signed-off_commits_in_pull-request": False,
- "Minimum_score_to_merge_pull-request": -1,
- "Only_assignee_can_merge_pull-request": False,
- "Web-hooks": None,
- "always_merge": False,
- "fedmsg_notifications": True,
- "issue_tracker": True,
- "issues_default_to_private": False,
- "notify_on_commit_flag": False,
- "notify_on_pull-request_flag": False,
- "pull_request_access_only": False,
- "project_documentation": False,
- "pull_requests": True,
- "roadmap_on_issues_page": False,
- "stomp_notifications": True,
- },
 "tags": [],
 "user": {
 "fullname": "PY C",
@@ -227,23 +193,6 @@ class PagureFlaskApiUSertests(tests.Modeltests):
 "namespace": "somenamespace",
 "parent": None,
 "priorities": {},
- "settings": {
- "Enforce_signed-off_commits_in_pull-request": False,
- "Minimum_score_to_merge_pull-request": -1,
- "Only_assignee_can_merge_pull-request": False,
- "Web-hooks": None,
- "always_merge": False,
- "fedmsg_notifications": True,
- "issue_tracker": True,
- "issues_default_to_private": False,
- "notify_on_commit_flag": False,
- "notify_on_pull-request_flag": False,
- "project_documentation": False,
- "pull_request_access_only": False,
- "pull_requests": True,
- "roadmap_on_issues_page": False,
- "stomp_notifications": True,
- },
 "tags": [],
 "user": {
 "fullname": "PY C",