From 281a664a07008c59e691e2cfc74de4cf1ffc1e13 Mon Sep 17 00:00:00 2001
From: Tomas Kopecek
Date: Oct 14 2019 08:25:43 +0000
Subject: PR#1685: Tag permission can be used for un/tagBuildBypass
Merges #1685 https://pagure.io/koji/pull-request/1685
Fixes: #1510 tag permission vs un/tagBuildBypass https://pagure.io/koji/issue/1510
---
diff --git a/docs/source/permissions.rst b/docs/source/permissions.rst
index f96597b..f1c93b3 100644
--- a/docs/source/permissions.rst
+++ b/docs/source/permissions.rst
@@ -51,7 +51,8 @@ The following permissions govern access to key administrative actions.
 Restricted permission for handling host-related management tasks.
 ``tag``
- Permission for adding/deleting/editing tags
+ Permission for adding/deleting/editing tags.
+ Allows use of the tagBuildBypass and untagBuildBypass API calls.
 ``target``
 Permission for adding/deleting/editing targets
diff --git a/hub/kojihub.py b/hub/kojihub.py
index bcf2a2d..724df28 100644
--- a/hub/kojihub.py
+++ b/hub/kojihub.py
@@ -9991,13 +9991,20 @@ class RootExports(object):
 """Tag a build without running post checks
 This is a short circuit function for imports.
- Admin permission required.
+ Admin or tag permission required.
 Tagging with a locked tag is not allowed unless force is true.
 Retagging is not allowed unless force is true. (retagging changes the order of entries will affect which build is the latest)
 """
- context.session.assertPerm('admin')
+ if force:
+ context.session.assertPerm('admin')
+ else:
+ context.session.assertPerm('tag')
+ tag_id = get_tag(tag, strict=True)['id']
+ build_id = get_build(build, strict=True)['id']
+ policy_data = {'tag' : tag_id, 'build' : build_id, 'fromtag' : None, 'operation' : 'tag'}
+ assert_policy('tag', policy_data)
 _tag_build(tag, build, force=force)
 if notify:
 tag_notification(True, tag, None, build, context.session.user_id)
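Review bot: In the non-force branch of tagBuildBypass the policy is evaluated on the resolved `tag_id`/`build_id`, but `_tag_build(tag, build, force=force)` still receives the caller's original `tag` and `build` values and presumably resolves them again. Nothing visible here shows the two lookups can diverge, but the authorisation decision is easier to audit when the object checked and the object acted on are the same handle: run the two lookups after the permission assert in both branches and call `_tag_build(tag_id, build_id, force=force)`, assuming `_tag_build` accepts ids (its body is not in this hunk). The untagBuildBypass hunk has the same shape with `_untag_build(tag, build, strict=strict, force=force)`. The `if force:` branch also deserves a comment such as `# force overrides tag locks and skips the 'tag' policy check, so it stays admin-only`. The method's `def` line is above this hunk.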
@@ -10090,11 +10097,18 @@ class RootExports(object):
 def untagBuildBypass(self, tag, build, strict=True, force=False, notify=True):
 """Untag a build without any checks
- Admins only. Intended for syncs/imports.
+ Admin and tag permission only. Intended for syncs/imports.
 Unlike tagBuild, this does not create a task
 No return value"""
- context.session.assertPerm('admin')
+ if force:
+ context.session.assertPerm('admin')
+ else:
+ context.session.assertPerm('tag')
+ tag_id = get_tag(tag, strict=True)['id']
+ build_id = get_build(build, strict=True)['id']
+ policy_data = {'tag' : None, 'build' : build_id, 'fromtag' : tag_id, 'operation' : 'untag'}
+ assert_policy('tag', policy_data)
 _untag_build(tag, build, strict=strict, force=force)
 if notify:
 tag_notification(True, None, tag, build, context.session.user_id)
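Review bot: The untagBuildBypass docstring no longer matches the code: it still opens with "Untag a build without any checks" although the non-force path now runs `assert_policy('tag', policy_data)`, and "Admin and tag permission only" reads as if both permissions were required. Suggested wording: `Without force: 'tag' permission plus a passing 'tag' policy check. With force=True: 'admin' permission, no policy check.` The tagBuildBypass docstring ("Admin or tag permission required") and the new permissions.rst sentence have the same gap, since neither says that `force` remains admin-only or that the hub policy bounds what a `tag` holder may do. Existing holders of `tag` gain both calls when this lands, so the widened scope of that permission should be stated explicitly in the docs.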