#1685 Tag permission can be used for un/tagBuildBypass
Merged 2 years ago by tkopecek. Opened 2 years ago by breilly.
breilly/koji tagbuildbypass-1510  into  master

file modified
+2 -1
@@ -51,7 +51,8 @@ 

    Restricted permission for handling host-related management tasks.

  

  ``tag``

-   Permission for adding/deleting/editing tags

+   Permission for adding/deleting/editing tags.

+   Allows use of the tagBuildBypass and untagBuildBypass API calls.

  

  ``target``

    Permission for adding/deleting/editing targets
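
Review bot: the sentence added under ``tag`` overstates what the permission grants. In the code change in this same PR, a call with force=True still requires admin, and the non-force path is additionally gated by assert_policy('tag', ...). Suggest wording such as "Allows use of the tagBuildBypass and untagBuildBypass API calls when force is not set, subject to the tag policy; force still requires admin." so that operators granting ``tag`` know exactly what they are delegating.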

file modified
+18 -4
@@ -9856,13 +9856,20 @@ 

          """Tag a build without running post checks

  

          This is a short circuit function for imports.

-         Admin permission required.

+         Admin or tag permission required.

  

          Tagging with a locked tag is not allowed unless force is true.

          Retagging is not allowed unless force is true. (retagging changes the order

          of entries will affect which build is the latest)

          """

-         context.session.assertPerm('admin')

+         if force:

+             context.session.assertPerm('admin')

+         else:

+             context.session.assertPerm('tag')

+             tag_id = get_tag(tag, strict=True)['id']

+             build_id = get_build(build, strict=True)['id']

+             policy_data = {'tag' : tag_id, 'build' : build_id, 'fromtag' : None, 'operation' : 'tag'}

+             assert_policy('tag', policy_data)

          _tag_build(tag, build, force=force)

          if notify:

              tag_notification(True, tag, None, build, context.session.user_id)
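
Review bot: the new else branch changes behaviour for admin callers as well, and the docstring does not say so. Before, assertPerm('admin') was the only gate ahead of _tag_build; now any call with force=False runs assert_policy('tag', policy_data), so an import that previously bypassed policy can be rejected by it. The docstring line "Admin or tag permission required." should state that force=True is admin-only and that the non-force path is subject to the tag policy, and the summary "Tag a build without running post checks" should be checked against that. Style: `'tag' : tag_id` puts whitespace before the colon (PEP 8), and the policy_data line is long enough to wrap.
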
@@ -9955,11 +9962,18 @@ 

      def untagBuildBypass(self, tag, build, strict=True, force=False, notify=True):

          """Untag a build without any checks

  

-         Admins only. Intended for syncs/imports.

+         Admin and tag permission only. Intended for syncs/imports.

  

          Unlike tagBuild, this does not create a task

          No return value"""

-         context.session.assertPerm('admin')

+         if force:

+             context.session.assertPerm('admin')

+         else:

+             context.session.assertPerm('tag')

+             tag_id = get_tag(tag, strict=True)['id']

+             build_id = get_build(build, strict=True)['id']

+             policy_data = {'tag' : None, 'build' : build_id, 'fromtag' : tag_id, 'operation' : 'untag'}

+             assert_policy('tag', policy_data)

          _untag_build(tag, build, strict=strict, force=force)

          if notify:

              tag_notification(True, None, tag, build, context.session.user_id)
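
Review bot: the new docstring line "Admin and tag permission only." reads as if both permissions are required, while the code asks for admin only when force is set and for tag otherwise. The summary "Untag a build without any checks" is also no longer accurate, because the non-force path now runs assert_policy('tag', policy_data). Suggest aligning the wording with tagBuildBypass and mentioning both force and the policy check. The permission-and-policy block is duplicated between the two methods, differing only in the tag/fromtag/operation values; a small shared helper would keep the two from drifting apart.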

rebased onto f0bc357

2 years ago

@breilly, could you please update the doc for permissions as well?
This PR gives a new ability to the "tag" perm.

1 new commit added

  • Updated docs for tag permission
2 years ago

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

2 years ago

Commit 281a664 fixes this pull-request

Pull-Request has been merged by tkopecek

2 years ago