From f0bc357a43f03479432a63b74b2927ed56fe704b Mon Sep 17 00:00:00 2001
From: Brendan Reilly <breilly@redhat.com>
Date: Oct 08 2019 20:15:06 +0000
Subject: [PATCH 1/2] Tag permission can be used for un/tagBuildBypass


Fixes: #1510

---

diff --git a/hub/kojihub.py b/hub/kojihub.py
index 1547c7f..6c52615 100644
--- a/hub/kojihub.py
+++ b/hub/kojihub.py
@@ -9856,13 +9856,20 @@ class RootExports(object):
         """Tag a build without running post checks
 
         This is a short circuit function for imports.
-        Admin permission required.
+        Admin or tag permission required.
 
         Tagging with a locked tag is not allowed unless force is true.
         Retagging is not allowed unless force is true. (retagging changes the order
         of entries will affect which build is the latest)
         """
-        context.session.assertPerm('admin')
+        if force:
+            context.session.assertPerm('admin')
+        else:
+            context.session.assertPerm('tag')
+            tag_id = get_tag(tag, strict=True)['id']
+            build_id = get_build(build, strict=True)['id']
+            policy_data = {'tag' : tag_id, 'build' : build_id, 'fromtag' : None, 'operation' : 'tag'}
+            assert_policy('tag', policy_data)
         _tag_build(tag, build, force=force)
         if notify:
             tag_notification(True, tag, None, build, context.session.user_id)
@@ -9955,11 +9962,18 @@ class RootExports(object):
     def untagBuildBypass(self, tag, build, strict=True, force=False, notify=True):
         """Untag a build without any checks
 
-        Admins only. Intended for syncs/imports.
+        Admin and tag permission only. Intended for syncs/imports.
 
         Unlike tagBuild, this does not create a task
         No return value"""
-        context.session.assertPerm('admin')
+        if force:
+            context.session.assertPerm('admin')
+        else:
+            context.session.assertPerm('tag')
+            tag_id = get_tag(tag, strict=True)['id']
+            build_id = get_build(build, strict=True)['id']
+            policy_data = {'tag' : None, 'build' : build_id, 'fromtag' : tag_id, 'operation' : 'untag'}
+            assert_policy('tag', policy_data)
         _untag_build(tag, build, strict=strict, force=force)
         if notify:
             tag_notification(True, None, tag, build, context.session.user_id)

From 3d76bc65eb9958d7253649c9e91142bbbb8cde25 Mon Sep 17 00:00:00 2001
From: Brendan Reilly <breilly@redhat.com>
Date: Oct 09 2019 17:33:12 +0000
Subject: [PATCH 2/2] Updated docs for tag permission


---

diff --git a/docs/source/permissions.rst b/docs/source/permissions.rst
index f96597b..f1c93b3 100644
--- a/docs/source/permissions.rst
+++ b/docs/source/permissions.rst
@@ -51,7 +51,8 @@ The following permissions govern access to key administrative actions.
   Restricted permission for handling host-related management tasks.
 
 ``tag``
-  Permission for adding/deleting/editing tags
+  Permission for adding/deleting/editing tags.
+  Allows use of the tagBuildBypass and untagBuildBypass API calls.
 
 ``target``
   Permission for adding/deleting/editing targets