#2203 hub: admin can't force tag now
Merged 2 years ago by tkopecek. Opened 2 years ago by tkopecek.
tkopecek/koji issue2202  into  master

file modified
+9 -7
@@ -9760,7 +9760,7 @@ 

          access: True if the policy result is allow, false otherwise

          reason: reason for the access

      If strict is True, will raise ActionNotAllowed if the action is not 'allow'

-     If force is True, policy will pass, but action will be logged

+     If force is True, policy will pass (under admin), but action will be logged

      """

      ruleset = context.policy.get(name)

      if not ruleset:
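Review bot: The "(under admin)" wording added to the force line of the docstring does not say whose admin permission is checked or what happens when it is absent. The check in the following hunk uses the user returned by policy_get_user(data), so the docstring could read: "If force is True and the user from the policy data has the admin permission, the policy will pass and the override will be logged; otherwise force is ignored."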
@@ -9791,12 +9791,14 @@ 

      if result != 'deny':

          reason = 'error in policy'

          logger.error("Invalid action in policy %s, rule: %s", name, lastrule)

-     if force and context.session.hasPerm('admin'):

-         msg = "Policy %s overriden by force: %s" % (name, context.session.user_data["name"])

-         if reason:

-             msg += ": %s" % reason

-         logger.info(msg)

-         return True, "overriden by force"

+     if force:

+         user = policy_get_user(data)

+         if user and 'admin' in koji.auth.get_user_perms(user['id']):

+             msg = "Policy %s overriden by force: %s" % (name, user["name"])

+             if reason:

+                 msg += ": %s" % reason

+             logger.info(msg)

+             return True, "overriden by force"

      if not strict:

          return False, reason

      err_str = "policy violation (%s)" % name
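Review bot: In the new "if force:" block, a force request whose user is missing or lacks 'admin' falls through to the "if not strict:" handling without any log entry, so rejected override attempts leave no audit trail. Consider a logger.warning on that path naming the policy and, when available, the user. Separately, the admin decision now rests on the user resolved from data via policy_get_user(data) instead of context.session, so the callers should be checked to confirm that the requester cannot choose that user. The "overriden" spelling in the log message and the returned reason could also be corrected, provided nothing matches on the returned string.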

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

2 years ago

Metadata Update from @jcupova:
- Pull-request tagged with: testing-done

2 years ago

policy_get_user() can return None. Granted, in places we're checking policy, it really shouldn't be doing so, but we should still allow for the possibility given how flexible and widespread the policy bits are.

1 new commit added

  • don't traceback on missing user
2 years ago

Commit 9b67c6c fixes this pull-request

Pull-Request has been merged by tkopecek

2 years ago