From ce86d84c87709ea6efa4bbc16fabe593de5b4a66 Mon Sep 17 00:00:00 2001
From: Tomas Kopecek
Date: Apr 28 2020 08:10:24 +0000
Subject: [PATCH 1/2] hub: admin can't force tag now
Fixes: https://pagure.io/koji/issue/2202
---
diff --git a/hub/kojihub.py b/hub/kojihub.py
index 960c0c6..9ec9bb8 100644
--- a/hub/kojihub.py
+++ b/hub/kojihub.py
@@ -9760,7 +9760,7 @@ def check_policy(name, data, default='deny', strict=False, force=False):
 access: True if the policy result is allow, false otherwise
 reason: reason for the access
 If strict is True, will raise ActionNotAllowed if the action is not 'allow'
- If force is True, policy will pass, but action will be logged
+ If force is True, policy will pass (under admin), but action will be logged
 """
 ruleset = context.policy.get(name)
 if not ruleset:
@@ -9791,12 +9791,14 @@ def check_policy(name, data, default='deny', strict=False, force=False):
 if result != 'deny':
 reason = 'error in policy'
 logger.error("Invalid action in policy %s, rule: %s", name, lastrule)
- if force and context.session.hasPerm('admin'):
- msg = "Policy %s overriden by force: %s" % (name, context.session.user_data["name"])
- if reason:
- msg += ": %s" % reason
- logger.info(msg)
- return True, "overriden by force"
+ if force:
+ user = policy_get_user(data)
+ if 'admin' in koji.auth.get_user_perms(user['id']):
+ msg = "Policy %s overriden by force: %s" % (name, user["name"])
+ if reason:
+ msg += ": %s" % reason
+ logger.info(msg)
+ return True, "overriden by force"
 if not strict:
 return False, reason
 err_str = "policy violation (%s)" % name
From 8da87dfd42d63d9252117b331223b4a70f517ac6 Mon Sep 17 00:00:00 2001
From: Tomas Kopecek
Date: Apr 28 2020 14:08:21 +0000
Subject: [PATCH 2/2] don't traceback on missing user
---
diff --git a/hub/kojihub.py b/hub/kojihub.py
index 9ec9bb8..92fb389 100644
--- a/hub/kojihub.py
+++ b/hub/kojihub.py
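Review bot: In the `if force:` branch of the second hunk, the admin check is now made against the user returned by `policy_get_user(data)` instead of the authenticated session, so the override is only as trustworthy as the `data` each caller hands to check_policy. policy_get_user is not shown on this page; if it resolves the user from an id carried in `data`, callers that pass force=True must fill that id from server-side state and never from request parameters. I would document that on the branch, e.g. `# force is authorized against the policy user in data, not context.session; callers must build data from trusted state`, and make the docstring's "(under admin)" say whose permission is meant. The log line likewise now names only the policy user, so the principal that actually made the call is no longer recorded. check_policy starts and ends outside the hunk.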
@@ -9793,7 +9793,7 @@ def check_policy(name, data, default='deny', strict=False, force=False):
 logger.error("Invalid action in policy %s, rule: %s", name, lastrule)
 if force:
 user = policy_get_user(data)
- if 'admin' in koji.auth.get_user_perms(user['id']):
+ if user and 'admin' in koji.auth.get_user_perms(user['id']):
 msg = "Policy %s overriden by force: %s" % (name, user["name"])
 if reason:
 msg += ": %s" % reason
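Review bot: With the added `user and` guard, a force request that is refused, either because no user resolves or because the user lacks admin, falls through to the normal deny path without any log entry, while a successful override is logged. A refused override attempt is worth a record for anyone reviewing hub logs, so I would add an `else:` to this `if` with `logger.warning("Policy %s: force requested but not permitted", name)`. Falling through to deny when the user is missing is the right fail-closed behaviour and deserves a short comment saying so. The `if` block and check_policy continue past the end of the hunk.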