#4295 Fix delete permission detection for PRs against the same repo
Opened 9 months ago by puiterwijk. Modified 8 months ago
puiterwijk/pagure fix_delete_difproj  into  master

file modified
+6 -2

@@ -331,7 +331,9 @@ 

      can_delete_branch = (

          pagure_config.get("ALLOW_DELETE_BRANCH", True)

          and not request.remote_git

-         and pagure.utils.is_repo_committer(request.project_from)

+         and pagure.utils.is_repo_committer(

+             request.project_from or request.project

+         )

      )

      return flask.render_template(

          "repo_pull_request.html",

@@ -1134,7 +1136,9 @@ 

                      requestid=requestid,

                  )

              )

-         if not pagure.utils.is_repo_committer(request.project_from):

+         if not pagure.utils.is_repo_committer(

+             request.project_from or request.project

+         ):

              flask.flash(

                  "You do not have permissions to delete the branch in the "

                  "source repo",

If the repository the PR is against is the same as the PR is from, "request.project_from"
is None, and we should check "request.project" to see whether the person has permission
to delete branches.

This was causing "repo_obj" in is_repo_committer to be None.
The reason this wasn't encountered by any admins is because is_repo_committer returns
True with "is_admin()" before it even gets to using repo_obj.

Signed-off-by: Patrick Uiterwijk patrick@puiterwijk.org

rebased onto eb4d17dd0a9db25bea7540718761bfaa69063afb

9 months ago

Oh, nice catch!

Should we add tests for this somewhere?

rebased onto e88504b

9 months ago

I'd love to get this in 5.4 but I'd want unit-tests for it :(