Integrated: 1903: Verify User's repository access when processing backport command
Zhao Song
zsong at openjdk.org
Mon Jun 5 16:02:20 UTC 2023
On Tue, 9 May 2023 21:05:01 GMT, Zhao Song <zsong at openjdk.org> wrote:
> In GitLab, every project is under a group. If a user doesn't have access to the group, then the user will not be able to see any project under the group.
>
> However, when processing the backport command, the bot will not verify the user's group membership, so it's possible for the bot to create a pull request that is invisible to the user.
>
> For example, if a user has access to "groupA" but not "groupB", then he can issue the "/backport groupB/repo2" command on one of the commits in "groupA/repo1". In this case, the Skara bot would create a PR that is invisible to the user.
>
> To fix this issue, we need to verify the user's membership after we get the targetRepo. `GitLabRepository#canPush` is very helpful.
This pull request has now been integrated.
Changeset: 1ac2ffa4
Author: Zhao Song <zsong at openjdk.org>
URL: https://git.openjdk.org/skara/commit/1ac2ffa4e297eba8dec482bc524be87aa5becfa7
Stats: 37 lines in 6 files changed: 37 ins; 0 del; 0 mod
1903: Verify User's repository access when processing backport command
Reviewed-by: erikj
-------------
PR: https://git.openjdk.org/skara/pull/1516
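The problem described in the PR text is a confused-deputy pattern: the bot acts with its own forge credentials, so the fact that the bot can reach "groupB/repo2" says nothing about whether the commenting user may. The sketch below is an added example, not Skara's code; the `Repository`, `Forge` and `handleBackport*` names are hypothetical stand-ins, and `Repository.canPush` is a simplified model of the `GitLabRepository#canPush` check the PR mentions. The sample data is constructed to match the groupA/groupB scenario in the message.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Added example (not Skara's code). Models the missing authorization check:
 * a bot that resolves the target of "/backport <group>/<repo>" must verify
 * the *requesting user's* access to that target before opening a PR there
 * with its own (broader) credentials.
 */
public class BackportAccessCheck {

    /** Hypothetical stand-in for a hosted GitLab project and its members. */
    record Repository(String group, String name, Set<String> membersWithPush) {
        String fullName() { return group + "/" + name; }

        /** Simplified model of GitLabRepository#canPush: true only for project members. */
        boolean canPush(String username) { return membersWithPush.contains(username); }
    }

    /** Hypothetical stand-in for the forge as seen by the bot's credentials. */
    record Forge(Map<String, Repository> repositories) {
        Optional<Repository> repository(String fullName) {
            return Optional.ofNullable(repositories.get(fullName));
        }
    }

    /** Outcome of handling one "/backport <target>" command. */
    enum Outcome { PR_CREATED, TARGET_NOT_FOUND, ACCESS_DENIED }

    /** Before the fix: anyone who can comment on the source repo can make the bot open a PR anywhere the bot can reach. */
    static Outcome handleBackportVulnerable(Forge forge, String user, String target) {
        var repo = forge.repository(target);
        if (repo.isEmpty()) return Outcome.TARGET_NOT_FOUND;
        return createPullRequest(repo.get(), user);
    }

    /** After the fix: check the requesting user's own access to the resolved target before acting on their behalf. */
    static Outcome handleBackportFixed(Forge forge, String user, String target) {
        var repo = forge.repository(target);
        if (repo.isEmpty()) return Outcome.TARGET_NOT_FOUND;
        if (!repo.get().canPush(user)) {
            // Refuse before any side effect: no branch push, no PR, nothing the user could not see anyway.
            return Outcome.ACCESS_DENIED;
        }
        return createPullRequest(repo.get(), user);
    }

    private static Outcome createPullRequest(Repository target, String onBehalfOf) {
        // The real bot would push a branch and open the PR with its own credentials here.
        System.out.printf("Created PR in %s on behalf of %s%n", target.fullName(), onBehalfOf);
        return Outcome.PR_CREATED;
    }

    public static void main(String[] args) {
        // Constructed sample data: "alice" is a member of groupA/repo1 but not of groupB/repo2.
        var repo1 = new Repository("groupA", "repo1", Set.of("alice", "bob"));
        var repo2 = new Repository("groupB", "repo2", Set.of("bob"));
        var forge = new Forge(Map.of(repo1.fullName(), repo1, repo2.fullName(), repo2));

        System.out.println("vulnerable: " + handleBackportVulnerable(forge, "alice", "groupB/repo2"));
        System.out.println("fixed:      " + handleBackportFixed(forge, "alice", "groupB/repo2"));
        System.out.println("fixed:      " + handleBackportFixed(forge, "alice", "groupA/repo1"));
    }
}
```

The vulnerable handler creates the PR in groupB/repo2 for alice even though she cannot see that project; the fixed handler denies it and only proceeds for groupA/repo1. The check sits after target resolution and before any side effect, which is the ordering the PR description calls for: the bot's own ability to find or push to the target is never a substitute for the user's.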
More information about the skara-dev mailing list