RFR: 1903: Verify User's group membership when processing backport command
Zhao Song
zsong at openjdk.org
Tue May 9 21:23:41 UTC 2023
In GitLab, every project is under a group. If a user doesn't have access to the group, then the user will not be able to see any project under the group.
However, when processing a backport command, the bot will not verify the user's group membership, so it's possible for the bot to create a pull request that is invisible to the user.
For example, if a user has access to "groupA" but not "groupB", then he can issue the "/backport groupB/repo2" command on one of the commits in "groupA/repo1". In this case, Skara bot would create a PR that is invisible to the user.
To fix this issue, we need to verify the user's membership after we get the targetRepo. `GitLabRepository#canPush` is very helpful.
-------------
Commit messages:
- SKARA-1903
Changes: https://git.openjdk.org/skara/pull/1516/files
Webrev: https://webrevs.openjdk.org/?repo=skara&pr=1516&range=00
Issue: https://bugs.openjdk.org/browse/SKARA-1903
Stats: 20 lines in 1 file changed: 20 ins; 0 del; 0 mod
Patch: https://git.openjdk.org/skara/pull/1516.diff
Fetch: git fetch https://git.openjdk.org/skara.git pull/1516/head:pull/1516
PR: https://git.openjdk.org/skara/pull/1516
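
The access problem described in this message, as an added example that is not part of the original mail and is not Skara's code: a bot acting with its own broad credentials has to authorize the command issuer against the target repository before creating anything there. The types, the `BOT_VISIBLE` map, the user names and the reply strings are hypothetical; only the `canPush` name and the groupA/groupB scenario come from the message.

```java
import java.util.*;

// Constructed model of the issue; none of these types are Skara's own classes.
public class BackportAccessCheck {
    // A repository lives under a group; only group members can see or push to it.
    record Repo(String group, String name, Set<String> groupMembers) {
        boolean canPush(String user) { return groupMembers.contains(user); }
        String path() { return group + "/" + name; }
    }

    // The bot's own account can reach every repository it is configured for.
    static final Map<String, Repo> BOT_VISIBLE = new HashMap<>();

    // Before the fix: the requester is never consulted, so the bot's access decides.
    static String backportUnchecked(String user, String target) {
        Repo targetRepo = BOT_VISIBLE.get(target);
        if (targetRepo == null) return "error: unknown repository " + target;
        return "created PR in " + targetRepo.path();
    }

    // After the fix: once targetRepo is resolved, check the requester's access to it.
    static String backportChecked(String user, String target) {
        Repo targetRepo = BOT_VISIBLE.get(target);
        if (targetRepo == null) return "error: unknown repository " + target;
        if (!targetRepo.canPush(user)) {
            return "error: @" + user + " does not have access to " + targetRepo.path();
        }
        return "created PR in " + targetRepo.path();
    }

    public static void main(String[] args) {
        // Constructed sample data: alice is a member of groupA only, bob of both groups.
        BOT_VISIBLE.put("groupA/repo1", new Repo("groupA", "repo1", Set.of("alice", "bob")));
        BOT_VISIBLE.put("groupB/repo2", new Repo("groupB", "repo2", Set.of("bob")));

        // alice comments "/backport groupB/repo2" on a commit in groupA/repo1.
        System.out.println(backportUnchecked("alice", "groupB/repo2")); // PR she cannot see
        System.out.println(backportChecked("alice", "groupB/repo2"));   // request refused
        System.out.println(backportChecked("bob", "groupB/repo2"));     // member, allowed
    }
}
```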