RFR: 1903: Verify User's group membership when processing backport command [v2]

Zhao Song zsong at openjdk.org
Tue May 9 22:18:20 UTC 2023


> In GitLab, every project is under a group. If a user doesn't have access to the group, then the user will not be able to see any project under the group. 
> 
> However, when processing a backport command, the bot will not verify the user's group membership, so that it's possible for the bot to create a pull request that is invisible to the user.
> 
> For example, if a user has access to "groupA" but not "groupB", then he can issue the "/backport groupB/repo2" command on one of the commits in "groupA/repo1". In this case, Skara bot would create a PR that is invisible to the user.
> 
> To fix this issue, we need to verify the user's membership after we get the targetRepo. `GitLabRepository#canPush` is very helpful.

Zhao Song has updated the pull request incrementally with one additional commit since the last revision:

  Update bots/pr/src/main/java/org/openjdk/skara/bots/pr/BackportCommand.java
  
  Co-authored-by: Erik Joelsson <37597443+erikj79 at users.noreply.github.com>

-------------

Changes:
  - all: https://git.openjdk.org/skara/pull/1516/files
  - new: https://git.openjdk.org/skara/pull/1516/files/88f81e3c..0bb6a3a6

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=skara&pr=1516&range=01
 - incr: https://webrevs.openjdk.org/?repo=skara&pr=1516&range=00-01

  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.org/skara/pull/1516.diff
  Fetch: git fetch https://git.openjdk.org/skara.git pull/1516/head:pull/1516

PR: https://git.openjdk.org/skara/pull/1516
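
The access gap described in the quoted PR text, shown as an added example that is not Skara's code: a bot that acts with its own credentials has to check the requesting user's access to the target repository before creating anything there. The `Repo` record, the user names and the reply strings are hypothetical; `canPush` only borrows the name of the method mentioned above, and the repository names follow the example in the description.

```java
import java.util.Map;
import java.util.Set;

public class BackportAccessCheck {
    // Hypothetical stand-in for a hosted repository. Group membership is
    // modelled as a plain set of user names (constructed sample data).
    record Repo(String name, Set<String> groupMembers) {
        boolean canPush(String user) {
            return groupMembers.contains(user);
        }
    }

    static final Map<String, Repo> REPOS = Map.of(
            "groupA/repo1", new Repo("groupA/repo1", Set.of("alice", "bob")),
            "groupB/repo2", new Repo("groupB/repo2", Set.of("bob")));

    // Before the fix: the bot resolves the target with its own access and
    // never asks whether the requesting user can see that repository.
    static String backportUnchecked(String user, String target) {
        Repo repo = REPOS.get(target);
        if (repo == null) {
            return "error: unknown repository " + target;
        }
        return "created backport PR in " + repo.name();
    }

    // After the fix: the user's access is verified once the target
    // repository has been resolved. Assumption of this example: the reply is
    // the same for "missing" and "no access", so the bot does not confirm
    // the existence of repositories the user cannot see.
    static String backportChecked(String user, String target) {
        Repo repo = REPOS.get(target);
        if (repo == null || !repo.canPush(user)) {
            return "error: " + target + " does not exist or @" + user
                    + " has no access to it";
        }
        return "created backport PR in " + repo.name();
    }

    public static void main(String[] args) {
        // alice is in groupA only and issues "/backport groupB/repo2"
        System.out.println(backportUnchecked("alice", "groupB/repo2"));
        System.out.println(backportChecked("alice", "groupB/repo2"));
        // bob is in both groups, so the checked path still works for him
        System.out.println(backportChecked("bob", "groupB/repo2"));
    }
}
```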

