RFR: 1903: Verify User's repository access when processing backport command [v4]

Erik Joelsson erikj at openjdk.org
Wed May 10 13:06:43 UTC 2023


On Tue, 9 May 2023 22:59:02 GMT, Zhao Song <zsong at openjdk.org> wrote:

>> In GitLab, every project is under a group. If a user doesn't have access to the group, then the user will not be able to see any project under the group.
>> 
>> However, when processing the backport command, the bot will not verify the user's group membership, so it is possible for the bot to create a pull request that is invisible to the user.
>> 
>> For example, if a user has access to "groupA" but not "groupB", then he can issue the "/backport groupB/repo2" command on one of the commits in "groupA/repo1". In this case, the Skara bot would create a PR that is invisible to the user.
>> 
>> To fix this issue, we need to verify the user's membership after we get the targetRepo. `GitLabRepository#canPush` is very helpful.
>
> Zhao Song has updated the pull request incrementally with one additional commit since the last revision:
> 
>   rename method

Marked as reviewed by erikj (Lead).

-------------

PR Review: https://git.openjdk.org/skara/pull/1516#pullrequestreview-1420599000
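The access check the quoted description calls for, as an added illustration that is not Skara's own code: the forge types, the in-memory repository lookup and the user/group data are hypothetical, simplified stand-ins, and only the `canPush` check on the resolved target repository mirrors the fix being reviewed.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Hypothetical stand-ins for the forge abstractions (not the project's real types).
interface HostUser { String username(); }

interface HostedRepository {
    String fullName();                // e.g. "groupB/repo2"
    boolean canPush(HostUser user);   // true only if the user has push access to this repository
}

final class BackportCommand {
    private final Map<String, HostedRepository> forgeLookup;   // the bot's view of the forge

    BackportCommand(Map<String, HostedRepository> forgeLookup) { this.forgeLookup = forgeLookup; }

    /** Handles "/backport group/repo" issued on a commit; returns the reply the bot would post. */
    String handle(HostUser author, String targetSpec) {
        Optional<HostedRepository> target = Optional.ofNullable(forgeLookup.get(targetSpec));
        if (target.isEmpty()) {
            return "Could not find target repository `" + targetSpec + "`.";
        }
        // The bot resolves the target with its own credentials, so a successful lookup says
        // nothing about the author's access. Verify the author's access to the *target*
        // repository before creating anything; without this check the bot would open a PR
        // in a group the author cannot see.
        if (!target.get().canPush(author)) {
            return "@" + author.username() + " does not have access to `" + targetSpec + "`; no backport created.";
        }
        return "Backport PR created in `" + target.get().fullName() + "` for @" + author.username() + ".";
    }

    // Constructed demo data: the user is a member of groupA only.
    static HostedRepository repo(String name, Set<String> members) {
        return new HostedRepository() {
            public String fullName() { return name; }
            public boolean canPush(HostUser u) { return members.contains(u.username()); }
        };
    }

    public static void main(String[] args) {
        HostUser user = () -> "user";
        BackportCommand cmd = new BackportCommand(Map.of(
            "groupA/repo1", repo("groupA/repo1", Set.of("user")),
            "groupB/repo2", repo("groupB/repo2", Set.of("someone-else"))));
        System.out.println(cmd.handle(user, "groupA/repo1"));  // allowed: member of groupA
        System.out.println(cmd.handle(user, "groupB/repo2"));  // refused: no access to groupB
    }
}
```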
