Restrict webhooks to trusted users

rubenwardy 2020-01-25 00:04:56 +00:00
parent e12aec4ccd
commit 493917d8b1
2 changed files with 13 additions and 5 deletions

@ -23,7 +23,7 @@ from flask_user import current_user, login_required
from sqlalchemy import func from sqlalchemy import func
from flask_github import GitHub from flask_github import GitHub
from app import github, csrf from app import github, csrf
from app.models import db, User, APIToken, Package from app.models import db, User, APIToken, Package, Permission
from app.utils import loginUser, randomString from app.utils import loginUser, randomString
from app.blueprints.api.support import error, handleCreateRelease from app.blueprints.api.support import error, handleCreateRelease
import hmac, requests, json import hmac, requests, json
@ -114,6 +114,9 @@ def webhook():
if actual_token is None: if actual_token is None:
return error(403, "Invalid authentication") return error(403, "Invalid authentication")
if not package.checkPerm(actual_token.owner, Permission.APPROVE_RELEASE):
return error(403, "Only trusted members can use webhooks")
# #
# Check event # Check event
# #
@ -163,6 +166,10 @@ def setup_webhook():
if package is None: if package is None:
abort(404) abort(404)
if not package.checkPerm(current_user, Permission.APPROVE_RELEASE):
flash("Only trusted members can use webhooks", "danger")
return redirect(package.getDetailsURL())
gh_user, gh_repo = package.getGitHubFullName() gh_user, gh_repo = package.getGitHubFullName()
if gh_user is None or gh_repo is None: if gh_user is None or gh_repo is None:
flash("Unable to get Github full name from repo address", "danger") flash("Unable to get Github full name from repo address", "danger")
@ -207,15 +214,16 @@ def setup_webhook():
db.session.commit() db.session.commit()
return redirect(package.getDetailsURL()) return redirect(package.getDetailsURL())
elif r.status_code == 403: elif r.status_code == 401 or r.status_code == 403:
current_user.github_access_token = None current_user.github_access_token = None
db.session.commit() db.session.commit()
return github.authorize("write:repo_hook", \ return github.authorize("write:repo_hook", \
redirect_uri=url_for("github.callback_webhook", pid=pid, _external=True)) redirect_uri=url_for("github.callback_webhook", pid=pid, _external=True))
else: else:
flash("Failed to create webhook, received response from Github: " + flash("Failed to create webhook, received response from Github " +
str(r.json().get("message") or r.status_code), "danger") str(r.status_code) + ": " +
str(r.json().get("message")), "danger")
return render_template("github/setup_webhook.html", \ return render_template("github/setup_webhook.html", \
form=form, package=package) form=form, package=package)
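Review bot: The reworked flash text in the final else branch of setup_webhook prints the literal `None` when GitHub's error body has no `message` key, because the old `or r.status_code` fallback was dropped while the `str(...)` wrapper was kept; since the status code is now always included, a fallback such as `str(r.json().get("message") or "no message")` keeps the message readable. The `r.json()` call itself will raise on a non-JSON response body (an HTML error page, say), in which case the user sees an unhandled error rather than this flash; that is pre-existing, but it sits on exactly the lines being rewritten, so guarding it with a `try`/`except ValueError` around the lookup would be cheap here. Folding 401 into the 403 branch looks right, as both indicate the stored token is no longer usable. The body of setup_webhook starts outside this hunk.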

@ -364,7 +364,7 @@
</ul> </ul>
</div> </div>
{% if package.getIsOnGitHub() %} {% if package.author == current_user and package.checkPerm(current_user, "APPROVE_RELEASE") and package.getIsOnGitHub() %}
<p class="small text-centered"> <p class="small text-centered">
<a href="{{ url_for('github.setup_webhook', pid=package.id) }}"> <a href="{{ url_for('github.setup_webhook', pid=package.id) }}">
Set up a webhook Set up a webhook