Support NO_AUTH changing owner in patch method

2026-04-07 20:58:27 +08:00 · 2017-03-30 12:21:01 +02:00
parent 0753c6be2d
commit dcba6c8995
2 changed files with 41 additions and 6 deletions
--- a/module_build_service/views.py
+++ b/module_build_service/views.py
@@ -114,6 +114,18 @@ class ModuleBuildAPI(MethodView):
    def patch(self, id):
        username, groups = module_build_service.auth.get_user(request)

+        try:
+            r = json.loads(request.get_data().decode("utf-8"))
+        except:
+            log.error('Invalid JSON submitted')
+            raise ValidationError('Invalid JSON submitted')
+
+        if "owner" in r:
+            if conf.no_auth is not True:
+                raise ValidationError("The request contains 'owner' parameter, however NO_AUTH is not allowed")
+            elif username == "anonymous":
+                username = r["owner"]
+
        if conf.allowed_groups and not (conf.allowed_groups & groups):
            raise Forbidden("%s is not in any of  %r, only %r" % (
                username, conf.allowed_groups, groups))
@@ -126,12 +138,6 @@ class ModuleBuildAPI(MethodView):
            raise Forbidden('You are not owner of this build and '
                            'therefore cannot modify it.')

-        try:
-            r = json.loads(request.get_data().decode("utf-8"))
-        except:
-            log.error('Invalid JSON submitted')
-            raise ValidationError('Invalid JSON submitted')
-
        if not r.get('state'):
            log.error('Invalid JSON submitted')
            raise ValidationError('Invalid JSON submitted')
--- a/tests/test_views/test_views.py
+++ b/tests/test_views/test_views.py
@@ -668,3 +668,32 @@ class TestViews(unittest.TestCase):

        build = ModuleBuild.query.filter(ModuleBuild.id == result['id']).one()
        self.assertTrue(build.owner == result['owner'] == 'foo')
+
+    @patch('module_build_service.auth.get_user', return_value=anonymous_user)
+    @patch('module_build_service.scm.SCM')
+    @patch("module_build_service.config.Config.no_auth", new_callable=PropertyMock)
+    def test_patch_set_different_owner(self, mocked_no_auth, mocked_scm, mocked_get_user):
+        MockedSCM(mocked_scm, 'testmodule', 'testmodule.yaml',
+                  '620ec77321b2ea7b0d67d82992dda3e1d67055b4')
+
+        mocked_no_auth.return_value = True
+        data = {
+            'branch': 'master',
+            'scmurl': 'git://pkgs.stg.fedoraproject.org/modules/'
+                      'testmodule.git?#68931c90de214d9d13feefbd35246a81b6cb8d49',
+            'owner': 'foo',
+        }
+        rv = self.client.post('/module-build-service/1/module-builds/', data=json.dumps(data))
+        r1 = json.loads(rv.data)
+
+        url = '/module-build-service/1/module-builds/' + str(r1['id'])
+        r2 = self.client.patch(url, data=json.dumps({'state': 'failed'}))
+        self.assertEquals(r2.status_code, 403)
+
+        r3 = self.client.patch(url, data=json.dumps({'state': 'failed', 'owner': 'foo'}))
+        self.assertEquals(r3.status_code, 200)
+
+        mocked_no_auth.return_value = False
+        r3 = self.client.patch(url, data=json.dumps({'state': 'failed', 'owner': 'foo'}))
+        self.assertEquals(r3.status_code, 400)
+        self.assertIn("The request contains 'owner' parameter", json.loads(r3.data)['message'])