ami/tl-vikunja
1
0
Fork 0
Code

fix(projects): properly check if a user or link share is allowed to create a new project

Browse Source
This commit is contained in:
kolaente 2023-01-12 16:49:52 +01:00
parent 03eb4ecd07
commit 154ac61d7c
No known key found for this signature in database
GPG Key ID: F40E70337AB24C9B
2 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/integrations/link_sharing_test.go
View File

@ -276,7 +276,7 @@ func TestLinkSharing(t *testing.T) {
// Creating a project should always be forbidden // Creating a project should always be forbidden
t.Run("Create", func(t *testing.T) { t.Run("Create", func(t *testing.T) {
t.Run("Nonexisting", func(t *testing.T) { t.Run("Nonexisting", func(t *testing.T) {
_, err := testHandlerProjectReadOnly.testCreateWithLinkShare(nil, map[string]string{"namespace": "999999"}, `{"title":"Lorem"}`) _, err := testHandlerProjectReadOnly.testCreateWithLinkShare(nil, nil, `{"title":"Lorem"}`)
assert.Error(t, err) assert.Error(t, err)
assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`) assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
}) })

11
pkg/models/project_rights.go
View File

@ -161,7 +161,16 @@ func (p *Project) CanDelete(s *xorm.Session, a web.Auth) (bool, error) {
// CanCreate checks if the user can create a project // CanCreate checks if the user can create a project
func (p *Project) CanCreate(s *xorm.Session, a web.Auth) (bool, error) { func (p *Project) CanCreate(s *xorm.Session, a web.Auth) (bool, error) {
return p.CanWrite(s, a) if p.ParentProjectID != 0 {
parent := &Project{ID: p.ParentProjectID}
return parent.CanWrite(s, a)
}
// Check if we're dealing with a share auth
_, is := a.(*LinkSharing)
if is {
return false, nil
}
return true, nil
} }
// IsAdmin returns whether the user has admin rights on the project or not // IsAdmin returns whether the user has admin rights on the project or not