legacy api: check private job ownership everywhere
This commit is contained in:
parent
6fe759ae2d
commit
4d5a076cd5
|
@ -8,7 +8,7 @@ from srht.validation import Validation
|
|||
from srht.oauth import oauth, current_token
|
||||
from buildsrht.runner import requires_payment
|
||||
from buildsrht.types import Artifact, Job, JobStatus, Task, JobGroup
|
||||
from buildsrht.types import Trigger, TriggerType, TriggerCondition
|
||||
from buildsrht.types import Visibility, Trigger, TriggerType, TriggerCondition
|
||||
from buildsrht.manifest import Manifest
|
||||
import sqlalchemy as sa
|
||||
import json
|
||||
|
@ -109,7 +109,8 @@ def jobs_by_id_GET(job_id):
|
|||
job = Job.query.filter(Job.id == job_id).options(sa.orm.joinedload(Job.tasks)).first()
|
||||
if not job:
|
||||
abort(404)
|
||||
# TODO: ACLs
|
||||
if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
|
||||
abort(404) # TODO: ACLs
|
||||
return job.to_dict()
|
||||
|
||||
@api.route("/api/jobs/<int:job_id>/artifacts")
|
||||
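Review bot: The new guard dereferences `current_token.user_id` unconditionally, so if this route can be reached without a bearer token (current_token unset), a request for a private job would raise an AttributeError and answer 500 instead of the intended 404; the decorator that decides that is above the hunk. If the route's oauth decorator guarantees a token, a one-line comment saying so spares the next reader the check: `# current_token is guaranteed by the route's oauth decorator`. Otherwise make the guard tolerate a missing token: `if job.visibility == Visibility.PRIVATE and (current_token is None or job.owner_id != current_token.user_id):`. Answering 404 rather than 403 is the right choice here, since it avoids confirming that a private job id exists. jobs_by_id_GET starts before the hunk.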
|
@ -118,15 +119,18 @@ def artifacts_by_job_id_GET(job_id):
|
|||
job = Job.query.filter(Job.id == job_id).first()
|
||||
if not job:
|
||||
abort(404)
|
||||
if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
|
||||
abort(404) # TODO: ACLs
|
||||
artifacts = Artifact.query.filter(Artifact.job_id == job.id)
|
||||
return paginated_response(Artifact.id, artifacts)
|
||||
|
||||
@api.route("/api/jobs/<int:job_id>/manifest")
|
||||
def jobs_by_id_manifest_GET(job_id):
|
||||
# TODO: ACLs
|
||||
job = Job.query.filter(Job.id == job_id).first()
|
||||
if not job:
|
||||
abort(404)
|
||||
if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
|
||||
abort(404) # TODO: ACLs
|
||||
return Response(job.manifest, content_type="text/plain")
|
||||
|
||||
@api.route("/api/jobs/<int:job_id>/start", methods=["POST"])
|
||||
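Review bot: The same two-line visibility check is now pasted verbatim into artifacts_by_job_id_GET and jobs_by_id_manifest_GET (and into jobs_by_id_GET in the previous hunk), each with its own `# TODO: ACLs`; when real ACLs land, three copies are three places to forget. A small private helper keeps the 404-on-private policy in one place and gives the non-obvious choice of 404 over 403 a home for its explanation. Both call sites become a single `_abort_unless_visible(job)` line after the existing `abort(404)` for a missing job. jobs_by_id_start_POST begins at the end of this hunk and its body continues outside it.
```python
def _abort_unless_visible(job):
    """Abort 404 (not 403) for a private job the token's user does not own, so a guessed id does not confirm existence."""
    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
        abort(404)  # TODO: ACLs

# … unchanged: artifacts_by_job_id_GET lookup and 404 for a missing job …
    _abort_unless_visible(job)
# … unchanged: artifacts query and paginated_response …
# … unchanged: jobs_by_id_manifest_GET lookup and 404 for a missing job …
    _abort_unless_visible(job)
# … unchanged: manifest Response …
```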
|
@ -135,8 +139,7 @@ def jobs_by_id_start_POST(job_id):
|
|||
job = Job.query.filter(Job.id == job_id).first()
|
||||
if not job:
|
||||
abort(404)
|
||||
if job.owner_id != current_token.user_id:
|
||||
abort(401) # TODO: ACLs
|
||||
# ACLs checked in GraphQL
|
||||
if job.status != JobStatus.pending:
|
||||
reason_map = {
|
||||
JobStatus.queued: "queued",
|
||||
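Review bot: Dropping the owner check leaves the `job.status != JobStatus.pending` branch, which replies with a status-specific reason, reachable for any job id by any token holder, including private jobs that the other routes in this commit hide behind a 404; the GraphQL call that now carries the ACL check is outside the hunk and, going by the order of the visible lines, runs after this branch. A caller who may not see a private job can therefore still learn whether it is pending, queued or running. The visibility guard used in jobs_by_id_GET belongs before the status check: `if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:` followed by `abort(404)`. jobs_by_id_start_POST starts before the hunk and its body continues past it.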
|
@ -163,7 +166,7 @@ def jobs_by_id_cancel_POST(job_id):
|
|||
if not job:
|
||||
abort(404)
|
||||
if job.owner_id != current_token.user_id:
|
||||
abort(401)
|
||||
abort(404)
|
||||
requests.post(f"http://{job.runner}/job/{job.id}/cancel")
|
||||
return { }
|
||||
|
||||
|
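Review bot: This route keeps a hard owner check while the start route in the same commit removes its check in favour of GraphQL; since cancel posts straight to the runner on the following line, there appears to be no GraphQL layer to enforce ACLs here, and a comment recording that would stop a later consistency cleanup from removing the check: `# Owner-only: this route calls the runner directly, so no GraphQL ACL check applies.` Switching the non-owner response from 401 to 404 matches the read-only routes and avoids confirming that the job exists. jobs_by_id_cancel_POST starts before the hunk.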
|