legacy api: check private job ownership everywhere

2023-11-22 16:30:10 +01:00 · 2023-11-22 16:30:10 +01:00 · 4d5a076cd5
parent 6fe759ae2d
commit 4d5a076cd5
1 changed files with 9 additions and 6 deletions
--- a/buildsrht/blueprints/api.py
+++ b/buildsrht/blueprints/api.py
@ -8,7 +8,7 @@ from srht.validation import Validation
 from srht.oauth import oauth, current_token
 from buildsrht.runner import requires_payment
 from buildsrht.types import Artifact, Job, JobStatus, Task, JobGroup
-from buildsrht.types import Trigger, TriggerType, TriggerCondition
+from buildsrht.types import Visibility, Trigger, TriggerType, TriggerCondition
 from buildsrht.manifest import Manifest
 import sqlalchemy as sa
 import json
@ -109,7 +109,8 @@ def jobs_by_id_GET(job_id):
    job = Job.query.filter(Job.id == job_id).options(sa.orm.joinedload(Job.tasks)).first()
    if not job:
        abort(404)
-    # TODO: ACLs
+    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
+        abort(404) # TODO: ACLs
    return job.to_dict()

@api.route("/api/jobs/<int:job_id>/artifacts")
@ -118,15 +119,18 @@ def artifacts_by_job_id_GET(job_id):
    job = Job.query.filter(Job.id == job_id).first()
    if not job:
        abort(404)
+    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
+        abort(404) # TODO: ACLs
    artifacts = Artifact.query.filter(Artifact.job_id == job.id)
    return paginated_response(Artifact.id, artifacts)

@api.route("/api/jobs/<int:job_id>/manifest")
 def jobs_by_id_manifest_GET(job_id):
-    # TODO: ACLs
    job = Job.query.filter(Job.id == job_id).first()
    if not job:
        abort(404)
+    if job.visibility == Visibility.PRIVATE and job.owner_id != current_token.user_id:
+        abort(404) # TODO: ACLs
    return Response(job.manifest, content_type="text/plain")

@api.route("/api/jobs/<int:job_id>/start", methods=["POST"])
@ -135,8 +139,7 @@ def jobs_by_id_start_POST(job_id):
    job = Job.query.filter(Job.id == job_id).first()
    if not job:
        abort(404)
-    if job.owner_id != current_token.user_id:
-        abort(401) # TODO: ACLs
+    # ACLs checked in GraphQL
    if job.status != JobStatus.pending:
        reason_map = {
            JobStatus.queued: "queued",
@ -163,7 +166,7 @@ def jobs_by_id_cancel_POST(job_id):
    if not job:
        abort(404)
    if job.owner_id != current_token.user_id:
-        abort(401)
+        abort(404)
    requests.post(f"http://{job.runner}/job/{job.id}/cancel")
    return { }