Commit 7bb95b09 authored by Vivek Das Mohapatra's avatar Vivek Das Mohapatra

Use the allowbuilddep in meta config to whitelist project access

Allow projects mentioned as <allowbuilddep name="accessing-project"/>
entries in the meta config of another project to fetch build
dependencies from that project unconditionally.
parent 309e5a9e
......@@ -1729,7 +1729,8 @@ class Project < ActiveRecord::Base
target_project = Project.get_by_name(target_project_name)
# user can access tprj, but backend would refuse to take binaries from there
if target_project.class == Project && target_project.disabled_for?('access', nil, nil)
return { error: "The current backend implementation is not using binaries from read access protected projects #{target_project_name}"}
# RBEI modification to ACL logic: upstream returns an { error: "… read access protected …" } here.
logger.info "Project #{project_name} depends on restricted project #{target_project_name}"
end
end
logger.debug "Project #{project_name} repository path checked against #{target_project_name} projects permission"
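Review bot: Inside the `disabled_for?('access', nil, nil)` branch the `return { error: … }` appears to be replaced by a bare `logger.info` (the +/- markers are lost on this page, so this is read from the added comment), which means this check no longer rejects a repository path into any read-protected project, not just for projects the target lists in `allowbuilddep`. That leaves the scheduler-side `checkprpaccess` as the only enforcement point, and the user gets no feedback when the backend later refuses the binaries. I would keep the error return and skip it only when the target project's meta names `project_name` in an `allowbuilddep` entry, and record that condition in the comment, e.g. `# allowed only because the target meta lists this project in allowbuilddep`. The enclosing method starts and ends outside the hunk.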
......
......@@ -42,6 +42,19 @@ sub checkaccess {
return $access;
}
sub checkbuilddepok {
my ($gctx, $projid, $aprojid) = @_;
my $adata = $gctx->{projpacks}->{$aprojid} || {};
my $allow = $adata->{allowbuilddep} || [];
foreach my $a ( grep { ref($_) eq 'HASH' } @$allow ) {
if( $a->{name} eq $projid ) { return 1; }
}
return 0;
}
# check if every user from oprojid may access projid
sub checkroles {
my ($gctx, $type, $projid, $packid, $oprojid, $opackid) = @_;
......@@ -101,6 +114,13 @@ sub checkprpaccess {
# ok if aprp is not protected
return 1 if checkaccess($gctx, 'access', $aprojid, undef, $arepoid);
my ($projid, $repoid) = split('/', $prp, 2);
#################################################################
# this is an RBEI modification
# ok if prp has access to aprp (via allowbuilddep in project meta):
return 1 if checkbuilddepok($gctx, $projid, $aprojid);
#################################################################
# not ok if prp is unprotected
return 0 if checkaccess($gctx, 'access', $projid, undef, $repoid);
# both prp and aprp are proteced.
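Review bot: In `checkprpaccess` the new `return 1 if checkbuilddepok($gctx, $projid, $aprojid);` sits above `return 0 if checkaccess($gctx, 'access', $projid, undef, $repoid);`, so a project that is itself not access-protected can consume binaries from a protected project once it is named in `allowbuilddep`, and whatever it builds from them is then readable by anyone who can read the consumer. If that is intended, the comment should say so, e.g. `# NOTE: also grants access when prp is unprotected; results built from aprp become as visible as prp`; if not, move the `checkbuilddepok` line below the unprotected-prp check. The match is by project name only, so `$repoid` and `$arepoid` play no part in the grant. In `checkbuilddepok`, `foreach my $a (...)` shadows the sort variable `$a`; a name such as `$entry` avoids that, and `($entry->{name} // '') eq $projid` keeps an entry without a name from raising an uninitialized warning. `checkprpaccess` starts and ends outside the hunk.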
......