Acl hacks

https://phabricator.apertis.org/T5645

Permit private (access-disabled) projects to be used by other projects for build dependencies.

  • Other private projects need no special permissions
  • Public (access-enabled) projects must be whitelisted by the private project
    • This is via an in the private project's meta config
  • Users with read permission for a public project but not for a project it depends on may view the public project's meta config but will not be able to (safely) save it.

    • Other private projects need no special permissions

    I've not checked the code at all, but that sounds a bit too open with my uninformed interpretation. What does prevent unauthorized people from creating private repositories to gain access to another private repository?

  • You can't add a project to your dependencies unless you already have read access to that project (at least not through the web UI).

    I haven't checked whether you can do it through osc (which I agree would make this too open).

    If it does work through osc, we can shut down that access permission and allow strict whitelisting only for hidden projects (I think it's a further one-line change from what I can see - it is pre-existing behaviour though).

  • Ok, the osc behaviour is a little strange. It seems to prevent people with access to the hidden project from seeing the full meta config of the public one (hiding the secret project). It does allow full view of the hidden project (to authorised users).

    Digging into what's going on because I find this quite strange.

  • Ok, looks like there are code paths that still need some attention to close off some loopholes. Digging into them.

  • Ok, there's a cosmetic/info leak problem with the osc meta related code paths (the cache is global but different users now have slightly different views of the xml meta config) - disabling the cache for this code path is easy (once you know it needs to be done). Patch to follow shortly.

    Once that's done you can't get at a project you don't have read access to, not even by tweaking the meta config. Attempting to do so will result in a 404 error from osc or a similar error in the web ui.

  • added 1 commit

    • 4a9a792c - Invalidate the rails cache for project meta xml in show_project_meta

  • merged

  • Andrew Lee mentioned in commit 2d3e28c3
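
The cache problem discussed in the thread (one global cache entry while different users get different views of the meta XML), as an added Ruby example that is not code from this merge request or from OBS. All names, the sample projects and the simplified XML are constructed for illustration.

```ruby
# Added illustration; every name here is hypothetical, not OBS code.
Project = Struct.new(:name, :hidden, :readers, :deps)

# Constructed sample data: a public project depending on a hidden one.
PROJECTS = {
  "secret:base" => Project.new("secret:base", true, ["alice"], []),
  "public:app"  => Project.new("public:app", false, [], ["secret:base"])
}.freeze

def can_read?(user, project)
  !project.hidden || project.readers.include?(user)
end

# Render the meta XML as `user` may see it: dependencies on projects the
# user cannot read are left out; an unreadable project is a 404.
def render_meta(name, user)
  project = PROJECTS[name]
  return "404" if project.nil? || !can_read?(user, project)
  paths = project.deps
                 .select { |dep| can_read?(user, PROJECTS.fetch(dep)) }
                 .map { |dep| %(  <path project="#{dep}"/>\n) }.join
  %(<project name="#{name}">\n#{paths}</project>\n)
end

META_CACHE = {}

# Before: cache keyed by project name only, so whichever view was rendered
# first is served to every later user.
def show_meta_cached(name, user)
  return "404" unless PROJECTS[name] && can_read?(user, PROJECTS[name])
  META_CACHE[name] ||= render_meta(name, user)
end

# After: no shared cache on this path; each request is rendered for its user.
def show_meta_uncached(name, user)
  render_meta(name, user)
end

if __FILE__ == $PROGRAM_NAME
  show_meta_cached("public:app", "alice")          # alice warms the cache
  puts show_meta_cached("public:app", "bob")       # bob is shown secret:base
  puts show_meta_uncached("public:app", "bob")     # dependency filtered out
  puts show_meta_uncached("secret:base", "bob")    # 404
end
```

If the cache is warmed by a user without access instead, authorised users are served the filtered view, which matches the osc behaviour noted earlier in the thread.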