From 289d980dadd36ad8bd97417e66d19f1329e7a1e7 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: May 09 2017 02:13:15 +0000
Subject: Some more checks in the API regarding who is allowed to do what.


Rename _check_issue_access_repo_commiter to _check_private_issue_access
since this is what the method does, it checks only for private issue if
the user has enough rights to access it.

Create a _check_ticket_access which is used in some of the endpoints to
ensure the user either has commit access if the ticket is private or has
ticket access if the ticket is public.

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

---

diff --git a/pagure/api/issue.py b/pagure/api/issue.py
index 58f934e..865856b 100644
--- a/pagure/api/issue.py
+++ b/pagure/api/issue.py
@@ -18,7 +18,8 @@ import pagure.exceptions
 import pagure.lib
 
 from pagure import (
-    APP, SESSION, is_repo_committer, api_authenticated, urlpattern
+    APP, SESSION, is_repo_committer, api_authenticated,
+    urlpattern, is_repo_user
 )
 from pagure.api import (
     API, api_method, api_login_required, api_login_optional, APIERROR
@@ -87,7 +88,7 @@ def _get_issue(repo, issueid, issueuid=None):
     return issue
 
 
-def _check_issue_access_repo_commiter(issue):
+def _check_private_issue_access(issue):
     """Check if user can access issue. Must be repo commiter
     or author to see private issues.
     :param issue: issue object
@@ -105,6 +106,20 @@ def _check_issue_access_repo_commiter(issue):
             403, error_code=APIERROR.EISSUENOTALLOWED)
 
 
+def _check_ticket_access(issue):
+    """Check if user can access issue. Must be repo commiter
+    or author to see private issues.
+    :param issue: issue object
+    :raises pagure.exceptions.APIError: when access denied
+    """
+    # Private tickets require commit access
+    _check_private_issue_access(issue)
+    # Public tickets require ticket access
+    if not is_repo_user(issue.project):
+        raise pagure.exceptions.APIError(
+            403, error_code=APIERROR.EISSUENOTALLOWED)
+
+
 @API.route('/<repo>/new_issue', methods=['POST'])
 @API.route('/<namespace>/<repo>/new_issue', methods=['POST'])
 @API.route('/fork/<username>/<repo>/new_issue', methods=['POST'])
@@ -526,7 +541,7 @@ def api_view_issue(repo, issueid, username=None, namespace=None):
         issue_uid = issueid
 
     issue = _get_issue(repo, issue_id, issueuid=issue_uid)
-    _check_issue_access_repo_commiter(issue)
+    _check_private_issue_access(issue)
 
     jsonout = flask.jsonify(
         issue.to_json(public=True, with_comments=comments))
@@ -593,7 +608,7 @@ def api_view_issue_comment(
         issue_uid = issueid
 
     issue = _get_issue(repo, issue_id, issueuid=issue_uid)
-    _check_issue_access_repo_commiter(issue)
+    _check_private_issue_access(issue)
 
     comment = pagure.lib.get_issue_comment(SESSION, issue.uid, commentid)
     if not comment:
@@ -665,7 +680,7 @@ def api_change_status_issue(repo, issueid, username=None, namespace=None):
     _check_token(repo)
 
     issue = _get_issue(repo, issueid)
-    _check_issue_access_repo_commiter(issue)
+    _check_ticket_access(issue)
 
     status = pagure.lib.get_issue_statuses(SESSION)
     form = pagure.forms.StatusForm(
@@ -673,6 +688,11 @@ def api_change_status_issue(repo, issueid, username=None, namespace=None):
         close_status=repo.close_status,
         csrf_enabled=False)
 
+    if not pagure.is_repo_user(repo) \
+            and flask.g.fas_user.username != issue.user.user:
+        raise pagure.exceptions.APIError(
+            403, error_code=APIERROR.EISSUENOTALLOWED)
+
     close_status = None
     if form.close_status.raw_data:
         close_status = form.close_status.data
@@ -778,7 +798,7 @@ def api_change_milestone_issue(repo, issueid, username=None, namespace=None):
     _check_token(repo)
 
     issue = _get_issue(repo, issueid)
-    _check_issue_access_repo_commiter(issue)
+    _check_ticket_access(issue)
 
     form = pagure.forms.MilestoneForm(
         milestones=repo.milestones.keys(),
@@ -877,7 +897,7 @@ def api_comment_issue(repo, issueid, username=None, namespace=None):
     _check_token(repo, project_token=False)
 
     issue = _get_issue(repo, issueid)
-    _check_issue_access_repo_commiter(issue)
+    _check_private_issue_access(issue)
 
     form = pagure.forms.CommentForm(csrf_enabled=False)
     if form.validate_on_submit():
@@ -957,7 +977,7 @@ def api_assign_issue(repo, issueid, username=None, namespace=None):
     _check_token(repo)
 
     issue = _get_issue(repo, issueid)
-    _check_issue_access_repo_commiter(issue)
+    _check_ticket_access(issue)
 
     form = pagure.forms.AssignIssueForm(csrf_enabled=False)
     if form.validate_on_submit():
@@ -1055,7 +1075,7 @@ def api_subscribe_issue(repo, issueid, username=None, namespace=None):
     _check_token(repo)
 
     issue = _get_issue(repo, issueid)
-    _check_issue_access_repo_commiter(issue)
+    _check_private_issue_access(issue)
 
     form = pagure.forms.SubscribtionForm(csrf_enabled=False)
     if form.validate_on_submit():
@@ -1138,7 +1158,7 @@ def api_update_custom_field(
     _check_token(repo)
 
     issue = _get_issue(repo, issueid)
-    _check_issue_access_repo_commiter(issue)
+    _check_ticket_access(issue)
 
     fields = {k.name: k for k in repo.issue_keys}
     if field not in fields: