fix: secure access to comment edits to user who owns the comment

Found along with the previous commit to be a security hole in our implementation. This commit resolves an issue regarding comment editing. Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2022-08-15 14:49:34 -07:00 · 2022-08-15 14:49:34 -07:00 · 15d016eb70
commit 15d016eb70
parent 7a52da5587
2 changed files with 18 additions and 0 deletions
--- a/aurweb/routers/pkgbase.py
+++ b/aurweb/routers/pkgbase.py
@ -286,6 +286,8 @@ async def pkgbase_comment_post(

    if not comment:
        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST)
+    elif request.user.ID != db_comment.UsersID:
+        raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED)

    # If the provided comment is different than the record's version,
    # update the db record.
--- a/test/test_pkgbase_routes.py
+++ b/test/test_pkgbase_routes.py
@ -467,6 +467,22 @@ def test_pkgbase_comments(client: TestClient, maintainer: User, user: User,
    assert "form" in data


+def test_pkgbase_comment_edit_unauthorized(client: TestClient,
+                                           user: User,
+                                           maintainer: User,
+                                           package: Package,
+                                           comment: PackageComment):
+    pkgbase = package.PackageBase
+
+    cookies = {"AURSID": maintainer.login(Request(), "testPassword")}
+    with client as request:
+        endp = f"/pkgbase/{pkgbase.Name}/comments/{comment.ID}"
+        response = request.post(endp, data={
+            "comment": "abcd im trying to change this comment."
+        }, cookies=cookies)
+    assert response.status_code == HTTPStatus.UNAUTHORIZED
+
+
 def test_pkgbase_comment_delete(client: TestClient,
                                maintainer: User,
                                user: User,