From 15d016eb704a04d2821f3b8a955ba67f76afb6c5 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Mon, 15 Aug 2022 14:49:34 -0700
Subject: [PATCH] fix: secure access to comment edits to user who owns the comment

Found along with the previous commit to be a security hole in our implementation. This commit resolves an issue regarding comment editing.

Signed-off-by: Kevin Morris
---
 aurweb/routers/pkgbase.py | 2 ++
 test/test_pkgbase_routes.py | 16 ++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/aurweb/routers/pkgbase.py b/aurweb/routers/pkgbase.py
index 1bca5ea3..c735f474 100644
--- a/aurweb/routers/pkgbase.py
+++ b/aurweb/routers/pkgbase.py
@@ -286,6 +286,8 @@ async def pkgbase_comment_post(
     if not comment:
         raise HTTPException(status_code=HTTPStatus.BAD_REQUEST)
+    elif request.user.ID != db_comment.UsersID:
+        raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED)
 
     # If the provided comment is different than the record's version,
     # update the db record.
diff --git a/test/test_pkgbase_routes.py b/test/test_pkgbase_routes.py
index 5c44ea47..f6bcf5d7 100644
--- a/test/test_pkgbase_routes.py
+++ b/test/test_pkgbase_routes.py
@@ -467,6 +467,22 @@ def test_pkgbase_comments(client: TestClient, maintainer: User, user: User,
     assert "form" in data
 
 
+def test_pkgbase_comment_edit_unauthorized(client: TestClient,
+                                          user: User,
+                                          maintainer: User,
+                                          package: Package,
+                                          comment: PackageComment):
+    pkgbase = package.PackageBase
+
+    cookies = {"AURSID": maintainer.login(Request(), "testPassword")}
+    with client as request:
+        endp = f"/pkgbase/{pkgbase.Name}/comments/{comment.ID}"
+        response = request.post(endp, data={
+            "comment": "abcd im trying to change this comment."
+        }, cookies=cookies)
+        assert response.status_code == HTTPStatus.UNAUTHORIZED
+
+
 def test_pkgbase_comment_delete(client: TestClient, maintainer: User, user: User,
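Review bot: The added guard answers 401 UNAUTHORIZED to a caller who is already authenticated but is not the comment's author; 401 means "no valid credentials" and can push clients into a re-login loop, so 403 is the accurate status here: `raise HTTPException(status_code=HTTPStatus.FORBIDDEN)`. The ownership check is also only reached after `if not comment` passes, so a non-owner who posts an empty body gets a 400 instead of the permission error; evaluating ownership before input validation keeps the response independent of the payload. The comparison is a strict ID equality, so if privileged roles are meant to be able to edit other users' comments through the project's credential helper, this would lock them out — worth confirming against the permission check the edit form itself uses. pkgbase_comment_post, including where `db_comment` and `comment` are bound, starts outside the hunk.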
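Review bot: The test pins only the status code, so a handler that returned 401 yet still persisted the edit would pass; add `assert comment.Comments != "abcd im trying to change this comment."` after the status assertion (refreshing the record first if the session requires it) to confirm the row was left untouched. The `user: User` fixture parameter is unused, and the comment fixture's author is not visible here, so the test silently relies on that author not being `maintainer` — a one-line note such as `# the comment fixture is authored by user, not maintainer` would make the assumption explicit, assuming it holds. An unauthenticated POST with no AURSID cookie is a second negative case worth covering against the same endpoint. The neighbouring test functions extend outside the hunk.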