fix(routers.packages): restrict /pkgbase/{name}/voters to those with creds

Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2021-12-19 14:48:40 -08:00 · 2021-12-19 14:48:40 -08:00 · 22093c5c38
commit 22093c5c38
parent 0c07c14860
3 changed files with 30 additions and 8 deletions
--- a/aurweb/routers/packages.py
+++ b/aurweb/routers/packages.py
@ -254,6 +254,11 @@ async def package_base(request: Request, name: str) -> Response:
 async def package_base_voters(request: Request, name: str) -> Response:
    # Get the PackageBase.
    pkgbase = get_pkg_or_base(name, models.PackageBase)
+
+    if not request.user.has_credential(creds.PKGBASE_LIST_VOTERS):
+        return RedirectResponse(f"/pkgbase/{name}",
+                                status_code=HTTPStatus.SEE_OTHER)
+
    context = make_context(request, "Voters")
    context["pkgbase"] = pkgbase
    return render_template(request, "pkgbase/voters.html", context)
--- a/templates/partials/packages/details.html
+++ b/templates/partials/packages/details.html
@ -131,14 +131,14 @@
    </tr>
    <tr>
        <th>{{ "Votes" | tr }}:</th>
-        {% if not is_maintainer %}
-            <td>{{ pkgbase.NumVotes }}</td>
-        {% else %}
+        {% if request.user.has_credential(creds.PKGBASE_LIST_VOTERS) %}
            <td>
                <a href="/pkgbase/{{ pkgbase.Name }}/voters">
                    {{ pkgbase.NumVotes }}
                </a>
            </td>
+        {% else %}
+            <td>{{ pkgbase.NumVotes }}</td>
        {% endif %}
    </tr>
    <tr>
--- a/test/test_packages_routes.py
+++ b/test/test_packages_routes.py
@ -1078,22 +1078,39 @@ def test_packages_per_page(client: TestClient, maintainer: User):
    assert len(rows) == 250


-def test_pkgbase_voters(client: TestClient, maintainer: User, package: Package):
+def test_pkgbase_voters(client: TestClient, tu_user: User, package: Package):
    pkgbase = package.PackageBase
    endpoint = f"/pkgbase/{pkgbase.Name}/voters"

    now = int(datetime.utcnow().timestamp())
    with db.begin():
-        db.create(PackageVote, User=maintainer, PackageBase=pkgbase,
-                  VoteTS=now)
+        db.create(PackageVote, User=tu_user, PackageBase=pkgbase, VoteTS=now)

+    cookies = {"AURSID": tu_user.login(Request(), "testPassword")}
    with client as request:
-        resp = request.get(endpoint)
+        resp = request.get(endpoint, cookies=cookies, allow_redirects=False)
    assert resp.status_code == int(HTTPStatus.OK)

+    # We should've gotten one link to the voter, tu_user.
    root = parse_root(resp.text)
-    rows = root.xpath('//div[@class="box"]//ul/li')
+    rows = root.xpath('//div[@class="box"]//ul/li/a')
    assert len(rows) == 1
+    assert rows[0].text.strip() == tu_user.Username
+
+
+def test_pkgbase_voters_unauthorized(client: TestClient, user: User,
+                                     package: Package):
+    pkgbase = package.PackageBase
+    endpoint = f"/pkgbase/{pkgbase.Name}/voters"
+
+    now = int(datetime.utcnow().timestamp())
+    with db.begin():
+        db.create(PackageVote, User=user, PackageBase=pkgbase, VoteTS=now)
+
+    with client as request:
+        resp = request.get(endpoint, allow_redirects=False)
+    assert resp.status_code == int(HTTPStatus.SEE_OTHER)
+    assert resp.headers.get("location") == f"/pkgbase/{pkgbase.Name}"


 def test_pkgbase_comment_not_found(client: TestClient, maintainer: User,