This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch check-access-get in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit ec956eb08db3648a78edc2deaa6dfbd78cc68440
Author: Dave Fisher <[email protected]>
AuthorDate: Sun Mar 1 12:23:54 2026 -0800
Add check access controls for committers
---
 atr/web.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/atr/web.py b/atr/web.py
index e7a999f5..e75e8489 100644
--- a/atr/web.py
+++ b/atr/web.py
@@ -108,6 +108,27 @@ class Committer:
 return
 raise base.ASFQuartException("You do not have access to this committee", errorcode=403)
+ async def check_access_committee_get(self, committee_name: str) -> bool:
+ if committee_name not in self.committees:
+ if self.is_admin:
+ # Admins can view all committees
+ # But we must warn them when the committee is not one of their own
+ # TODO: As above, this code is difficult to test locally
+ return True
+ return False
+ return True
+
+ async def check_access_get(self, project_name: str) -> bool:
+ if not any((p.name == str(project_name)) for p in (await self.user_projects)):
+ if self.is_admin:
+ # Committers can view all projects. Admins can edit.
+ # But we must warn them when the project is not one of their own
+ # TODO: This code is difficult to test locally
+ # TODO: This flash sometimes displays after deleting a project, which is a bug
+ return True
+ return False
+ return True
+
 async def form_data(self) -> dict[str, Any]:
 if self.__form_data is None:
 self.__form_data = await form.quart_request()
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
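Review bot: In `check_access_get` the comment "Committers can view all projects. Admins can edit." contradicts the branch it sits in: a committer who is neither on the project nor an admin gets `False`, and only `is_admin` bypasses membership, so either the comment or the condition is wrong and the intended read policy should be stated. The "we must warn them" and "This flash" comments in both new methods describe a flash that these methods never emit; they look carried over from the raising check whose tail is visible just above the additions (that method starts outside the hunk). Unlike that check, which raises a 403, both new methods return a bool, so a call site that awaits them without testing the result fails open; a docstring such as `"""Return True if the user may view this project; never raises, so the caller must enforce the result."""` would make the contract explicit. Each body also reduces to a single line, e.g. `return self.is_admin or committee_name in self.committees`.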
