This is an automated email from the ASF dual-hosted git repository. arm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 7bd8eafc924d571a8cb3d4f10f06679f6b7a2dbe
Author: Alastair McFarlane <[email protected]>
AuthorDate: Tue Mar 3 09:17:35 2026 +0000
#656 - add check_access to remaining handlers
---
 atr/get/distribution.py | 12 ++++++++----
 atr/get/finish.py | 1 +
 atr/get/ignores.py | 3 ++-
 atr/post/distribution.py | 2 ++
 atr/post/ignores.py | 1 +
 atr/post/keys.py | 1 +
 6 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/atr/get/distribution.py b/atr/get/distribution.py
index fe7eb035..e5955e11 100644
--- a/atr/get/distribution.py
+++ b/atr/get/distribution.py
@@ -37,7 +37,7 @@ from atr.tasks import gha
 @get.typed
 async def automate(
- _session: web.Committer,
+ session: web.Committer,
 _distribution: Literal["distribution/automate"],
 project_name: safe.ProjectName,
 version_name: safe.VersionName,
@@ -45,6 +45,7 @@ async def automate(
 """
 URL: /distribution/automate/<project_name>/<version>
 """
+ await session.check_access(project_name)
 return await _automate_form_page(str(project_name), str(version_name), staging=False)
@@ -144,7 +145,7 @@ async def list_get(
 @get.typed
 async def record(
- _session: web.Committer,
+ session: web.Committer,
 _distribution: Literal["distribution/record"],
 project_name: safe.ProjectName,
 version_name: safe.VersionName,
@@ -152,12 +153,13 @@ async def record(
 """
 URL: /distribution/record/<project_name>/<version_name>
 """
+ await session.check_access(project_name)
 return await _record_form_page(str(project_name), str(version_name), staging=False)
 @get.typed
 async def stage_automate(
- _session: web.Committer,
+ session: web.Committer,
 _distribution: Literal["distribution/stage/automate"],
 project_name: safe.ProjectName,
 version_name: safe.VersionName,
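Review bot: The `await session.check_access(project_name)` line added at the top of `automate` is opt-in per handler, so any route that takes a `project_name` and omits the line fails open; the same line is repeated in `record`, `stage_automate`, `stage_record` and in the handlers of the other five files. The commit title ("remaining handlers") suggests the omission has already happened at least once. Consider enforcing the check where the typed-route decorator (`get.typed` here) binds a `safe.ProjectName` argument, or adding a test that walks the registered routes and asserts that a committer without access to the project is refused on each. The decorator is not visible in this diff, so whether it can carry the check needs confirming, and the diffstat lists only the six handler modules, so no test accompanies the change.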
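Review bot: It is not clear from this diff whether `list_get`, which appears as the enclosing function in the `@@ -144,7 +145,7 @@` header just above `record`, is covered by an access check, since no hunk touches its body while `record` and the other three form-page handlers in the file each gain one. If it takes a `project_name`, confirm that it already calls `check_access` or is deliberately unrestricted, and state which in its docstring so that the gap does not read as an oversight. The body of `list_get` is outside the hunk.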
@@ -165,12 +167,13 @@ async def stage_automate(
 """
 URL: /distribution/stage/automate/<project_name>/<version_name>
 """
+ await session.check_access(project_name)
 return await _automate_form_page(str(project_name), str(version_name), staging=True)
 @get.typed
 async def stage_record(
- _session: web.Committer,
+ session: web.Committer,
 _distribution: Literal["distribution/stage/record"],
 project_name: safe.ProjectName,
 version_name: safe.VersionName,
@@ -178,6 +181,7 @@ async def stage_record(
 """
 URL: /distribution/stage/record/<project_name>/<version_name>
 """
+ await session.check_access(project_name)
 return await _record_form_page(str(project_name), str(version_name), staging=True)
diff --git a/atr/get/finish.py b/atr/get/finish.py
index 7a975900..f8b558a6 100644
--- a/atr/get/finish.py
+++ b/atr/get/finish.py
@@ -69,6 +69,7 @@ async def selected(
 URL: /finish/<project_name>/<version_name>
 Finish a release preview.
 """
+ await session.check_access(project_name)
 try:
 (release, source_files_rel, target_dirs, deletable_dirs, rc_analysis, tasks) = await _get_page_data(
 str(project_name), str(version_name)
diff --git a/atr/get/ignores.py b/atr/get/ignores.py
index fec0c60b..bb24979e 100644
--- a/atr/get/ignores.py
+++ b/atr/get/ignores.py
@@ -32,13 +32,14 @@ import atr.web as web
 @get.typed
 async def ignores(
- _session: web.Committer,
+ session: web.Committer,
 _ignores: Literal["ignores"],
 project_name: safe.ProjectName,
 ) -> str | web.WerkzeugResponse:
 """
 URL: /ignores/<project_name>
 """
+ await session.check_access(project_name)
 async with storage.read() as read:
 ragp = read.as_general_public()
 ignores = await ragp.checks.ignores(str(project_name))
diff --git a/atr/post/distribution.py b/atr/post/distribution.py
index e31f77dc..3e4f0b5a 100644
--- a/atr/post/distribution.py
+++ b/atr/post/distribution.py
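Review bot: In `ignores` (atr/get/ignores.py) the new `check_access` gate is immediately followed by a read through `read.as_general_public()`, so the storage layer classifies this data as public while the route now demands project access. If the restriction is meant to protect the ignore list itself, the handler-level call is the only thing doing so, and any other caller of `ragp.checks.ignores(...)` is not subject to it. If it only keeps the page consistent with the POST handler, a comment such as `# Page is per-project; the data itself is readable as general public` would stop a later reader from deleting the check as redundant. Which of the two is intended cannot be determined from the hunk.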
@@ -119,6 +119,7 @@ async def automate_selected(
 """
 URL: /distribution/automate/<project_name>/<version_name>
 """
+ await session.check_access(project_name)
 return await automate_form_process_page(
 session, distribute_form, str(project_name), str(version_name), staging=False
 )
@@ -135,6 +136,7 @@ async def delete(
 """
 URL: /distribution/delete/<project_name>/<version_name>
 """
+ await session.check_access(project_name)
 sql_platform = delete_form.platform.to_sql() # type: ignore[attr-defined]
 # Validate the submitted data, and obtain the committee for its name
diff --git a/atr/post/ignores.py b/atr/post/ignores.py
index 853942cb..30c2a2f8 100644
--- a/atr/post/ignores.py
+++ b/atr/post/ignores.py
@@ -37,6 +37,7 @@ async def ignores(
 URL: /ignores/<project_name>
 Handle forms on the ignores page.
 """
+ await session.check_access(project_name)
 match ignore_form:
 case shared.ignores.AddIgnoreForm() as add_form:
 return await _add_ignore(session, add_form, str(project_name))
diff --git a/atr/post/keys.py b/atr/post/keys.py
index bc637bf9..6a3939c4 100644
--- a/atr/post/keys.py
+++ b/atr/post/keys.py
@@ -149,6 +149,7 @@ async def import_selected_revision(
 """
 URL: /keys/import/<project_name>/<version_name>
 """
+ await session.check_access(project_name)
 async with storage.write() as write:
 wacm = await write.as_project_committee_member(str(project_name))
 outcomes: outcome.List[types.Key] = await wacm.keys.import_keys_file(str(project_name), str(version_name))
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
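Review bot: In `delete`, `check_access` authorises the `project_name` taken from the URL, but the record to remove is selected from fields of `delete_form` (the hunk shows `delete_form.platform`). The rest of the function is outside the hunk, so confirm that the lookup that follows is constrained by this same `project_name` and `version_name` and not by form fields alone; otherwise the check would cover the route but not the object acted on. A comment next to the new line stating the invariant would help, e.g. `# All lookups below must be scoped to project_name/version_name from the URL`.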
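Review bot: `import_selected_revision` now passes two gates in a row, `session.check_access(project_name)` and `write.as_project_committee_member(str(project_name))`, and nothing says which one is authoritative for the key import. If the storage accessor is the stricter of the two, as its name suggests, record that beside the new line, e.g. `# Route-level gate; the committee-member check below authorises the write`, so that the pair is not later collapsed into the weaker check. Neither implementation is visible in this diff, so their relative strictness is an assumption to verify.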
