This is an automated email from the ASF dual-hosted git repository. rubys pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/whimsy.git
commit 35acffb952257c53282c929516f150ccea206511
Author: Sam Ruby <[email protected]>
AuthorDate: Sat Aug 3 11:38:03 2019 -0400
allow PMC members to post their own report (even if they are not officers or ASF members)
---
 www/board/agenda/config.ru | 10 ++++++---
 www/board/agenda/models/agenda.rb | 6 ++---
 www/board/agenda/views/actions/post.json.rb | 34 +++++++++++++++++++++++++----
 3 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/www/board/agenda/config.ru b/www/board/agenda/config.ru
index 4743e2c..4d15826 100644
--- a/www/board/agenda/config.ru
+++ b/www/board/agenda/config.ru
@@ -15,10 +15,14 @@ use ASF::Auth::MembersAndOfficers do |env|
 next true
 end
- # allow access to historical-comments for reporter tool.
- # note: this list is filtered by routes.rb to only include the list of
- # PMCs that the user is a member of for non-ASF-members and non-officers.
+ # allow access to historical-comments and post for reporter tool.
+ # notes:
+ # - historical-comments is filtered by routes.rb to only include the list of
+ # PMCs that the user is a member of for non-ASF-members and non-officers.
+ # - post is limited to ASF members, officers, and members of the PMC whose
+ # report is being posted.
 next true if env['PATH_INFO'] == '/json/historical-comments'
+ next true if env['PATH_INFO'] == '/json/post'
 # additionally authorize all invited guests
 agenda = dir('board_agenda_*.txt').sort.last
diff --git a/www/board/agenda/models/agenda.rb b/www/board/agenda/models/agenda.rb
index 20d9309..c3ee4d1 100755
--- a/www/board/agenda/models/agenda.rb
+++ b/www/board/agenda/models/agenda.rb
@@ -129,7 +129,7 @@ class Agenda
 end
 # update agenda file in SVN
- def self.update(file, message, retries=20, &block)
+ def self.update(file, message, retries=20, auth: nil, &block)
 return unless block
 commit_rc = 0
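Review bot: The new `next true if env['PATH_INFO'] == '/json/post'` line lets every principal that reaches this block invoke the post action — and the existing historical-comments note says that includes non-ASF-members and non-officers — while the comment just above describes a restriction that this file does not enforce. The real check lives in views/actions/post.json.rb (ASF member, PMC chair, or PMC member of the project being posted), so name that file here so nobody later relaxes or reorders that check without realising this gate depends on it, e.g. `# - post: authorization is enforced in views/actions/post.json.rb, not here.` The `use ASF::Auth::MembersAndOfficers do |env|` block starts before this hunk, so I cannot see what other paths it opens.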
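Review bot: The new `auth:` keyword on `self.update` is undocumented — the only comment is `# update agenda file in SVN` — and the shape it expects is exactly what a caller needs to know: the defaults assigned further down in this method are nested arrays (`[[]]` and `[['--username', env.user, '--password', env.password]]`), whereas the new caller in views/actions/post.json.rb passes the flat `['--username', 'whimsysvn']`, so unless the svn invocation flattens its arguments one of the two is wrong. Pick one shape and state it above the `def`, e.g. `# auth: optional svn credential arguments (same nested shape as the defaults below); when nil, credentials are derived from env`. The body of `self.update` continues beyond this hunk, so I cannot confirm how `auth` is consumed.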
@@ -139,9 +139,9 @@ class Agenda
 #extract context from block
 _, env = eval('[_, env]', block.binding)
- auth = [[]]
+ auth ||= [[]]
 if env.password
- auth = [['--username', env.user, '--password', env.password]]
+ auth ||= [['--username', env.user, '--password', env.password]]
 end
 file.untaint if file =~ /\Aboard_\w+_[\d_]+\.txt\z/
diff --git a/www/board/agenda/views/actions/post.json.rb b/www/board/agenda/views/actions/post.json.rb
index f6cd18a..467e4e1 100644
--- a/www/board/agenda/views/actions/post.json.rb
+++ b/www/board/agenda/views/actions/post.json.rb
@@ -1,6 +1,11 @@
 #
 # edit exiting / post new report
 #
+# Note: this code validates that env.user is one of the following:
+# 1) an ASF member
+# 2) a PMC chair
+# 3) a member of the PMC for the report being posted
+#
 # special case for new special orders
 if @attach == '7?'
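Review bot: After `auth ||= [[]]` runs, `auth` is always a non-nil (truthy) array, so the following `auth ||= [['--username', env.user, '--password', env.password]]` never assigns — the `if env.password` branch is now dead, and a caller that passes no `auth:` commits without the user's credentials where before this change it used them. Because `[[]]` is truthy the generic default has to be assigned last: `auth ||= [['--username', env.user, '--password', env.password]] if env.password` followed by `auth ||= [[]]`. What the svn invocation does when handed `[[]]` (cached server credentials, an anonymous attempt, or a failed commit) is outside this hunk, so I cannot tell whether this regression fails closed.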
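Review bot: The new header lists three accepted principals but does not say that case 3 applies only when the report is identified by `@project`; with `@attach` set, the body below raises `"not authorized to post to the board agenda"` for anyone who is not a member or chair, and case-3 commits go through the shared `whimsysvn` svn identity rather than the user's own. That is the contract a reader wants at the top of the file, e.g. `# Case 3 applies only to posts identified by @project (reporter tool); those commits are made with the shared whimsysvn svn credentials.`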
@@ -9,21 +14,35 @@ elsif @attach == '8?'
 @message = "Post Discussion Item 8X: #{@title}"
 end
-Agenda.update(@agenda, @message) do |agenda|
+attach = nil
+
+# Determine if user is authorized
+user = ASF::Person.find(env.user)
+member_or_officer = user.asf_member? or ASF.pmc_chairs.include? user
+credentials = member_or_officer ? nil : ['--username', 'whimsysvn']
+Agenda.update(@agenda, @message, auth: credentials) do |agenda|
 # quick parse of agenda
 parsed = ASF::Board::Agenda.parse(agenda, true)
 # map @project to @attach to support posting from reporter.apache.org
 if not @attach and @project
- project = ASF::Committee.find(@project).display_name
+ project = ASF::Committee.find(@project)
+ raise "project #{@project.inspect} not found" unless project
+ unless member_or_officer or project.owners.include? user
+ raise "not authorized to post to #{@project}"
+ end
+
+ projectName = project.display_name
 parsed.each do |report|
- if report['title'] == project
+ if report['title'] == projectName
 raise "report already posted" unless @digest or report['missing']
- @attach = report[:attach]
+ attach = @attach = report[:attach]
 @digest ||= report['digest']
 end
 end
+ else
+ raise "not authorized to post to the board agenda" unless member_or_officer
 end
 # remove trailing whitespace
@@ -147,3 +166,10 @@ Agenda.update(@agenda, @message) do |agenda|
 # return updated agenda
 agenda
 end
+
+# filter agenda if project is specified or the user is not authorized to see
+# the entire document
+if @project or not member_or_officer
+ agenda = _.delete 'agenda'
+ _item agenda.find {|report| report[:attach] == attach}
+end
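Review bot: `member_or_officer = user.asf_member? or ASF.pmc_chairs.include? user` parses as `(member_or_officer = user.asf_member?) or ASF.pmc_chairs.include?(user)` because `or` binds more loosely than `=`, so the chair check runs but its result is discarded: a PMC chair who is not an ASF member gets `false`, is refused on the `else` branch when posting by `@attach`, and on the `@project` path commits through the shared account instead of as themselves. Use `member_or_officer = user.asf_member? || ASF.pmc_chairs.include?(user)`. Separately, a post made with `['--username', 'whimsysvn']` is attributed to the service account in the svn log, so for audit purposes the acting `env.user` should appear in `@message` if it does not already — the message construction for the ordinary (non-special-order) case is outside this hunk. The flat-versus-nested shape of `credentials` relative to Agenda.update's defaults is raised on the agenda.rb hunk.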
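Review bot: `attach` is still `nil` whenever the `else` branch above was taken with `@project` also set (a member or chair supplying both `@attach` and `@project`) and whenever no report title matched `projectName`, so `agenda.find {|report| report[:attach] == attach}` then searches for a report whose `:attach` is nil and `_item` receives whatever that yields — presumably nil, which the reporter tool would see as a successful post with no item. Initialise the local from the request, `attach = @attach` in place of `attach = nil`, and fail explicitly when nothing matches: `item = agenda.find {|report| report[:attach] == attach}` / `raise "no report found for #{(@project || @attach).inspect}" unless item` / `_item item`. Whether the code between these two hunks reassigns `@attach` is something I cannot see from here.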
