julien.rbrt.fr / tangled-core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom

knotserver/xrpc: fix incorrect permission check in repo.deleteBranch

the DID being used should be the repo-owner's DID and not the actor's
DID.

Signed-off-by: oppiliappan <me@oppi.li>

oppi.li 62a3b473 8d43875a

verified
options
unified split
Changed files
+2 -2
knotserver
xrpc
delete_branch.go
+2 -2
knotserver/xrpc/delete_branch.go 
···

       
57

       
57

       
 

       
	}


     

       
58

       
58

       
 

       



     

       
59

       
59

       
 

       
	repo := resp.Value.Val.(*tangled.Repo)


     

       
60

       

       
-

       
	didPath, err := securejoin.SecureJoin(actorDid.String(), repo.Name)


     

       

       
60

       
+

       
	didPath, err := securejoin.SecureJoin(ident.DID.String(), repo.Name)


     

       
61

       
61

       
 

       
	if err != nil {


     

       
62

       
62

       
 

       
		fail(xrpcerr.GenericError(err))


     

       
63

       
63

       
 

       
		return


     

       
64

       
64

       
 

       
	}


     

       
65

       
65

       
 

       



     

       
66

       
66

       
 

       
	if ok, err := x.Enforcer.IsPushAllowed(actorDid.String(), rbac.ThisServer, didPath); !ok || err != nil {


     

       
67

       

       
-

       
		l.Error("insufficent permissions", "did", actorDid.String())


     

       

       
67

       
+

       
		l.Error("insufficent permissions", "did", actorDid.String(), "repo", didPath)


     

       
68

       
68

       
 

       
		writeError(w, xrpcerr.AccessControlError(actorDid.String()), http.StatusUnauthorized)


     

       
69

       
69

       
 

       
		return


     

       
70

       
70

       
 

       
	}