Allow only project owners to delete projects / jobsets
Giant gaping security hole.
parent
7a5ec00ea1
commit
9f3b47c963
2 changed files with 3 additions and 0 deletions
|
@ -219,6 +219,7 @@ sub submit : Chained('jobsetChain') PathPart Args(0) {
|
|||
my ($self, $c) = @_;
|
||||
|
||||
requirePost($c);
|
||||
requireProjectOwner($c, $c->stash->{project});
|
||||
|
||||
if (($c->request->params->{submit} // "") eq "delete") {
|
||||
txn_do($c->model('DB')->schema, sub {
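Review bot: The `requireProjectOwner` call in the jobset `submit` action sits ahead of the `submit eq "delete"` test, so it gates every POST to this action and not only deletion, which is broader than the commit title says. That is the safer placement, but nothing in the code records it as intentional; a short comment above the call would, e.g. `# Authorise before branching: every path through submit modifies the jobset.` (presumably true of the non-delete path, which lies outside the hunk and should be confirmed). The same comment applies to the project `submit` action in the second hunk.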
|
||||
|
|
|
@ -143,6 +143,8 @@ sub submit : Chained('projectChain') PathPart Args(0) {
|
|||
my ($self, $c) = @_;
|
||||
|
||||
requirePost($c);
|
||||
requireProjectOwner($c, $c->stash->{project});
|
||||
|
||||
if (($c->request->params->{submit} // "") eq "delete") {
|
||||
txn_do($c->model('DB')->schema, sub {
|
||||
$c->stash->{project}->jobsetevals->delete_all;
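Review bot: No test accompanies the fix: the diffstat lists two changed files and both hunks are controller actions, so nothing stops the `requireProjectOwner` line in the project `submit` action from being dropped again in a later refactor. A regression test should POST `submit=delete` as an authenticated non-owner and assert that the request is refused and that the project and its `jobsetevals` rows are still present, with the same case for the jobset action. Because the check is placed by hand inside each action body, it is also worth confirming that the other state-changing actions in both controllers call it; they are not visible in this hunk.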
|
||||
|
|