From 9f3b47c963504a3700ecffc0085c8d858b205689 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 3 Oct 2013 13:06:16 +0200
Subject: [PATCH] Allow only project owners to delete projects / jobsets

Giant gaping security hole.
---
 src/lib/Hydra/Controller/Jobset.pm  | 1 +
 src/lib/Hydra/Controller/Project.pm | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/src/lib/Hydra/Controller/Jobset.pm b/src/lib/Hydra/Controller/Jobset.pm
index 4d6db815..477cb111 100644
--- a/src/lib/Hydra/Controller/Jobset.pm
+++ b/src/lib/Hydra/Controller/Jobset.pm
@@ -219,6 +219,7 @@ sub submit : Chained('jobsetChain') PathPart Args(0) {
     my ($self, $c) = @_;
     requirePost($c);
+    requireProjectOwner($c, $c->stash->{project});
     if (($c->request->params->{submit} // "") eq "delete") {
         txn_do($c->model('DB')->schema, sub {
diff --git a/src/lib/Hydra/Controller/Project.pm b/src/lib/Hydra/Controller/Project.pm
index 4952fddb..bf9f4451 100644
--- a/src/lib/Hydra/Controller/Project.pm
+++ b/src/lib/Hydra/Controller/Project.pm
@@ -143,6 +143,8 @@ sub submit : Chained('projectChain') PathPart Args(0) {
     my ($self, $c) = @_;
     requirePost($c);
+    requireProjectOwner($c, $c->stash->{project});
+
     if (($c->request->params->{submit} // "") eq "delete") {
         txn_do($c->model('DB')->schema, sub {
             $c->stash->{project}->jobsetevals->delete_all;
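Review bot: The added `requireProjectOwner($c, $c->stash->{project});` sits before the `submit` parameter is inspected, so it covers the delete branch and any other branch of this action, but the guard is repeated by hand in each mutating action (here and in the Project.pm hunk), which is how the original hole arose and how a future action can reintroduce it. Consider enforcing the owner check once in the `jobsetChain`/`projectChain` base action for non-GET requests, or at least documenting the contract with `# Authorization: every action that mutates a jobset must call requireProjectOwner before branching on request params.` The check presumably relies on the chain having populated `$c->stash->{project}`; if it can be undef, the behaviour of requireProjectOwner on an undef project should be confirmed. A regression test that a POST by a non-owner to this path is rejected before any database write would pin the fix. The body of `submit` continues outside the hunk.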