Allow only project owners to delete projects / jobsets
Giant gaping security hole.
parent
7a5ec00ea1
commit
9f3b47c963
|
@ -219,6 +219,7 @@ sub submit : Chained('jobsetChain') PathPart Args(0) {
|
||||||
my ($self, $c) = @_;
|
my ($self, $c) = @_;
|
||||||
|
|
||||||
requirePost($c);
|
requirePost($c);
|
||||||
|
requireProjectOwner($c, $c->stash->{project});
|
||||||
|
|
||||||
if (($c->request->params->{submit} // "") eq "delete") {
|
if (($c->request->params->{submit} // "") eq "delete") {
|
||||||
txn_do($c->model('DB')->schema, sub {
|
txn_do($c->model('DB')->schema, sub {
|
||||||
|
|
|
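Review bot: The added `requireProjectOwner($c, $c->stash->{project});` in the jobset `submit` action sits before the `eq "delete"` branch, so it gates every POST to this action, not only deletion as the commit title says. That placement is the safer one, and a comment such as `# Authorise before branching: no path through submit may run for a non-owner.` would stop a later refactor from moving it inside the delete branch. The call relies on `jobsetChain` having stashed `project`, which happens outside this hunk; it is worth confirming the helper denies access, rather than passing, if that entry is ever undefined. No test accompanies the change on this page, so a regression test that POSTs `submit=delete` as a logged-in non-owner and expects a denial would pin the fix, here and in the project `submit` hunk below. The body of `submit` continues past the end of the hunk.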
@ -143,6 +143,8 @@ sub submit : Chained('projectChain') PathPart Args(0) {
|
||||||
my ($self, $c) = @_;
|
my ($self, $c) = @_;
|
||||||
|
|
||||||
requirePost($c);
|
requirePost($c);
|
||||||
|
requireProjectOwner($c, $c->stash->{project});
|
||||||
|
|
||||||
if (($c->request->params->{submit} // "") eq "delete") {
|
if (($c->request->params->{submit} // "") eq "delete") {
|
||||||
txn_do($c->model('DB')->schema, sub {
|
txn_do($c->model('DB')->schema, sub {
|
||||||
$c->stash->{project}->jobsetevals->delete_all;
|
$c->stash->{project}->jobsetevals->delete_all;
|
||||||
|
|
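Review bot: With ownership now enforced in the project `submit` action, the only other gate visible before the `delete_all` is `requirePost($c)`, which by its name checks the HTTP method only; nothing in this hunk ties the POST to a form the owner actually submitted (an anti-CSRF token or an Origin check). If the application does not enforce that elsewhere, it should be added alongside `requireProjectOwner`, because the deletion inside `txn_do` cannot be undone. It would also help to record which user deleted which project once the transaction commits, so that a deletion can be attributed afterwards. The rest of `submit` lies outside this hunk, so either control may already exist there.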