[FIX] limit /force route to advanced users

The force buttons were hidden because they were unfortunately misused as
a rebuild in some cases instead. The position of the button was too obvious
and used as a "magic fix" when the intended behavior was only for really
specific cases.

Unfortunately the routes were known and still used manually. This commit
blocks the access, giving a message to ask for the group if needed.

Those features would benefit from some documentation.
Xavier-Do 2023-03-24 11:00:23 +01:00 committed by Christophe Monniez
parent 30c74e2434
commit 0edc0bce3a

@ -210,6 +210,8 @@ class Runbot(Controller):
'/runbot/bundle/<model("runbot.bundle"):bundle>/force/<int:auto_rebase>',
], type='http', auth="user", methods=['GET', 'POST'], csrf=False)
def force_bundle(self, bundle, auto_rebase=False, **_post):
if not self.env.user.has_group('runbot.group_runbot_advanced_user'):
raise Forbidden("Only users with a specific group can do that. Please contact runbot administrators")
_logger.info('user %s forcing bundle %s', request.env.user.name, bundle.name) # user must be able to read bundle
batch = bundle.sudo()._force()
batch._log('Batch forced by %s', request.env.user.name)
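
Review bot: the new has_group check in force_bundle guards a call that still sits on a route declared with methods=['GET', 'POST'] and csrf=False, so the now-privileged bundle.sudo()._force() can be triggered by a cross-site request riding an advanced user's session; consider restricting the route to POST with CSRF validation now that it is gated behind a group. The denied path also raises Forbidden before the _logger.info line, so rejected attempts leave no trace; a _logger.warning ahead of the raise would make continued manual use of the route visible. Minor: the check reads self.env.user while the log lines use request.env.user; using one form throughout would be clearer.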