From 0edc0bce3a30f2ae78684099d0bc44582474d27e Mon Sep 17 00:00:00 2001
From: Xavier-Do
Date: Fri, 24 Mar 2023 11:00:23 +0100
Subject: [PATCH] [FIX] limit /force route to advanced users

The force buttons were hidden because unfortunately miss used as a rebuild in some case instead. The position of the button was to obvious and used as a "magic fix" when the intended behavior was only for really specific cases. Unfortunately the routes were know and still used manually. This commit blocs the access giving a message to ask for the group if needed. Those feature would benefit for some documentation.

---
 runbot/controllers/frontend.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/runbot/controllers/frontend.py b/runbot/controllers/frontend.py
index ebb8a4f9..b35a407b 100644
--- a/runbot/controllers/frontend.py
+++ b/runbot/controllers/frontend.py
@@ -210,6 +210,8 @@ class Runbot(Controller):
 '/runbot/bundle//force/',
 ], type='http', auth="user", methods=['GET', 'POST'], csrf=False)
 def force_bundle(self, bundle, auto_rebase=False, **_post):
+ if not self.env.user.has_group('runbot.group_runbot_advanced_user'):
+ raise Forbidden("Only users with a specific group can do that. Please contact runbot administrators")
 _logger.info('user %s forcing bundle %s', request.env.user.name, bundle.name) # user must be able to read bundle
 batch = bundle.sudo()._force()
 batch._log('Batch forced by %s', request.env.user.name)
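Review bot: The added guard reads `self.env.user`, while the line right after it (and the rest of this method) uses `request.env.user`; odoo's `http.Controller` does not carry an `env` attribute as far as I can tell, so the check would raise AttributeError (a 500) for every caller instead of the intended 403 — fail-closed, but never the message the commit promises. Use the request environment like the neighbouring lines: `if not request.env.user.has_group('runbot.group_runbot_advanced_user'):`. The group gate narrows who can reach the route but does not change that it is a state-changing action registered with `methods=['GET', 'POST'], csrf=False` (visible in the hunk context), so an advanced user can still be made to force a bundle through a cross-site GET; restricting the route to POST with CSRF enabled, or requiring an explicit token, would close that. It is also worth confirming that `Forbidden` is imported in this module, since the hunk does not show it.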