[PATCH] Fix issue with delegation of patch via REST API
Stephen Finucane
stephen at that.guru
Tue Sep 24 18:45:16 AEST 2019
On Mon, 2019-09-23 at 15:39 -0500, Bjorn Helgaas wrote:
> On Sat, Sep 21, 2019 at 07:30:46PM +0100, Stephen Finucane wrote:
> > There have been reports of people being unable to delegate patches to
> > themselves, despite being a maintainer or the project to which the patch
> > is associated.
> >
> > The issue is a result of how we do a check for whether the user is a
> > maintainer of the patch's project [1]. This check is checking if a given
> > 'User.id' is in the list of items referenced by
> > 'Project.maintainer_project'. However, 'Project.maintainer_project' is a
> > backref to 'UserProfile.maintainer_projects'. This means we're comparing
> > 'User.id' and 'UserProfile.id'. Boo.
> >
> > This wasn't seen in testing since we've had a post-save callback [2] for some
> > time that ensures we always create a 'UserProfile' object whenever we create a
> > 'User' object. This also means we won't have an issue on deployments initially
> > deployed after that post-save callback was added, a 'User' with id=N will
> > always have a corresponding 'UserProfile' with id=N. However, that's not true
> > for older deployments such as the ozlabs.org one.
>
> I tried the instance at https://patchwork.kernel.org/project/linux-pci/list/
> to see if it was new enough to work without this fix. But it also
> fails, slightly differently:
>
> $ git config -l | grep "^pw"
> pw.server=https://patchwork.kernel.org/api/1.1
> pw.project=linux-pci
> pw.token=...
>
> $ git-pw patch update --delegate helgaas 11151519
> More than one delegate found: helgaas
>
> Is this another manifestation of the same bug or something else?
This is a different issue and, unlike the other one, is more feature
than bug. This is happening because the search for a particular user is
returning multiple matches. We match on username, first name, last name
and email, so I imagine you have multiple user accounts on the instance
and there might be a conflict between an email address of one account
and a username of another? (Let me know if this isn't the case). The
easy solution is to use a more specific match. I'd suggest just using
the email address associated with your user account ([1] suggests this
is 'bhelgaas at google.com'). We could also support lookup by user ID
(which would guarantee a single match) but I haven't added that to git-
pw yet since it didn't seem that usable.
Stephen
[1] https://patchwork.kernel.org/project/linux-pci/
> > [1] https://github.com/getpatchwork/patchwork/blob/89c924f9bc/patchwork/api/patch.py#L108-L111
> > [2] https://github.com/getpatchwork/patchwork/blob/89c924f9bc/patchwork/models.py#L204-L210
> >
> > Signed-off-by: Stephen Finucane <stephen at that.guru>
> > Closes: #313
> > Reported-by: Bjorn Helgaas <helgaas at kernel.org>
> > ---
> > patchwork/api/patch.py | 4 ++--
> > patchwork/tests/api/test_patch.py | 24 ++++++++++++++++++++++++
> > 2 files changed, 26 insertions(+), 2 deletions(-)
> >
> > diff --git a/patchwork/api/patch.py b/patchwork/api/patch.py
> > index c9360308..d1c9904d 100644
> > --- a/patchwork/api/patch.py
> > +++ b/patchwork/api/patch.py
> > @@ -105,8 +105,8 @@ class PatchListSerializer(BaseHyperlinkedModelSerializer):
> > if not value:
> > return value
> >
> > - if not self.instance.project.maintainer_project.filter(
> > - id=value.id).exists():
> > + if not value.profile.maintainer_projects.only('id').filter(
> > + id=self.instance.project.id).exists():
> > raise ValidationError("User '%s' is not a maintainer for project "
> > "'%s'" % (value, self.instance.project))
> > return value
> > diff --git a/patchwork/tests/api/test_patch.py b/patchwork/tests/api/test_patch.py
> > index 82ae0184..edae9851 100644
> > --- a/patchwork/tests/api/test_patch.py
> > +++ b/patchwork/tests/api/test_patch.py
> > @@ -284,6 +284,30 @@ class TestPatchAPI(utils.APITestCase):
> > self.assertContains(resp, 'Expected one of: %s.' % state.name,
> > status_code=status.HTTP_400_BAD_REQUEST)
> >
> > + def test_update_legacy_delegate(self):
> > + """Regression test for bug #313."""
> > + project = create_project()
> > + state = create_state()
> > + patch = create_patch(project=project, state=state)
> > + user_a = create_maintainer(project)
> > +
> > + # create a user (User), then delete the associated UserProfile and save
> > + # the user to ensure a new profile is generated
> > + user_b = create_user()
> > + self.assertEqual(user_b.id, user_b.profile.id)
> > + user_b.profile.delete()
> > + user_b.save()
> > + user_b.profile.maintainer_projects.add(project)
> > + user_b.profile.save()
> > + self.assertNotEqual(user_b.id, user_b.profile.id)
> > +
> > + self.client.force_authenticate(user=user_a)
> > + resp = self.client.patch(self.api_url(patch.id),
> > + {'delegate': user_b.id})
> > + self.assertEqual(status.HTTP_200_OK, resp.status_code, resp)
> > + self.assertEqual(Patch.objects.get(id=patch.id).state, state)
> > + self.assertEqual(Patch.objects.get(id=patch.id).delegate, user_b)
> > +
> > def test_update_invalid_delegate(self):
> > """Update patch with invalid fields.
> >
> > --
> > 2.21.0
> >
More information about the Patchwork
mailing list