[PATCH] Fix issue with delegation of patch via REST API
michael at ellerman.id.au
Wed Sep 25 20:38:37 AEST 2019
On 24 September 2019 6:51:53 pm AEST, Stephen Finucane <stephen at that.guru> wrote:
>On Mon, 2019-09-23 at 15:23 -0500, Bjorn Helgaas wrote:
>> [+cc Jeremy, Michael]
>> On Sat, Sep 21, 2019 at 07:30:46PM +0100, Stephen Finucane wrote:
>> > There have been reports of people being unable to delegate patches
>> > themselves, despite being a maintainer or the project to which the
>> > is associated.
>> > The issue is a result of how we do a check for whether the user is
>> > maintainer of the patch's project . This check is checking if a
>> > 'User.id' is in the list of items referenced by
>> > 'Project.maintainer_project'. However, 'Project.maintainer_project'
>> > backref to 'UserProfile.maintainer_projects'. This means we're
>> > 'User.id' and 'UserProfile.id'. Boo.
>> > This wasn't seen in testing since we've had a post-save callback
> for some
>> > time that ensures we always create a 'UserProfile' object whenever
>we create a
>> > 'User' object. This also means we won't have an issue on
>> > deployed after that post-save callback was added, a 'User' with
>> > always have a corresponding 'UserProfile' with id=N. However,
>that's not true
>> > for older deployments such as the ozlabs.org one.
>> Thanks a lot for fixing this so fast.
>> I don't know who runs patchwork.ozlabs.org, maybe Jeremy or Michael
>> has a pointer? And I don't know if/when your fix might show up in
>> that instance. It sounds like maybe there's a possibility of a
>> server-side workaround in the meantime, i.e., creating a UserProfile
>> matching my User?
>That won't work because you'd have to modify UserProfile.id to match
>the corresponding User.id for every entry.
I don't follow that.
Bjorn's User id is 6763, if we create a profile with that id (it's free on ozlabs.org, I checked) wouldn't that allow him to delegate to himself?
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
More information about the Patchwork