authorDrew DeVault <sir@cmpwn.com>2019-07-06 15:43:08 -0400
committerDrew DeVault <sir@cmpwn.com>2019-07-06 15:43:08 -0400
commitbecae56162a9474e11a4002b561f23649f1a01d4 (patch)
treefe3d1cea97ca3f9f7394569d0bdba40c7e318f5d
parent452ebe908c35f7550373c314fc84ed0cf591121b (diff)
Lock down annotations to UserAccess.manage
-rw-r--r--gitsrht/blueprints/api.py5
1 files changed, 3 insertions, 2 deletions
diff --git a/gitsrht/blueprints/api.py b/gitsrht/blueprints/api.py
index fa223ab..0bc8fc9 100644
--- a/gitsrht/blueprints/api.py
+++ b/gitsrht/blueprints/api.py
@@ -7,6 +7,7 @@ from gitsrht.blueprints.repo import lookup_ref, get_log, collect_refs
from gitsrht.git import Repository as GitRepository, commit_time, annotate_tree
from gitsrht.webhooks import RepoWebhook
from io import BytesIO
+from scmsrht.access import UserAccess
from scmsrht.blueprints.api import get_user, get_repo
from scmsrht.redis import redis
from srht.api import paginated_response
@@ -139,10 +140,10 @@ def repo_tree_GET(username, reponame, ref, path):
@data.route("/api/repos/<reponame>/annotate", methods=["PUT"])
@data.route("/api/<username>/repos/<reponame>/annotate", methods=["PUT"])
-@oauth("data:read")
+@oauth("repo:write")
def repo_annotate_PUT(username, reponame):
user = get_user(username)
- repo = get_repo(user, reponame)
+ repo = get_repo(user, reponame, needs=UserAccess.manage)
valid = Validation(request)