Commit 65e6eb1d authored by sebastien letort

In JobAuthMixin, we can safely provide a wrong job id.

parent af9b6351
...@@ -97,7 +97,11 @@ class JobAuthMixin(AllgoValidAccountMixin, UserPassesTestMixin): ...@@ -97,7 +97,11 @@ class JobAuthMixin(AllgoValidAccountMixin, UserPassesTestMixin):
if user is None: if user is None:
return False return False
self.raise_exception = True # to return a 403 self.raise_exception = True # to return a 403
job = Job.objects.filter(pk=self.kwargs['pk']).first() try:
job = Job.objects.get(id=self.kwargs['pk'])
except Job.DoesNotExist:
return False
return user.is_superuser or user == getattr(job, "user", ()) return user.is_superuser or user == getattr(job, "user", ())
def handle_no_permission(self): def handle_no_permission(self):
......
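Review bot: the new `except Job.DoesNotExist: return False` branch runs before the `user.is_superuser` check on the last line of the method, so a superuser requesting a job id that does not exist now gets the 403 enabled by `self.raise_exception = True`, where the removed `filter(...).first()` line let `user.is_superuser` return True with `job` set to None. If that is intended, say so in the commit message; if a missing job should be a 404 for superusers, test `user.is_superuser` before the lookup or raise `Http404` in the except branch. For non-superusers the result is unchanged (the old code compared `user` with the `()` default and returned False), and answering 403 for both a missing job and another user's job keeps the response from revealing which ids exist. Since `get()` either returns a job or raises, `job` can no longer be None in the final return, so `getattr(job, "user", ())` can be written as `job.user`.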