Behavior of create_repo API as a general user

Mads Kiilerich mads at kiilerich.com
Sat Jan 2 22:49:13 UTC 2021


Hi

You are right. Kallithea has some bugs around API permission handling. 
It is not using the "create top-level repositories" permissions correctly.

This problem is related to the
"This will also give all users API access to create repositories 
everywhere. That might change in future versions."
note, even though you see the opposite problem.

This behaviour is kind of intentional - 
https://kallithea-scm.org/repos/kallithea/changeset/6620542597d3 - and 
with some awareness in the test suite - 
https://kallithea-scm.org/repos/kallithea-incoming/changeset/975f5769be08 
... but doesn't match what hg.create.repository actually means: 
https://kallithea-scm.org/repos/kallithea/changeset/8aad6a324739#kallitheamodeldbpy_n1676

I propose 
https://kallithea-scm.org/repos/kallithea/pull-request/303/_/api_permission_check 
to fix this.

/Mads


On 1/2/21 7:20 PM, toras wrote:
> Hi
>
> I have doubts about the behavior of 'create_repo' in Kallithea's API, 
> so I will post it.
> The version of kallithea I'm using is 0.6.3.
>
> A 'create_repo' request to a repository group for which the account 
> has write permissions also appears to fail if top-level repository 
> creation is disabled.
> The same request succeeds when I enable the create top-level 
> repository setting.
> Regardless of top-level settings, I can use that account to create 
> repositories from the web into repository groups.
>
> I didn't understand if the explanation of 'Note' on the setting screen 
> means "Failed even if I have write permission".
>
> For the time being, the situation I tried is described below.
>
> The request was made like this.
> ```
> curl http://localhost:5000/_admin/api -X POST \
>   -H 'content-type:text/plain' \
>   --data-binary '{"id":1,"api_key":"0ae8322ce787f08771c6b3570765318fb0360ad6","method":"create_repo","args":{"repo_name":"grp/test","repo_type":"git"}}'
> ```
>
> The response in case of failure is like this.
> ```
> {"id": 1, "result": null, "error": "Internal server error"}
> ```
>
> The console output of kallithea at that time looks like the following.
> ```
> 2021-01-02 17:25:23.087 DEBUG [JSONRPC] Trying to find JSON-RPC method: create_repo
> 2021-01-02 17:25:23.087 INFO  [JSONRPC] IP: 127.0.0.1 Request to /_admin/api time: 0.012s
> 2021-01-02 17:25:23.127 ERROR [JSONRPC] Encountered unhandled exception: Traceback (most recent call last):
>   File "/home/kallithea/.local/lib/python3.6/site-packages/kallithea/controllers/api/__init__.py", line 225, in _rpc_call
>     raw_response = getattr(self, action)(**rpc_args)
>   File "<decorator-gen-73>", line 2, in create_repo
>   File "/home/kallithea/.local/lib/python3.6/site-packages/kallithea/lib/auth.py", line 664, in __wrapper
>     raise HTTPForbidden()
> webob.exc.HTTPForbidden: Access was denied to this resource.
> ```
>
> # I rely on translation tools. I'm sorry if there is a strange sentence.
>
>
> Thanks
>
> ----
> toras9000
>
> _______________________________________________
> kallithea-general mailing list
> kallithea-general at sfconservancy.org
> https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
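The permission mismatch discussed in this thread, as an added illustrative model that is not Kallithea's own code: the "buggy" check only consults the global "create top-level repositories" permission, which is what toras hit, while the "fixed" check applies that permission to top-level names only and requires write permission on the target repository group otherwise. The class and function names, the permission-set layout, the sample user and the shape of the success result are all assumptions made for the example; only the error reply mirrors the one quoted above.

```python
"""Model of the create_repo permission decision (added example, not Kallithea code)."""

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for webob.exc.HTTPForbidden in this model."""


@dataclass
class User:
    name: str
    # Global permissions, e.g. {"hg.create.repository"} (assumed layout).
    global_perms: set = field(default_factory=set)
    # Permission level per repository-group path (assumed layout).
    group_perms: dict = field(default_factory=dict)

    def can_write_group(self, group: str) -> bool:
        return self.group_perms.get(group) in {"group.write", "group.admin"}


def split_repo_name(repo_name: str):
    """'grp/sub/test' -> ('grp/sub', 'test'); 'test' -> (None, 'test')."""
    parent, sep, leaf = repo_name.rpartition("/")
    return (parent if sep else None), leaf


def create_repo_check_buggy(user: User, repo_name: str) -> None:
    """Behaviour toras observed: only the global 'create top-level
    repositories' permission is consulted, so a group member with write
    access is refused whenever that global permission is switched off."""
    if "hg.create.repository" not in user.global_perms:
        raise Forbidden()


def create_repo_check_fixed(user: User, repo_name: str) -> None:
    """Intended semantics: the global permission governs top-level names;
    creating inside a group requires write permission on that group."""
    group, _leaf = split_repo_name(repo_name)
    if group is None:
        if "hg.create.repository" not in user.global_perms:
            raise Forbidden()
    elif not user.can_write_group(group):
        raise Forbidden()


def rpc_create_repo(check, user: User, repo_name: str, request_id: int = 1) -> dict:
    """Run a permission check and shape the outcome like the JSON-RPC reply.
    As in the quoted traceback, an unhandled Forbidden reaches the caller
    only as a generic 'Internal server error', which hides the real cause."""
    try:
        check(user, repo_name)
    except Forbidden:
        return {"id": request_id, "result": None, "error": "Internal server error"}
    # Constructed success payload; Kallithea's real result format is not shown here.
    return {"id": request_id, "result": {"repo_name": repo_name}, "error": None}


if __name__ == "__main__":
    # Constructed sample user: write access on group 'grp', no global create permission.
    toras = User("toras", global_perms=set(), group_perms={"grp": "group.write"})
    print("buggy:", rpc_create_repo(create_repo_check_buggy, toras, "grp/test"))
    print("fixed:", rpc_create_repo(create_repo_check_fixed, toras, "grp/test"))
    print("fixed, top-level:", rpc_create_repo(create_repo_check_fixed, toras, "test"))
```

Running the block shows the same request refused by the buggy check and accepted by the fixed one, while a top-level name is still refused for a user without the global permission, which is the distinction the thread says the API currently loses.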

