
knotserver/xrpc: fix incorrect permission check in repo.deleteBranch

the DID being used should be the repo-owner's DID and not the actor's
DID.

Signed-off-by: oppiliappan <me@oppi.li>

oppi.li 62a3b473 8d43875a

verified
Changed files
+2 -2
knotserver
+2 -2
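--- a/knotserver/xrpc/delete_branch.go
+++ b/knotserver/xrpc/delete_branch.go
@@ -57,14 +57,14 @@
 }
 
 repo := resp.Value.Val.(*tangled.Repo)
-didPath, err := securejoin.SecureJoin(actorDid.String(), repo.Name)
+didPath, err := securejoin.SecureJoin(ident.DID.String(), repo.Name)
 if err != nil {
 fail(xrpcerr.GenericError(err))
 return
 }
 
 if ok, err := x.Enforcer.IsPushAllowed(actorDid.String(), rbac.ThisServer, didPath); !ok || err != nil {
-l.Error("insufficent permissions", "did", actorDid.String())
+l.Error("insufficent permissions", "did", actorDid.String(), "repo", didPath)
 writeError(w, xrpcerr.AccessControlError(actorDid.String()), http.StatusUnauthorized)
 return
 }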
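Review bot: The deny branch around the changed `l.Error` line is taken for both `!ok` and `err != nil`, but the error value is never logged, so an enforcer failure looks identical to a genuine denial when these entries are audited. Consider `l.Error("insufficient permissions", "did", actorDid.String(), "repo", didPath, "err", err)`, which also fixes the "insufficent" spelling; the check itself fails closed either way, which is the right default. Because this commit corrects which DID the policy path is built from, a regression test in which the actor and the repo owner differ would pin the behaviour, and none is visible in this commit. The handler begins and ends outside the hunk, so how `ident` is resolved (and whether it can be nil here) cannot be confirmed from these lines.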