jobs.py: fix components job removal

when a job is associated with components of other teams then the user which belongs to the job's team is able to remove components from the job even if the component does not belongs to its own team. nrt added Change-Id: Idb26539dcd1c7ceb4fba5945d46b45302f1565ed
redhat-cip · Dec 5, 2024 · de53fa7 · de53fa7
1 parent 0b74159
commit de53fa7
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/dci/api/v1/jobs.py b/dci/api/v1/jobs.py
@@ -425,7 +425,7 @@ def remove_component_from_job(user, job_id, cmpt_id):
     j = base.get_resource_orm(models2.Job, job_id)
     component = base.get_resource_orm(models2.Component, cmpt_id)
 
-    if component.team_id and not user.is_in_team(component.team_id):
+    if user.is_not_in_team(j.team_id):
         raise dci_exc.Unauthorized()
 
     try:

diff --git a/tests/api/v1/test_jobs.py b/tests/api/v1/test_jobs.py
@@ -170,6 +170,15 @@ def test_attach_component_from_other_team_to_job(
             cmpt_found = True
     assert cmpt_found
 
+    r = user.delete("/api/v1/jobs/%s/components/%s" % (job_user_id, pc_id))
+    assert r.status_code == 201
+    cmpts = user.get("/api/v1/jobs/%s/components" % job_user_id).data["components"]
+    cmpt_found = False
+    for c in cmpts:
+        if c["id"] == pc_id:
+            cmpt_found = True
+    assert not cmpt_found
+
 
 def test_add_component_with_no_team_to_job(
     user, admin, team_user_id, topic_user_id, job_user_id