• Nick Thomas's avatar
    Change the mirror user along with pull mirror settings · c902b404
    Nick Thomas authored
    Pull mirroring stores a "mirror_user", which is used to attribute
    changes performed by the mirroring option and, in some cases, for
    checking permissions. In general, the mirror user should be the user
    who set up the pull mirror. However, **changes** to mirror attributes
    do not reset the mirror_user at present.
    
    This property allows a mirror to be changed by one project maintainer,
    and for the changes to be wrongly attributed to another maintainer. In
    the worst case, this could lead to permissions bypasses or credential
    theft.
    
    To mitigate this, we remove the ability to specify who the mirror user
    will be, and ensure it is always set to the ID of the user who modifies
    the pull mirroring settings. The only exception is if you're an admin
    user making changes via the API - in this circumstance, we allow the
    mirror_user_id to be set arbitrarily. This preserves an API endpoint
    that may be widely used.
    c902b404
projects_controller_spec.rb 18 KB