Git pull command available without git repo and doesn't respect access rights on sites tab.
Patch fix this

CommentFileSizeAuthor
fix-git-pull-access-bypass-and-available-without-repo.patch914 bytesformatC'vt
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

formatC'vt created an issue. See original summary.

helmo’s picture

helmo CreditAttribution: helmo at Initfour websolutions commented
Status: Needs review » Needs work

The access callback you try to use here has specific code for platforms user_access('create platform git-pull task'), which are not properly checked.

I think we need to do a more thorough review of the checks, also relating to #2555129: Split site and platform Git features

formatC'vt’s picture

formatC'vt CreditAttribution: formatC'vt as a volunteer commented

Oh my bad.
Also i found that git_allow_pull_task ($node->git['git_allow_pull_task']) are not used anywhere and always not set.
For me it's look like here should be pull_method instead of git_allow_pull_task. Am I right?

  • helmo committed cd78594 on 7.x-3.x 
    Issue #2552077 by formatC'vt,helmo: Git pull available without git repo
helmo’s picture

helmo CreditAttribution: helmo at Initfour websolutions commented
Title: Git pull available without git repo and for any user » Git pull available without git repo
Status: Needs work » Fixed

The git_allow_pull_task has been cleaned up late last year ...
The access hook had already been added, so updating the title.

I've now added your check on repo_url for both site and platform access hooks.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.