only allow triggering rebuilds for crate maintainers

syphar · syphar · commit 0e0771516824 · 2025-05-17T11:40:05.000+02:00
diff --git a/src/controllers/version/docs.rs b/src/controllers/version/docs.rs
@@ -3,7 +3,8 @@
 use super::CrateVersionPath;
 use crate::app::AppState;
 use crate::auth::AuthCheck;
-use crate::util::errors::{AppResult, server_error};
+use crate::controllers::helpers::authorization::Rights;
+use crate::util::errors::{AppResult, custom, server_error};
 use crate::worker::jobs;
 use axum::response::{IntoResponse as _, Response};
 use crates_io_worker::BackgroundJob as _;
@@ -27,10 +28,20 @@ pub async fn rebuild_version_docs(
     req: Parts,
 ) -> AppResult<Response> {
     let mut conn = app.db_write().await?;
-    AuthCheck::only_cookie().check(&req, &mut conn).await?;
+    let auth = AuthCheck::only_cookie().check(&req, &mut conn).await?;
 
     // validate if version & crate exist
-    path.load_version_and_crate(&mut conn).await?;
+    let (_, krate) = path.load_version_and_crate(&mut conn).await?;
+
+    // Check that the user is an owner of the crate, or a team member (= publish rights)
+    let user = auth.user();
+    let owners = krate.owners(&mut conn).await?;
+    if Rights::get(user, &*app.github, &owners).await? < Rights::Publish {
+        return Err(custom(
+            StatusCode::FORBIDDEN,
+            "user doesn't have permission to trigger a docs rebuild",
+        ));
+    }
 
     jobs::DocsRsQueueRebuild::new(path.name, path.version)
         .enqueue(&mut conn)
@@ -53,6 +64,7 @@ mod tests {
         builders::{CrateBuilder, VersionBuilder},
         util::{RequestHelper as _, TestApp},
     };
+    use crates_io_database::models::NewUser;
     use crates_io_docs_rs::MockDocsRsClient;
 
     #[tokio::test(flavor = "multi_thread")]
@@ -83,6 +95,42 @@ mod tests {
         Ok(())
     }
 
+    #[tokio::test(flavor = "multi_thread")]
+    async fn test_trigger_rebuild_permission_failed() -> anyhow::Result<()> {
+        let mut docs_rs_mock = MockDocsRsClient::new();
+        docs_rs_mock
+            .expect_rebuild_docs()
+            .returning(|_, _| Ok(()))
+            .never();
+
+        let (app, _client, cookie_client) =
+            TestApp::full().with_docs_rs(docs_rs_mock).with_user().await;
+
+        let mut conn = app.db_conn().await;
+
+        let other_user = NewUser::builder()
+            .gh_id(111)
+            .gh_login("other_user")
+            .gh_access_token("token")
+            .build()
+            .insert(&mut conn)
+            .await?;
+
+        CrateBuilder::new("krate", other_user.id)
+            .version(VersionBuilder::new("0.1.0"))
+            .build(&mut conn)
+            .await?;
+
+        let response = cookie_client
+            .post::<()>("/api/v1/crates/krate/0.1.0/rebuild_docs", "")
+            .await;
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
+
+        app.run_pending_background_jobs().await;
+
+        Ok(())
+    }
+
     #[tokio::test(flavor = "multi_thread")]
     async fn test_trigger_rebuild_unknown_crate_doesnt_queue_job() -> anyhow::Result<()> {
         let mut docs_rs_mock = MockDocsRsClient::new();
