rultor
rultor copied to clipboard
yegor256
Non authorized persons can use rultor to merge stuff
https://github.com/coala-analyzer/documentation/pull/78#issuecomment-241818795
tamj0rd2 shall not be able to merge the stuff, he has no write privileges.
This is quite critical as this is imposes a security issue^^
@Makman2 looking into this, I think the issue is rather one with documentation here though.
If you define an (or multiple) architect(s) in the config, then this will be enforced. If you do not define one, the case is poorly handled/documented.
Will be looking into this, in the meantime I suggest defining the permissions in the .rultor.yml.
@Makman2 time is always limited :) => the delays at times in here. But when it's serious issues affecting security or productivity, I'll try addressing them asap .
@alex-palevsky valid bug.
@original-brownbear added "bug" tag to this issue
wait by default rultor allows merging for read only guests? I shouldn't need to configure anything to prevent that from happening should I?
So we still have the issue that any random person with read access can trigger merges, is there any workaround? Do we have to explicitly set the maintainers in the rultor yml?
@original-brownbear so, setting the maintainers manually isn't really feasible. The groups change occasionally and we have like a lot of repositories, we don't want to maintain this list manually. I think the best solution would be to set github teams as "architects"
https://developer.github.com/v3/orgs/teams/#get-team-membership could be used to check if the user giving the merge order is part of a team from the architects list
