archlinux / arch-security-tracker

Arch Linux Security Tracker
https://security.archlinux.org
MIT License

cve: check user_can_edit_issue before attempting to merge a CVE #179

Closed diabonas closed 3 years ago

diabonas commented 3 years ago

add_cve requires reporter permissions, but does not perform any further checks when attempting to merge with an existing CVE. This allows reporters a limited amount of control over CVEs for which advisories were already created, which should be denied by using user_can_edit_issue like edit_cve does.
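
The authorization gap described in this issue, as an added illustration and not code from the arch-security-tracker project: a minimal model of a tracker whose `add_cve` merges into an existing CVE, shown once without the merge-time check and once gated by `user_can_edit_issue`. The role names, the rule that a reporter may only edit a CVE without a published advisory, the CVE and advisory identifiers, and all function names other than `add_cve`, `edit_cve` and `user_can_edit_issue` are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Roles are an assumption for this example, not the tracker's actual role model.
ROLE_REPORTER = "reporter"
ROLE_SECURITY_TEAM = "security_team"
ROLE_ADMINISTRATOR = "administrator"
PRIVILEGED_ROLES = {ROLE_SECURITY_TEAM, ROLE_ADMINISTRATOR}


@dataclass
class User:
    name: str
    role: str


@dataclass
class CVE:
    id: str
    description: str
    # IDs of advisories already published for this CVE (constructed data).
    advisories: List[str] = field(default_factory=list)


@dataclass
class Tracker:
    cves: Dict[str, CVE] = field(default_factory=dict)


def user_can_edit_issue(user: User, cve: Optional[CVE]) -> bool:
    """Assumed rule: privileged roles may always edit; a reporter may edit only
    a CVE that has no published advisory (or one that does not exist yet)."""
    if user.role in PRIVILEGED_ROLES:
        return True
    if user.role == ROLE_REPORTER:
        return cve is None or not cve.advisories
    return False


def _require_reporter(user: User) -> None:
    # The coarse gate add_cve already had: any reporter-or-above may call it.
    if user.role != ROLE_REPORTER and user.role not in PRIVILEGED_ROLES:
        raise PermissionError(f"{user.name} may not add CVEs")


def add_cve_unchecked(tracker: Tracker, user: User, cve_id: str, description: str) -> CVE:
    """Before the fix: the merge path trusts anyone who passed the reporter gate."""
    _require_reporter(user)
    existing = tracker.cves.get(cve_id)
    if existing is not None:
        existing.description = description  # reporter rewrites a CVE that has advisories
        return existing
    cve = CVE(cve_id, description)
    tracker.cves[cve_id] = cve
    return cve


def add_cve_checked(tracker: Tracker, user: User, cve_id: str, description: str) -> CVE:
    """After the fix: merging into an existing CVE is gated the same way edit_cve is."""
    _require_reporter(user)
    existing = tracker.cves.get(cve_id)
    if existing is not None:
        if not user_can_edit_issue(user, existing):
            raise PermissionError(f"{user.name} may not merge into {cve_id}")
        existing.description = description
        return existing
    cve = CVE(cve_id, description)
    tracker.cves[cve_id] = cve
    return cve


def make_tracker() -> Tracker:
    """Constructed sample state: one CVE that already has an advisory."""
    t = Tracker()
    t.cves["CVE-2021-0001"] = CVE("CVE-2021-0001", "original text", ["ASA-202101-1"])
    return t


def demo() -> dict:
    """Run both variants as a reporter against the published CVE and report the outcome."""
    reporter = User("alice", ROLE_REPORTER)
    team = User("bob", ROLE_SECURITY_TEAM)
    results = {}

    t = make_tracker()
    add_cve_unchecked(t, reporter, "CVE-2021-0001", "rewritten by reporter")
    results["unchecked_reporter_overwrote"] = (
        t.cves["CVE-2021-0001"].description == "rewritten by reporter"
    )

    t = make_tracker()
    try:
        add_cve_checked(t, reporter, "CVE-2021-0001", "rewritten by reporter")
        results["checked_reporter_denied"] = False
    except PermissionError:
        results["checked_reporter_denied"] = t.cves["CVE-2021-0001"].description == "original text"

    results["checked_team_allowed"] = (
        add_cve_checked(t, team, "CVE-2021-0001", "team edit").description == "team edit"
    )
    results["checked_reporter_new_cve"] = (
        add_cve_checked(t, reporter, "CVE-2021-0002", "new entry").id == "CVE-2021-0002"
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two variants is that the reporter gate alone is not the authorization decision: once the request resolves to an existing record, the same per-issue check that guards `edit_cve` has to run before anything on that record is touched, and it has to run before the mutation, not after.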

anthraxx commented 3 years ago

applied with signatures via 49de1f4defe00949348aa93b4d5d9831e652b13b 31f6543e428ec8e3a4df1d1700fb19b492304ef6

plus a test case via b22b132e6509e41cb88ef36f2ca6cf95877b6e58