Fix bug where users may vote for their own merge (#3565)

invisig0th · web-flow · commit 85697612a618 · 2024-02-15T11:54:06.000-05:00
diff --git a/synapse/lib/stormtypes.py b/synapse/lib/stormtypes.py
@@ -7718,6 +7718,8 @@ async def setMergeVote(self, approved=True, comment=None):
             mesg = 'You are not a member of a role with voting privileges for this merge request.'
             raise s_exc.AuthDeny(mesg=mesg)
 
+        view.reqValidVoter(self.runt.user.iden)
+
         vote = {'user': self.runt.user.iden, 'approved': await tobool(approved)}
 
         if comment is not None:
diff --git a/synapse/lib/view.py b/synapse/lib/view.py
@@ -268,15 +268,28 @@ async def setMergeVote(self, vote):
         vote['offset'] = await self.layers[0].getEditIndx()
         return await self._push('merge:vote:set', vote)
 
+    def reqValidVoter(self, useriden):
+
+        merge = self.getMergeRequest()
+        if merge is None:
+            raise s_exc.BadState(mesg=f'View ({self.iden}) does not have a merge request.')
+
+        if merge.get('creator') == useriden:
+            raise s_exc.AuthDeny(mesg='A user may not vote for their own merge request.')
+
     @s_nexus.Pusher.onPush('merge:vote:set')
     async def _setMergeVote(self, vote):
 
         self.reqParentQuorum()
         s_schemas.reqValidVote(vote)
 
-        uidn = s_common.uhex(vote.get('user'))
+        useriden = vote.get('user')
+
+        self.reqValidVoter(useriden)
+
+        bidn = s_common.uhex(useriden)
 
-        self.core.slab.put(self.bidn + b'merge:vote' + uidn, s_msgpack.en(vote), db='view:meta')
+        self.core.slab.put(self.bidn + b'merge:vote' + bidn, s_msgpack.en(vote), db='view:meta')
 
         await self.core.feedBeholder('view:merge:vote:set', {'view': self.iden, 'vote': vote})
 
diff --git a/synapse/tests/test_lib_stormtypes.py b/synapse/tests/test_lib_stormtypes.py
@@ -6416,6 +6416,9 @@ async def test_view_quorum(self):
             with self.raises(s_exc.SynErr):
                 await core.callStorm('$lib.view.get().merge()', opts={'view': fork00})
 
+            with self.raises(s_exc.BadState):
+                core.getView(fork00).reqValidVoter(visi.iden)
+
             with self.raises(s_exc.AuthDeny):
                 await core.callStorm('$lib.view.get().setMergeRequest()', opts={'user': visi.iden, 'view': fork00})
 
@@ -6425,12 +6428,18 @@ async def test_view_quorum(self):
             self.eq(merge['comment'], 'woot')
             self.eq(merge['creator'], core.auth.rootuser.iden)
 
+            with self.raises(s_exc.AuthDeny):
+                core.getView(fork00).reqValidVoter(root.iden)
+
             merge = await core.callStorm('return($lib.view.get().getMergeRequest())', opts={'view': fork00})
             self.nn(merge['iden'])
             self.nn(merge['created'])
             self.eq(merge['comment'], 'woot')
             self.eq(merge['creator'], core.auth.rootuser.iden)
 
+            with self.raises(s_exc.AuthDeny):
+                await core.callStorm('$lib.view.get().setMergeVote()', opts={'view': fork00})
+
             with self.raises(s_exc.AuthDeny):
                 await core.callStorm('$lib.view.get().setMergeVote()', opts={'user': visi.iden, 'view': fork00})
 
