From a3e66850d25adf02508612b83820a9c95648acdf Mon Sep 17 00:00:00 2001
From: Abdun Nihaal <abdun.nihaal@gmail.com>
Date: Wed, 16 Apr 2025 22:02:36 +0530
Subject: [PATCH] Prevent any user from updating public bundles

Currently, the web UI allows any logged in user to remove patches from
public bundles. However, the correct behaviour is that only the owner of
the bundle should be allowed to update a bundle.

Fix that by adding checks in set_bundle() before adding or removing
patches from bundles.

Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Closes: #599
---
 patchwork/views/__init__.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/patchwork/views/__init__.py b/patchwork/views/__init__.py
index db484c79..92adbbcc 100644
--- a/patchwork/views/__init__.py
+++ b/patchwork/views/__init__.py
@@ -135,9 +135,13 @@ def set_bundle(request, project, action, data, patches):
         if not data['bundle_id']:
             return ['No bundle was selected']
         bundle = get_object_or_404(Bundle, id=data['bundle_id'])
+        if request.user != bundle.owner:
+            return ["You don't have permissions to add patches to bundle"]
         add_bundle_patches(request, patches, bundle)
     elif action == 'remove':
         bundle = get_object_or_404(Bundle, id=data['removed_bundle_id'])
+        if request.user != bundle.owner:
+            return ["You don't have permissions to remove patches from bundle"]
         for patch in patches:
             try:
                 bp = BundlePatch.objects.get(bundle=bundle, patch=patch)
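Review bot: The authorization fix lands without a regression test — the diffstat lists only `patchwork/views/__init__.py` — so nothing pins that a non-owner's `add` or `remove` request is now rejected while the owner's still succeeds; a test that posts to this view as a second user against a bundle owned by the first would cover both added branches. The two added `if request.user != bundle.owner:` checks also run only after `get_object_or_404`, so the response now distinguishes a bundle id that does not exist (404) from one the caller does not own (permission message); if that distinction is not wanted, scoping the lookup itself, `bundle = get_object_or_404(Bundle, id=data['bundle_id'], owner=request.user)` (and the same for the `remove` branch, assuming `owner` is a plain foreign key), folds both cases into a 404 and makes the separate check unnecessary. Either way, `request.user.pk != bundle.owner_id` avoids loading the owner row just to compare identities. set_bundle() starts before this hunk and its body continues past it, so any other action branches it handles are not visible here.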