From cf1ba53fa539044b81598dc051b6044063a37321 Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Fri, 7 Nov 2025 23:12:16 +0100
Subject: [PATCH 1/2] enh(wishlist): restrict who can reject apps
---
 webhooks/webhook.py | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/webhooks/webhook.py b/webhooks/webhook.py
index 469a7901..236ff202 100755
--- a/webhooks/webhook.py
+++ b/webhooks/webhook.py
@@ -296,6 +296,46 @@ def reject_wishlist(request: Request, pr_infos: dict, reason=None) -> HTTPRespon
 if repository != "YunoHost/apps" or not branch.startswith("add-to-wishlist"):
 return response.empty()
+ can_reject = False
+ if data["comment"]["author_association"] == "OWNER":
+ can_reject = True
+ logging.info(
+ f"User {user} is an owner of the YunoHost org and can thus reject apps from the wishlist"
+ )
+
+ with requests.Session() as s:
+ s.headers.update({"Authorization": f"token {github_token_membership()}"})
+ r = s.get(
+ f"https://api.github.com/orgs/YunoHost/teams/apps/memberships/{user}"
+ )
+ if r.status_code == 200:
+ can_reject = True
+ logging.info(
+ f"User {user} is in the Apps team and can thus reject apps from the wishlist"
+ )
+ else:
+ logging.info(
+ f"Checking for {user} belonging in the Apps team failed with code {r.status_code}"
+ )
+
+ with requests.Session() as s:
+ s.headers.update({"Authorization": f"token {github_token_invitations()}"})
+ r = s.get(
+ f"https://api.github.com/orgs/YunoHost-Apps/teams/regular-contributors/memberships/{user}"
+ )
+ if r.status_code == 200:
+ can_reject = True
+ logging.info(
+ f"User {user} is a Regular Contributor and can thus reject apps from the wishlist"
+ )
+ else:
+ logging.info(
+ f"Checking for {user} belonging in the Regular Contributors team failed with code {r.status_code}"
+ )
+
+ if not can_reject:
+ return response.empty()
+
 logging.info(
 f"Will put the suggested app in the rejected list on {repository} branch {branch}..."
 )
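Review bot: Both team checks treat any 200 from the `/memberships/{user}` endpoint as membership, but per GitHub's REST documentation that response carries a `state` that is `pending` while an invitation has not been accepted, so an invited-but-unconfirmed account would pass the gate; the condition should be `if r.status_code == 200 and r.json().get("state") == "active":` in both the Apps-team and regular-contributors blocks. Neither `s.get(...)` sets a `timeout=`, so a stalled GitHub API call would hold the webhook handler open indefinitely. When `author_association` is already `OWNER` the two lookups still run; returning early from the checks would save two authenticated requests per comment. The body of `reject_wishlist` starts and ends outside the hunk, so how `user` and `data` are derived, and whether the payload signature is verified before this point, cannot be seen here.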
From e845ade4e4508951c4cacdb117f98c6f183457d2 Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Sun, 23 Nov 2025 14:13:23 +0100
Subject: [PATCH 2/2] enh(wishlist): properly log missing from team and add comment reaction
---
 webhooks/webhook.py | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/webhooks/webhook.py b/webhooks/webhook.py
index 236ff202..03019237 100755
--- a/webhooks/webhook.py
+++ b/webhooks/webhook.py
@@ -311,7 +311,11 @@ def reject_wishlist(request: Request, pr_infos: dict, reason=None) -> HTTPRespon
 if r.status_code == 200:
 can_reject = True
 logging.info(
- f"User {user} is in the Apps team and can thus reject apps from the wishlist"
+ f"User {user} is in the Apps team"
+ )
+ elif r.status_code == 404:
+ logging.info(
+ f"User {user} is not the Apps team"
 )
 else:
 logging.info(
@@ -326,7 +330,11 @@ def reject_wishlist(request: Request, pr_infos: dict, reason=None) -> HTTPRespon
 if r.status_code == 200:
 can_reject = True
 logging.info(
- f"User {user} is a Regular Contributor and can thus reject apps from the wishlist"
+ f"User {user} is a Regular Contributor"
+ )
+ elif r.status_code == 404:
+ logging.info(
+ f"User {user} is not a Regular Contributor"
 )
 else:
 logging.info(
@@ -334,6 +342,16 @@ def reject_wishlist(request: Request, pr_infos: dict, reason=None) -> HTTPRespon
 )
 if not can_reject:
+ logging.info(
+ f"User {user} is not allowed to reject apps from the wishlist"
+ )
+ with requests.Session() as s:
+ comment_id = data["comment"]["id"]
+ s.headers.update({"Authorization": f"token {github_token()}"})
+ r = s.post(
+ f"https://api.github.com/repos/{repository}/issues/comments/{comment_id}/reactions",
+ json='{"content": "-1"}'
+ )
 return response.empty()
 logging.info(
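Review bot: The new 404 message `is not the Apps team` is missing a word and should read `f"User {user} is not in the Apps team"`. In this hunk and in the matching Regular Contributor hunk, a 404 is logged as definite non-membership, but GitHub generally also answers 404 when the token cannot see the organisation or team, so a misconfigured or under-scoped token would look the same as a non-member in the logs; wording such as `not found in the Apps team (or team not visible to the token)` would keep that case distinguishable. The enclosing `with` block starts outside the hunk.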
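Review bot: In the branch added under `if not can_reject:`, `json='{"content": "-1"}'` hands requests a string, which it serialises as a JSON string literal rather than an object, so the reactions call will most likely be rejected and the -1 never posted; pass a dict instead: `json={"content": "-1"}`. The response `r` is discarded, so a failed call is silent; logging `r.status_code` the way the membership checks do, and giving `s.post(...)` a `timeout=`, would make the denial path observable and bounded. `github_token()` is a third credential used here, and whether it is scoped to write reactions on this repository is not visible in the hunk.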