Merge pull request #1559 from karlcow/845/1

Mike Taylor · web-flow · commit 76004f1e969c · 2017-05-12T09:36:42.000-05:00
Fixes #845 - restrict comments and constrain the closing of issue
diff --git a/webcompat/api/endpoints.py b/webcompat/api/endpoints.py
@@ -50,8 +50,13 @@ def edit_issue(number):
     edit issues.
     '''
     path = 'repos/{0}/{1}'.format(ISSUES_PATH, number)
-    edit = proxy_request('patch', path, data=request.data)
-    return (edit.content, edit.status_code, {'content-type': JSON_MIME})
+    # we can only change the state of the issue: close or open
+    states_list = ['{"state": "closed"}', '{"state": "open"}']
+    if request.data in states_list:
+        edit = proxy_request('patch', path, data=request.data)
+        return (edit.content, edit.status_code, {'content-type': JSON_MIME})
+    else:
+        abort(403)
 
 
 @api.route('/issues')
@@ -205,7 +210,7 @@ def proxy_comments(number):
     Either as an authed user, or as one of our proxy bots.
     '''
     params = request.args.copy()
-    if request.method == 'POST':
+    if request.method == 'POST' and g.user:
         path = 'repos/{0}/{1}/comments'.format(ISSUES_PATH, number)
         return api_request('post', path, params=params,
                            data=get_comment_data(request.data))
