[aur-dev][PATCH] Fix notifications emails going to the right people

Eli Schwartz eschwartz at archlinux.org
Fri Aug 10 21:26:28 UTC 2018 

The notify script expects to see the userid followed by additional
arguments like the pkgbase id, however, these were getting sent swapped
around (presumably due to the similarity with the db connection which
expects them in the other order when processing SQL statements).

As a result, some random userid with the same id as the pkgbase, got sent a
notification regarding some package with the same id as the real user's id.

Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
---
 aurweb/git/serve.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/aurweb/git/serve.py b/aurweb/git/serve.py
index 93ff34c..2882780 100755
--- a/aurweb/git/serve.py
+++ b/aurweb/git/serve.py
@@ -107,7 +107,7 @@ def pkgbase_adopt(pkgbase, user, privileged):
                            [pkgbase_id, userid])
     conn.commit()
 
-    subprocess.Popen((notify_cmd, 'adopt', str(pkgbase_id), str(userid)))
+    subprocess.Popen((notify_cmd, 'adopt', str(userid), str(pkgbase_id)))
 
     conn.close()
 
@@ -165,8 +165,8 @@ def pkgbase_set_comaintainers(pkgbase, userlist, user, privileged):
             cur = conn.execute("INSERT INTO PackageComaintainers " +
                                "(PackageBaseID, UsersID, Priority) " +
                                "VALUES (?, ?, ?)", [pkgbase_id, userid, i])
-            subprocess.Popen((notify_cmd, 'comaintainer-add', str(pkgbase_id),
-                              str(userid)))
+            subprocess.Popen((notify_cmd, 'comaintainer-add', str(userid),
+                              str(pkgbase_id)))
         else:
             cur = conn.execute("UPDATE PackageComaintainers " +
                                "SET Priority = ? " +
@@ -179,7 +179,7 @@ def pkgbase_set_comaintainers(pkgbase, userlist, user, privileged):
                                "WHERE PackageBaseID = ? AND UsersID = ?",
                                [pkgbase_id, userid])
             subprocess.Popen((notify_cmd, 'comaintainer-remove',
-                              str(pkgbase_id), str(userid)))
+                              str(userid), str(pkgbase_id)))
 
     conn.commit()
     conn.close()
@@ -266,7 +266,7 @@ def pkgbase_disown(pkgbase, user, privileged):
     if userid == 0:
             raise aurweb.exceptions.InvalidUserException(user)
 
-    subprocess.Popen((notify_cmd, 'disown', str(pkgbase_id), str(userid)))
+    subprocess.Popen((notify_cmd, 'disown', str(userid), str(pkgbase_id)))
 
     conn.close()
 
-- 
2.18.0

More information about the aur-dev mailing list