oss/forgejo
oss/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-09-15 18:56:59 +00:00
Code Wiki Activity

fix(sec): web route update and delete runner variables

Browse source 
The web route to update and delete variables of runners did not check if
the ID that was given belonged to the context it was requested in, this
made it possible to update and delete every existing runner variable of
a instance for any authenticated user.

The code has been reworked to always take into account the context of
the request (owner and repository ID).
This commit is contained in:
Gusted 2025-01-25 09:26:50 +01:00 committed by Earl Warren
parent c324910c31
commit 77db7655e0
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
8 changed files with 34 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

1
options/locale/locale_en-US.ini
View file

@ -3894,6 +3894,7 @@ variables.deletion.description = Removing a variable is permanent and cannot be
variables.description = Variables will be passed to certain actions and cannot be read otherwise.
variables.id_not_exist = Variable with ID %d does not exist.
variables.edit = Edit Variable
variables.not_found = Failed to find the variable.
variables.deletion.failed = Failed to remove variable.
variables.deletion.success = The variable has been removed.
variables.creation.failed = Failed to add variable.