oss/forgejo
oss/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-09-15 18:56:59 +00:00
Code Wiki Activity

Fix comment permissions (#28213) (#28216)

Browse source 
backport #28213

This PR will fix some missed checks for private repositories' data on
web routes and API routes.

(cherry picked from commit bc3d8bff73)
This commit is contained in:
Lunny Xiao 2023-11-26 07:43:23 +08:00 committed by Earl Warren
parent 29556fafb5
commit f4310d74ee
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
39 changed files with 439 additions and 127 deletions
Download patch file Download diff file Expand all files Collapse all files

22
routers/api/v1/repo/issue.go
View file

@ -463,6 +463,24 @@ func ListIssues(ctx *context.APIContext) {
isPull = util.OptionalBoolNone
}
if isPull != util.OptionalBoolNone && !ctx.Repo.CanReadIssuesOrPulls(isPull.IsTrue()) {
ctx.NotFound()
return
}
if isPull == util.OptionalBoolNone {
canReadIssues := ctx.Repo.CanRead(unit.TypeIssues)
canReadPulls := ctx.Repo.CanRead(unit.TypePullRequests)
if !canReadIssues && !canReadPulls {
ctx.NotFound()
return
} else if !canReadIssues {
isPull = util.OptionalBoolTrue
} else if !canReadPulls {
isPull = util.OptionalBoolFalse
}
}
// FIXME: we should be more efficient here
createdByID := getUserIDForFilter(ctx, "created_by")
if ctx.Written() {
@ -594,6 +612,10 @@ func GetIssue(ctx *context.APIContext) {
}
return
}
if !ctx.Repo.CanReadIssuesOrPulls(issue.IsPull) {
ctx.NotFound()
return
}
ctx.JSON(http.StatusOK, convert.ToAPIIssue(ctx, issue))
}