Only delete secrets belonging to its owner (#24284)

KN4CK3R · web-flow · commit b3e849d1d657 · 2023-04-23T21:35:14.000+08:00
diff --git a/routers/web/org/setting_secrets.go b/routers/web/org/setting_secrets.go
@@ -43,6 +43,8 @@ func SecretsPost(ctx *context.Context) {
 func SecretsDelete(ctx *context.Context) {
 	shared.PerformSecretsDelete(
 		ctx,
+		ctx.ContextUser.ID,
+		0,
 		ctx.Org.OrgLink+"/settings/secrets",
 	)
 }
diff --git a/routers/web/repo/setting_secrets.go b/routers/web/repo/setting_secrets.go
@@ -41,6 +41,8 @@ func SecretsPost(ctx *context.Context) {
 func DeleteSecret(ctx *context.Context) {
 	shared.PerformSecretsDelete(
 		ctx,
+		0,
+		ctx.Repo.Repository.ID,
 		ctx.Repo.RepoLink+"/settings/secrets",
 	)
 }
diff --git a/routers/web/shared/secrets/secrets.go b/routers/web/shared/secrets/secrets.go
@@ -38,10 +38,10 @@ func PerformSecretsPost(ctx *context.Context, ownerID, repoID int64, redirectURL
 	ctx.Redirect(redirectURL)
 }
 
-func PerformSecretsDelete(ctx *context.Context, redirectURL string) {
+func PerformSecretsDelete(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
 	id := ctx.FormInt64("id")
 
-	if _, err := db.DeleteByBean(ctx, &secret_model.Secret{ID: id}); err != nil {
+	if _, err := db.DeleteByBean(ctx, &secret_model.Secret{ID: id, OwnerID: ownerID, RepoID: repoID}); err != nil {
 		log.Error("Delete secret %d failed: %v", id, err)
 		ctx.Flash.Error(ctx.Tr("secrets.deletion.failed"))
 	} else {
diff --git a/routers/web/user/setting/secrets.go b/routers/web/user/setting/secrets.go
@@ -40,6 +40,8 @@ func SecretsPost(ctx *context.Context) {
 func SecretsDelete(ctx *context.Context) {
 	shared.PerformSecretsDelete(
 		ctx,
+		ctx.Doer.ID,
+		0,
 		setting.AppSubURL+"/user/settings/secrets",
 	)
 }

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,8 @@ func SecretsPost(ctx *context.Context) {`
`43`	`43`	`func SecretsDelete(ctx *context.Context) {`
`44`	`44`	`shared.PerformSecretsDelete(`
`45`	`45`	`ctx,`
	`46`	`+ ctx.ContextUser.ID,`
	`47`	`+ 0,`
`46`	`48`	`ctx.Org.OrgLink+"/settings/secrets",`
`47`	`49`	`)`
`48`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,8 @@ func SecretsPost(ctx *context.Context) {`
`41`	`41`	`func DeleteSecret(ctx *context.Context) {`
`42`	`42`	`shared.PerformSecretsDelete(`
`43`	`43`	`ctx,`
	`44`	`+ 0,`
	`45`	`+ ctx.Repo.Repository.ID,`
`44`	`46`	`ctx.Repo.RepoLink+"/settings/secrets",`
`45`	`47`	`)`
`46`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,8 @@ func SecretsPost(ctx *context.Context) {`
`40`	`40`	`func SecretsDelete(ctx *context.Context) {`
`41`	`41`	`shared.PerformSecretsDelete(`
`42`	`42`	`ctx,`
	`43`	`+ ctx.Doer.ID,`
	`44`	`+ 0,`
`43`	`45`	`setting.AppSubURL+"/user/settings/secrets",`
`44`	`46`	`)`
`45`	`47`	`}`