From 243005725c5cec78d3a51cad9c802e986f37daaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 15:41:10 +0100 Subject: [PATCH 01/16] enforce reqRepoReader(unit.TypeIssues) GET /repos/{owner}/{repo}/issues/pinned (cherry picked from commit 00fad97fc1b27db40a002c9ab3f709d04dc2cdd1) (cherry picked from commit 2bebe443c0d3232c5923ba7d9a099853c76e3bc5) --- routers/api/v1/api.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index 6d55e8c22380c..36db0fd5df8c6 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -1149,7 +1149,7 @@ func Routes(ctx gocontext.Context) *web.Route { m.Group("/issues", func() { m.Combo("").Get(repo.ListIssues). Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue) - m.Get("/pinned", repo.ListPinnedIssues) + m.Get("/pinned", reqRepoReader(unit.TypeIssues), repo.ListPinnedIssues) m.Group("/comments", func() { m.Get("", repo.ListRepoIssueComments) m.Group("/{id}", func() { From 878aac1a6b874920720a56ef39762880fe142d02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 15:42:22 +0100 Subject: [PATCH 02/16] enforce reqRepoReader(unit.TypeIssues) POST /repos/{owner}/{repo}/issues (cherry picked from commit d3db2fa8bc85e9d67f30854bba0a4c1e8b57b015) (cherry picked from commit d09ce1d18465f9b6df31813cbdcd006a137a0147) --- routers/api/v1/api.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index 36db0fd5df8c6..6cb1790f3e385 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go 
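Review bot: Gating `/pinned` on `reqRepoReader(unit.TypeIssues)` alone assumes `ListPinnedIssues` never returns pinned pull requests, and whether it does is not visible here. If it can, a user with pull-request-only read access is now refused while an issues-only reader still sees pinned PRs, so the unit check belongs per item in the handler via `ctx.Repo.CanReadIssuesOrPulls(issue.IsPull)` rather than on the route. If it really is issues-only, a one-line comment on the route, `// pinned list is issues-only, so a single unit check suffices`, would settle the question for the next reader. `Routes` starts and ends outside the hunk.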
@@ -1148,7 +1148,7 @@ func Routes(ctx gocontext.Context) *web.Route { m.Group("/{username}/{reponame}", func() { m.Group("/issues", func() { m.Combo("").Get(repo.ListIssues). - Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue) + Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), reqRepoReader(unit.TypeIssues), repo.CreateIssue) m.Get("/pinned", reqRepoReader(unit.TypeIssues), repo.ListPinnedIssues) m.Group("/comments", func() { m.Get("", repo.ListRepoIssueComments) From 69027eb503bfecbbe5b0288ae69ed1eb172762f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 13:51:33 +0100 Subject: [PATCH 03/16] fix API usage of a PR index in place of issue index and vice versa (cherry picked from commit 7b95266de083c8de0ff224530a9b69e82c52c344) (cherry picked from commit a4b1ae5d84ce7340f6f353033fd18b1c1d42f065) --- models/issues/comment.go | 6 +++++- routers/api/v1/repo/issue.go | 22 +++++++++++++++++++ routers/api/v1/repo/issue_comment.go | 32 ++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) diff --git a/models/issues/comment.go b/models/issues/comment.go index 303c23916ba2a..521becd2a0826 100644 --- a/models/issues/comment.go +++ b/models/issues/comment.go @@ -1014,6 +1014,7 @@ type FindCommentsOptions struct { Type CommentType IssueIDs []int64 Invalidated util.OptionalBool + IsPull util.OptionalBool } // ToConds implements FindOptions interface @@ -1048,6 +1049,9 @@ func (opts *FindCommentsOptions) ToConds() builder.Cond { if !opts.Invalidated.IsNone() { cond = cond.And(builder.Eq{"comment.invalidated": opts.Invalidated.IsTrue()}) } + if opts.IsPull != util.OptionalBoolNone { + cond = cond.And(builder.Eq{"issue.is_pull": opts.IsPull.IsTrue()}) + } return cond } 
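Review bot: The new `reqRepoReader(unit.TypeIssues)` on the POST route runs after `mustNotBeArchived` and `bind(api.CreateIssueOption{})`, so the request body is parsed and validated for callers who are not allowed to see the issues unit at all, and a validation error from `bind` tells them whether their payload was well-formed before they are told the unit is unavailable. Authorization should come before body handling: `Post(reqToken(), reqRepoReader(unit.TypeIssues), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)`. The sibling `m.Get("/pinned", ...)` line already puts the unit check first, so this also makes the two routes consistent. `Routes` starts and ends outside the hunk.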
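Review bot: The new `IsPull` test in `ToConds` is spelled `opts.IsPull != util.OptionalBoolNone` while the `Invalidated` test just above it uses `!opts.Invalidated.IsNone()`; write it the same way, `if !opts.IsPull.IsNone() {`, so the two optional filters read alike. The condition also references `issue.is_pull`, which is only valid when the `issue` table is joined, and nothing on this line says so; a why-comment such as `// needs the issue join, see FindComments` would make that coupling explicit for any other caller of `ToConds`. `ToConds` starts before the hunk.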
@@ -1055,7 +1059,7 @@ func (opts *FindCommentsOptions) ToConds() builder.Cond { func FindComments(ctx context.Context, opts *FindCommentsOptions) (CommentList, error) { comments := make([]*Comment, 0, 10) sess := db.GetEngine(ctx).Where(opts.ToConds()) - if opts.RepoID > 0 { + if opts.RepoID > 0 || opts.IsPull != util.OptionalBoolNone { sess.Join("INNER", "issue", "issue.id = comment.issue_id") } diff --git a/routers/api/v1/repo/issue.go b/routers/api/v1/repo/issue.go index 49252f7a4b49a..8755919f8aa9a 100644 --- a/routers/api/v1/repo/issue.go +++ b/routers/api/v1/repo/issue.go @@ -451,6 +451,24 @@ func ListIssues(ctx *context.APIContext) { isPull = util.OptionalBoolNone } + if isPull != util.OptionalBoolNone && !ctx.Repo.CanWriteIssuesOrPulls(isPull.IsTrue()) { + ctx.NotFound() + return + } + + if isPull == util.OptionalBoolNone { + canReadIssues := ctx.Repo.CanRead(unit.TypeIssues) + canReadPulls := ctx.Repo.CanRead(unit.TypePullRequests) + if !canReadIssues && !canReadPulls { + ctx.NotFound() + return + } else if !canReadIssues { + isPull = util.OptionalBoolTrue + } else if !canReadPulls { + isPull = util.OptionalBoolFalse + } + } + // FIXME: we should be more efficient here createdByID := getUserIDForFilter(ctx, "created_by") if ctx.Written() { @@ -561,6 +579,10 @@ func GetIssue(ctx *context.APIContext) { } return } + if !ctx.Repo.CanReadIssuesOrPulls(issue.IsPull) { + ctx.NotFound() + return + } ctx.JSON(http.StatusOK, convert.ToAPIIssue(ctx, issue)) } diff --git a/routers/api/v1/repo/issue_comment.go b/routers/api/v1/repo/issue_comment.go index c2392126db906..b4b7a3ddd39cd 100644 --- a/routers/api/v1/repo/issue_comment.go +++ b/routers/api/v1/repo/issue_comment.go 
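Review bot: `ToConds` is described as implementing the `FindOptions` interface, so any generic finder or counter that reuses these conditions without the `INNER JOIN issue` added here will emit a query referencing `issue.is_pull` and fail as soon as `IsPull` is set; only `FindComments` is adjusted in this commit. Whether such callers exist is not visible here, but if a count or generic find path shares the options it needs the same join trigger, `if opts.RepoID > 0 || !opts.IsPull.IsNone() {`. A short comment on the join line naming both triggers would help whoever adds the next issue-level filter. `FindComments` continues past the hunk.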
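Review bot: The first new guard in `ListIssues` uses `ctx.Repo.CanWriteIssuesOrPulls(isPull.IsTrue())`, so a read-only collaborator or an anonymous caller on a public repository who passes `type=issues` or `type=pulls` gets a 404 from a plain GET list, while the fallback branch right below correctly narrows on `ctx.Repo.CanRead(...)`. Listing needs read permission only; the line should be `if isPull != util.OptionalBoolNone && !ctx.Repo.CanReadIssuesOrPulls(isPull.IsTrue()) {`. As written the explicit-type path is stricter than the no-type path, an asymmetry that looks unintended. `ListIssues` starts and ends outside the hunk.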
@@ -12,9 +12,11 @@ import ( issues_model "code.gitea.io/gitea/models/issues" access_model "code.gitea.io/gitea/models/perm/access" repo_model "code.gitea.io/gitea/models/repo" + "code.gitea.io/gitea/models/unit" user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/context" api "code.gitea.io/gitea/modules/structs" + "code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/web" "code.gitea.io/gitea/routers/api/v1/utils" "code.gitea.io/gitea/services/convert" @@ -69,6 +71,11 @@ func ListIssueComments(ctx *context.APIContext) { ctx.Error(http.StatusInternalServerError, "GetRawIssueByIndex", err) return } + if !ctx.Repo.CanReadIssuesOrPulls(issue.IsPull) { + ctx.NotFound() + return + } + issue.Repo = ctx.Repo.Repository opts := &issues_model.FindCommentsOptions{ @@ -265,12 +272,27 @@ func ListRepoIssueComments(ctx *context.APIContext) { return } + var isPull util.OptionalBool + canReadIssue := ctx.Repo.CanRead(unit.TypeIssues) + canReadPull := ctx.Repo.CanRead(unit.TypePullRequests) + if canReadIssue && canReadPull { + isPull = util.OptionalBoolNone + } else if canReadIssue { + isPull = util.OptionalBoolFalse + } else if canReadPull { + isPull = util.OptionalBoolTrue + } else { + ctx.NotFound() + return + } + opts := &issues_model.FindCommentsOptions{ ListOptions: utils.GetListOptions(ctx), RepoID: ctx.Repo.Repository.ID, Type: issues_model.CommentTypeComment, Since: since, Before: before, + IsPull: isPull, } comments, err := issues_model.FindComments(ctx, opts) @@ -357,6 +379,11 @@ func CreateIssueComment(ctx *context.APIContext) { return } + if !ctx.Repo.CanReadIssuesOrPulls(issue.IsPull) { + ctx.NotFound() + return + } + if issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) && !ctx.Doer.IsAdmin { ctx.Error(http.StatusForbidden, "CreateIssueComment", errors.New(ctx.Tr("repo.issues.comment_on_locked"))) return 
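Review bot: The read-permission narrowing in `ListRepoIssueComments` duplicates the logic `ListIssues` gains in the same commit (two `CanRead` calls folded into an `isPull` filter), and the Go idiom for this cascade is a bare `switch` rather than four `if`/`else if` branches. A small helper on the context side returning the `util.OptionalBool` and an ok flag would keep the two copies from drifting, and the explicit `isPull = util.OptionalBoolNone` assignment is redundant if `OptionalBoolNone` is the type's zero value, which is not visible here. The `CanReadIssuesOrPulls` guards added to `ListIssueComments` and `CreateIssueComment` in this file look right. All three functions start and end outside their hunks.
```go
	canReadIssue := ctx.Repo.CanRead(unit.TypeIssues)
	canReadPull := ctx.Repo.CanRead(unit.TypePullRequests)
	var isPull util.OptionalBool
	switch {
	case canReadIssue && canReadPull:
		isPull = util.OptionalBoolNone
	case canReadIssue:
		isPull = util.OptionalBoolFalse
	case canReadPull:
		isPull = util.OptionalBoolTrue
	default:
		ctx.NotFound()
		return
	}
	// … unchanged: FindCommentsOptions with IsPull: isPull …
```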
@@ -426,6 +453,11 @@ func GetIssueComment(ctx *context.APIContext) { return } + if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) { + ctx.NotFound() + return + } + if comment.Type != issues_model.CommentTypeComment { ctx.Status(http.StatusNoContent) return From 3beddaf28a8d85a5247907911f515a8f59e07a32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 14:49:43 +0100 Subject: [PATCH 04/16] fix PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id} (cherry picked from commit 51c280e877765efe721e607aa95bcbb5aef364e0) (cherry picked from commit 46b3f76f3ef7146dd5ec965e7baf0d4683b3e436) --- routers/api/v1/repo/issue_comment.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/routers/api/v1/repo/issue_comment.go b/routers/api/v1/repo/issue_comment.go index b4b7a3ddd39cd..9422f6e0af056 100644 --- a/routers/api/v1/repo/issue_comment.go +++ b/routers/api/v1/repo/issue_comment.go @@ -576,7 +576,17 @@ func editIssueComment(ctx *context.APIContext, form api.EditIssueCommentOption) return } - if !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.IsAdmin()) { + if err := comment.LoadIssue(ctx); err != nil { + ctx.Error(http.StatusInternalServerError, "LoadIssue", err) + return + } + + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.Status(http.StatusNotFound) + return + } + + if !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull)) { ctx.Status(http.StatusForbidden) return } From 7908752326210f0749a8e5d50718b29a4c83244c Mon Sep 17 00:00:00 2001 
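Review bot: The new `CanReadIssuesOrPulls(comment.Issue.IsPull)` guard in `GetIssueComment` decides on the unit alone; unlike the sibling handlers in this series, no `comment.Issue.RepoID != ctx.Repo.Repository.ID` comparison appears in the hunk. If that comparison and the `LoadIssue` call are not already above the hunk, a comment ID from another repository is still served through this route, and the guard should be preceded by `if comment.Issue.RepoID != ctx.Repo.Repository.ID { ctx.NotFound(); return }`. `GetIssueComment` starts and ends outside the hunk.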
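Review bot: In `editIssueComment` the poster branch (`ctx.Doer.ID == comment.PosterID`) still bypasses the unit check entirely: a user who authored the comment but can no longer read the issues or pull-requests unit can still edit it, whereas `changeIssueCommentReaction` in this same series adds an explicit read check after the repo-ID comparison. Add `if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) { ctx.NotFound(); return }` between the repo-ID guard and the ownership test. The repo mismatch here answers with `ctx.Status(http.StatusNotFound)` while the API handlers elsewhere in the series use `ctx.NotFound()`; pick one so probes for foreign comment IDs get an identical response. `editIssueComment` starts and ends outside the hunk.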
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 15:14:32 +0100 Subject: [PATCH 05/16] fix {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions (cherry picked from commit f499075c53752f983c6e4f8af17c449926ba94d9) (cherry picked from commit 15c4a823ae00ed10af38b32cd25eb1f4adbff33b) --- routers/api/v1/repo/issue_reaction.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/routers/api/v1/repo/issue_reaction.go b/routers/api/v1/repo/issue_reaction.go index 921f6e53f9c00..3c59d5e6d6b31 100644 --- a/routers/api/v1/repo/issue_reaction.go +++ b/routers/api/v1/repo/issue_reaction.go @@ -184,9 +184,19 @@ func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp return } - err = comment.LoadIssue(ctx) - if err != nil { + if err = comment.LoadIssue(ctx); err != nil { ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err) + return + } + + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound() + return + } + + if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) { + ctx.NotFound() + return } if comment.Issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull) { From 8ee5c30028c775c4dfeb92e8f90416718aa5e82d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 15:19:12 +0100 Subject: [PATCH 06/16] fix GET /repos/{owner}/{repo}/issues/comments/{id}/reactions (cherry picked from commit a146e3d0f9ff8ac1aee4be8a3632c76b35fc3482) (cherry picked from commit 87850fb29781a17a0b1ea13fbcb23fec166d0936) --- routers/api/v1/repo/issue_reaction.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/routers/api/v1/repo/issue_reaction.go b/routers/api/v1/repo/issue_reaction.go index 3c59d5e6d6b31..00cf79f08686a 100644 --- a/routers/api/v1/repo/issue_reaction.go +++ b/routers/api/v1/repo/issue_reaction.go 
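Review bot: The two new guards in `changeIssueCommentReaction` both end in `ctx.NotFound()` and express one question, whether this comment is visible in this repository, so they read better as a single condition: `if comment.Issue.RepoID != ctx.Repo.Repository.ID || !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) {`. The rewritten `if err = comment.LoadIssue(ctx); err != nil` assigns to the outer `err` rather than shadowing it, which is the right choice here. The lock check that follows still uses `CanWriteIssuesOrPulls`, which is correct for reacting on a locked thread. `changeIssueCommentReaction` starts and ends outside the hunk.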
@@ -59,6 +59,12 @@ func GetIssueCommentReactions(ctx *context.APIContext) { if err := comment.LoadIssue(ctx); err != nil { ctx.Error(http.StatusInternalServerError, "comment.LoadIssue", err) + return + } + + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound() + return } if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) { From e0aecb1825dfff063dc11a35ac3bb9cac3c1ae6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 15:31:34 +0100 Subject: [PATCH 07/16] fix DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id} (cherry picked from commit 521eed2312f45bef7de28c9c03c04257862a453c) (cherry picked from commit 5d04e9f31430db6f8af8d16b76556d807e595396) --- routers/api/v1/repo/issue_comment.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/routers/api/v1/repo/issue_comment.go b/routers/api/v1/repo/issue_comment.go index 9422f6e0af056..a898d1ecf0bba 100644 --- a/routers/api/v1/repo/issue_comment.go +++ b/routers/api/v1/repo/issue_comment.go @@ -689,7 +689,17 @@ func deleteIssueComment(ctx *context.APIContext) { return } - if !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.IsAdmin()) { + if err := comment.LoadIssue(ctx); err != nil { + ctx.Error(http.StatusInternalServerError, "LoadIssue", err) + return + } + + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.Status(http.StatusNotFound) + return + } + + if !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull)) { ctx.Status(http.StatusForbidden) return } else if comment.Type != issues_model.CommentTypeComment { From 6b54fb2ef7a18dab12a680684f87832ad844be80 Mon Sep 17 00:00:00 2001 
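Review bot: `deleteIssueComment` still lets a comment's author delete it without any unit permission check: the `ctx.Doer.ID != comment.PosterID` short-circuit skips `CanWriteIssuesOrPulls`, and no `CanReadIssuesOrPulls` guard is added, unlike `changeIssueCommentReaction` earlier in the series. Insert `if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) { ctx.NotFound(); return }` directly after the repo-ID comparison. The repo-ID mismatch also replies with `ctx.Status(http.StatusNotFound)` where the `GetIssueCommentReactions` hunk just above uses `ctx.NotFound()`; the same probe should not be distinguishable by endpoint. `deleteIssueComment` starts and ends outside the hunk.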
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 16:41:34 +0100 Subject: [PATCH 08/16] fix POST /{owner}/{repo}/comments/{id}/delete (cherry picked from commit 1b57d8493882d9d659164acd3b4a5a99c769d8ed) (cherry picked from commit 2b56c0c93f8f502a6988a7550f7ed210b3955fb4) --- routers/web/repo/issue.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go index f629a90476aab..81a195f5f4620 100644 --- a/routers/web/repo/issue.go +++ b/routers/web/repo/issue.go @@ -3034,6 +3034,11 @@ func DeleteComment(ctx *context.Context) { return } + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{}) + return + } + if !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull)) { ctx.Error(http.StatusForbidden) return From c56e556c64a56ae5dfad064864956cf1963b738b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 17:00:30 +0100 Subject: [PATCH 09/16] fix POST /{owner}/{repo}/comments/{id} (cherry picked from commit 385a1f337462bec34ccc389d4efe21e3b2be8465) (cherry picked from commit b43e14de818d67a090c292e6068791350237ac94) --- routers/web/repo/issue.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go index 81a195f5f4620..bf0da8e121b4d 100644 --- a/routers/web/repo/issue.go +++ b/routers/web/repo/issue.go @@ -2968,6 +2968,11 @@ func UpdateCommentContent(ctx *context.Context) { return } + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{}) + return + } + if !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull)) { ctx.Error(http.StatusForbidden) return From de95474eff8fad2f3911545f45026c193c91c8be Mon Sep 17 00:00:00 2001 
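Review bot: The repo-ID guard added to `DeleteComment` is the same three lines added to `UpdateCommentContent` in the next commit and to several other comment handlers in this series; a helper on the web side would make it a one-liner, `if !checkCommentRepo(ctx, comment) { return }`, and hard to forget in the next handler. The guard relies on `comment.Issue` already being loaded, which the existing `comment.Issue.IsPull` use on the following line supports. `issues_model.ErrCommentNotExist{}` is passed with no fields, so if the type carries an ID the rendered message will show zero; populating it from `comment.ID` is cheap if such a field exists. `DeleteComment` starts and ends outside the hunk.
```go
// checkCommentRepo replies 404 and returns false when comment does not belong
// to the repository of the current route; comment.Issue must already be loaded.
func checkCommentRepo(ctx *context.Context, comment *issues_model.Comment) bool {
	if comment.Issue.RepoID != ctx.Repo.Repository.ID {
		ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
		return false
	}
	return true
}
```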
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Thu, 2 Nov 2023 17:03:48 +0100 Subject: [PATCH 10/16] fix POST /{owner}/{repo}/comments/{id}/reactions/{action} (cherry picked from commit 21d4556cbeb9d0f825398114ba3a4816f331315b) (cherry picked from commit b8edf1b7c8557a8336125b0e08b263ec51cf9188) --- routers/web/repo/issue.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go index bf0da8e121b4d..b8c0a3731e117 100644 --- a/routers/web/repo/issue.go +++ b/routers/web/repo/issue.go @@ -3170,6 +3170,11 @@ func ChangeCommentReaction(ctx *context.Context) { return } + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{}) + return + } + if !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull)) { if log.IsTrace() { if ctx.IsSigned { From 95236f2e2c8c5b7ff7a4cf4bb463814dd075436d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Sun, 12 Nov 2023 13:00:51 +0100 Subject: [PATCH 11/16] fix GET /{owner}/{repo}/comments/{id}/attachments (cherry picked from commit aed193ef9f5d59aed12cfd7518765d5598c7999f) (cherry picked from commit c6b84c771a8070b83c582be8d7a7f4d3219e4617) --- routers/web/repo/issue.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go index b8c0a3731e117..a8d88a2fd51cf 100644 --- a/routers/web/repo/issue.go +++ b/routers/web/repo/issue.go 
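Review bot: In `ChangeCommentReaction` the new repo-ID guard is followed by the pre-existing test `ctx.Doer.ID != comment.PosterID && !ctx.Repo.CanReadIssuesOrPulls(...)`, which lets the comment's author react even when they can no longer read the unit; a read check should not be waived by authorship. Drop the poster clause so the line reads `if !ctx.IsSigned || !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) {`. The mismatch error `issues_model.ErrCommentNotExist{}` matches the other web handlers in the series. `ChangeCommentReaction` starts and ends outside the hunk.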
@@ -3318,6 +3318,16 @@ func GetCommentAttachments(ctx *context.Context) { return } + if err := comment.LoadIssue(ctx); err != nil { + ctx.NotFoundOrServerError("LoadIssue", issues_model.IsErrIssueNotExist, err) + return + } + + if comment.Issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{}) + return + } + if !comment.Type.HasAttachmentSupport() { ctx.ServerError("GetCommentAttachments", fmt.Errorf("comment type %v does not support attachments", comment.Type)) return From 655bac15eb507c831fa23faff4e71075c8b45029 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Sun, 12 Nov 2023 18:24:56 +0100 Subject: [PATCH 12/16] fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete (cherry picked from commit a11d82a42729eba02032310f7778a9197f4f8ead) (cherry picked from commit 208abc79c8f1eddea36a80df52db9a5ead795ad4) --- routers/web/repo/issue_content_history.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/routers/web/repo/issue_content_history.go b/routers/web/repo/issue_content_history.go index 3dd7725c21506..23255e774f6f3 100644 --- a/routers/web/repo/issue_content_history.go +++ b/routers/web/repo/issue_content_history.go @@ -194,11 +194,19 @@ func SoftDeleteContentHistory(ctx *context.Context) { log.Error("can not get comment for issue content history %v. err=%v", historyID, err) return } + if comment.IssueID != issue.ID { + ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{}) + return + } } if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil { log.Error("can not get issue content history %v. err=%v", historyID, err) return } + if history.IssueID != issue.ID { + ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{}) + return + } canSoftDelete := canSoftDeleteContentHistory(ctx, issue, comment, history) if !canSoftDelete { From 7425fa52322a683528f6ad382ca3fb04b0cfad01 Mon Sep 17 00:00:00 2001 
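Review bot: `GetCommentAttachments` gains the repo-ID comparison but no unit check: nothing in the hunk asks `ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull)`, so a user with issues-only read access can list attachments on a pull-request comment, and vice versa, unless the route is gated upstream, which is not visible here. The issue is now loaded, so the check is one line after the repo guard: `if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) { ctx.NotFound("CanReadIssuesOrPulls", issues_model.ErrCommentNotExist{}); return }`. `ctx.NotFoundOrServerError("LoadIssue", issues_model.IsErrIssueNotExist, err)` is the right shape for the load failure. `GetCommentAttachments` starts and ends outside the hunk.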
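Review bot: Both new guards in `SoftDeleteContentHistory` compare issue IDs, not repository IDs, yet are labelled `"CompareRepoID"`, and the history mismatch is reported as `issues_model.ErrCommentNotExist{}` although no comment is involved; label them `"CompareIssueID"` and use the content-history not-found error for the second one if the package has it (an `ErrIssueNotExist` type is referenced elsewhere in this series, so that is available as a fallback). When `comment` is non-nil the hunk checks `comment.IssueID` and `history.IssueID` against the issue independently but never that `history` belongs to `comment`; if the history row carries a `CommentID`, adding `history.CommentID != comment.ID` to the rejection would stop a history ID from a different comment on the same issue being deleted through this comment's URL, unless `canSoftDeleteContentHistory` already does that, which is not visible here. `SoftDeleteContentHistory` starts and ends outside the hunk.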
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Sun, 12 Nov 2023 18:45:40 +0100 Subject: [PATCH 13/16] fix GET /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/detail (cherry picked from commit 0853dec293dd632a03948f66af69e75dd582a92d) (cherry picked from commit bfb3dece737a03cdb81d791bf1af6d1b29a78999) --- routers/web/repo/issue_content_history.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/routers/web/repo/issue_content_history.go b/routers/web/repo/issue_content_history.go index 23255e774f6f3..bc0945c9d1314 100644 --- a/routers/web/repo/issue_content_history.go +++ b/routers/web/repo/issue_content_history.go @@ -125,6 +125,10 @@ func GetContentHistoryDetail(ctx *context.Context) { }) return } + if history.IssueID != issue.ID { + ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{}) + return + } // get the related comment if this history revision is for a comment, otherwise the history revision is for an issue. var comment *issues_model.Comment From 314e68acfa1749cadca8b25204a8b505802d9808 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Sun, 12 Nov 2023 20:02:07 +0100 Subject: [PATCH 14/16] fix POST /{username}/{reponame}/{tags,release}/delete (cherry picked from commit a6d2ad6310f754952998fd73118da9f91c563145) (cherry picked from commit fc7d68e3adfd257de92df389448d68fe9c1ca235) --- routers/web/repo/release.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/routers/web/repo/release.go b/routers/web/repo/release.go index 8dc78079e21cf..7adb22667e247 100644 --- a/routers/web/repo/release.go +++ b/routers/web/repo/release.go 
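Review bot: The guard in `GetContentHistoryDetail` rejects a history row from another issue but labels it `"CompareRepoID"` and reports `issues_model.ErrCommentNotExist{}`, neither of which names what was compared; use `ctx.NotFound("CompareIssueID", ...)` with the content-history or issue not-found error so logs and the 404 point at the right object. A one-line comment above the guard, `// history IDs are global; refuse rows that belong to another issue`, says why a check that looks redundant with the route is needed. `GetContentHistoryDetail` starts and ends outside the hunk.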
@@ -592,7 +592,17 @@ func DeleteTag(ctx *context.Context) { } func deleteReleaseOrTag(ctx *context.Context, isDelTag bool) { - if err := releaseservice.DeleteReleaseByID(ctx, ctx.FormInt64("id"), ctx.Doer, isDelTag); err != nil { + id := ctx.FormInt64("id") + rel, err := repo_model.GetReleaseByID(ctx, id) + if err != nil { + ctx.ServerError("GetRelease", err) + return + } + if ctx.Repo.Repository.ID != rel.RepoID { + ctx.NotFound("CompareRepoID", repo_model.ErrReleaseNotExist{}) + return + } + if err := releaseservice.DeleteReleaseByID(ctx, id, ctx.Doer, isDelTag); err != nil { if models.IsErrProtectedTagName(err) { ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected")) } else { From c800bd0de58f49e30f71ef7b9c67e2f0ae871f6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Sun, 12 Nov 2023 22:45:59 +0100 Subject: [PATCH 15/16] fix GET /api/v1/repos/{owner}/{repo}/keys/{id} (cherry picked from commit 768238d9f9982e99ad4cbf3942d2d2db5126a150) Conflicts: routers/api/v1/repo/key.go trivial context conflict (cherry picked from commit 1fbd0f41bccaa8e5f85eea350a9131bd25d7ed41) --- routers/api/v1/repo/key.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/routers/api/v1/repo/key.go b/routers/api/v1/repo/key.go index 824880880a014..4d25df910820a 100644 --- a/routers/api/v1/repo/key.go +++ b/routers/api/v1/repo/key.go @@ -155,6 +155,11 @@ func GetDeployKey(ctx *context.APIContext) { return } + if key.RepoID != ctx.Repo.Repository.ID { + ctx.Status(http.StatusNotFound) + return + } + if err = key.GetContent(); err != nil { ctx.Error(http.StatusInternalServerError, "GetContent", err) return From 1016ea68427ba22ae8f94a0f7cc900e7ccd5a069 Mon Sep 17 00:00:00 2001 
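Review bot: `deleteReleaseOrTag` turns every `GetReleaseByID` failure into `ctx.ServerError`, so a request with a non-existent `id`, the very probe the new repo-ID comparison defends against, now yields a 500 and a server-side error log instead of the 404 the mismatch case returns. Distinguish not-found first, `if repo_model.IsErrReleaseNotExist(err) { ctx.NotFound("GetReleaseByID", err); return }` (the `ErrReleaseNotExist` type is used two lines below, so the predicate should exist), and keep `ServerError` for the rest. The release is fetched only to compare `rel.RepoID` and `DeleteReleaseByID` then looks it up again by ID; if the service has a variant taking the loaded release, passing `rel` removes the double lookup and the gap between check and use. `deleteReleaseOrTag` continues past the hunk.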
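Review bot: The repo-ID mismatch in `GetDeployKey` answers with `ctx.Status(http.StatusNotFound)`, a bare status with no body, whereas the API handlers fixed in this series answer `ctx.NotFound()`; if the not-found branch above the hunk uses `ctx.NotFound()` too, a caller can tell a foreign key ID from a nonexistent one by which form comes back. Use `ctx.NotFound()` here as well. A comment on the guard, `// deploy keys are looked up by global ID; make sure this one belongs to the route's repo`, explains why a check that looks redundant with the route is needed. `GetDeployKey` starts and ends outside the hunk.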
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Mon, 20 Nov 2023 16:34:19 +0100 Subject: [PATCH 16/16] fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin (cherry picked from commit 7eda733ed6a22c08a85fdc90deec0c440427cef7) (cherry picked from commit d1e5007866d28cc940644de3f693729dbe0b9602) --- routers/web/repo/issue_pin.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/routers/web/repo/issue_pin.go b/routers/web/repo/issue_pin.go index bbfeaee6e8523..977744b52dbd1 100644 --- a/routers/web/repo/issue_pin.go +++ b/routers/web/repo/issue_pin.go @@ -89,6 +89,10 @@ func IssuePinMove(ctx *context.Context) { log.Error(err.Error()) return } + if issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{}) + return + } err = issue.MovePin(ctx, form.Position) if err != nil {
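Review bot: The new repo-ID guard in `IssuePinMove` reports `issues_model.ErrCommentNotExist{}` although what failed to match is an issue, not a comment; the package has an issue not-found type (`IsErrIssueNotExist` is used elsewhere in this series), so `ctx.NotFound("CompareRepoID", issues_model.ErrIssueNotExist{})` names the right object. The error branch just above it appears to log and return without writing any status, which is unchanged by this commit but worth a follow-up so a failed lookup does not fall through as a silent 200. `IssuePinMove` starts and ends outside the hunk.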