Only allow returned deleted branche to be on repo (#17570)

- This will only allow `GetDeletedBranchByID` to return deletedBranch
which are on the repo, and thus don't return a deletedBranch from
another repo.
- This just should prevent possible bugs in the futher when a code is
passing the wrong ID into this function.

diff --git a/models/branches.go b/models/branches.go
index 3c62c7a87bd830b4219ea9073c7d7010e1c36fd4..caca9e23fee7d91ea2cfcdcb3e7a3651d59fb07c 100644 (file)
--- a/models/branches.go
+++ b/models/branches.go
@@ -536,7 +536,7 @@ func (repo *Repository) GetDeletedBranches() ([]*DeletedBranch, error) {
 // GetDeletedBranchByID get a deleted branch by its ID
 func (repo *Repository) GetDeletedBranchByID(id int64) (*DeletedBranch, error) {
        deletedBranch := &DeletedBranch{}
-       has, err := db.GetEngine(db.DefaultContext).ID(id).Get(deletedBranch)
+       has, err := db.GetEngine(db.DefaultContext).Where("repo_id = ?", repo.ID).And("id = ?", id).Get(deletedBranch)
        if err != nil {
                return nil, err
        }

diff --git a/models/branches_test.go b/models/branches_test.go
index f1dcfecfa8be2835bca493fd8a16c59273ea794c..e9a32666f9da2f1c654e2629e29ede5708561083 100644 (file)
--- a/models/branches_test.go
+++ b/models/branches_test.go
@@ -128,3 +128,28 @@ func TestRenameBranch(t *testing.T) {
                BranchName: "main",
        })
 }
+
+func TestOnlyGetDeletedBranchOnCorrectRepo(t *testing.T) {
+       assert.NoError(t, db.PrepareTestDatabase())
+
+       // Get deletedBranch with ID of 1 on repo with ID 2.
+       // This should return a nil branch as this deleted branch
+       // is actually on repo with ID 1.
+       repo2 := db.AssertExistsAndLoadBean(t, &Repository{ID: 2}).(*Repository)
+
+       deletedBranch, err := repo2.GetDeletedBranchByID(1)
+
+       // Expect no error, and the returned branch is nil.
+       assert.NoError(t, err)
+       assert.Nil(t, deletedBranch)
+
+       // Now get the deletedBranch with ID of 1 on repo with ID 1.
+       // This should return the deletedBranch.
+       repo1 := db.AssertExistsAndLoadBean(t, &Repository{ID: 1}).(*Repository)
+
+       deletedBranch, err = repo1.GetDeletedBranchByID(1)
+
+       // Expect no error, and the returned branch to be not nil.
+       assert.NoError(t, err)
+       assert.NotNil(t, deletedBranch)
+}