authorGusted <williamzijl7@hotmail.com>2022-06-04 20:10:54 +0000
committerGitHub <noreply@github.com>2022-06-04 21:10:54 +0100
commit744e45218579fe2fd130b91d9fb95ec4becd314d (patch)
treefc63d6616aaf0b1901c0c410c635f66a52f7ff42
parent12c742f8dc25e4148c44d1265d119c35f161bf74 (diff)
downloadgitea-744e45218579fe2fd130b91d9fb95ec4becd314d.tar.gz
gitea-744e45218579fe2fd130b91d9fb95ec4becd314d.zip
Move `/info` outside authorization (#19888)
- Using the web's API to get information about an issue/pull on a repository doesn't require authorization (nor that the repository isn't archived). - Regressed by: #19318 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net>
-rw-r--r--routers/web/repo/issue.go15
-rw-r--r--routers/web/web.go6
2 files changed, 20 insertions, 1 deletions
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 079ccbf6cf..d418907a1f 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1799,6 +1799,21 @@ func GetIssueInfo(ctx *context.Context) {
}
return
}
+
+ if issue.IsPull {
+ // Need to check if Pulls are enabled and we can read Pulls
+ if !ctx.Repo.Repository.CanEnablePulls() || !ctx.Repo.CanRead(unit.TypePullRequests) {
+ ctx.Error(http.StatusNotFound)
+ return
+ }
+ } else {
+ // Need to check if Issues are enabled and we can read Issues
+ if !ctx.Repo.CanRead(unit.TypeIssues) {
+ ctx.Error(http.StatusNotFound)
+ return
+ }
+ }
+
ctx.JSON(http.StatusOK, convert.ToAPIIssue(issue))
}
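Review bot: The read check added before `ctx.JSON` in `GetIssueInfo` is now the only access control on `/info`, and nothing in the hunk says so. It keys on `issue.IsPull` rather than the `{type:issues|pulls}` path segment, so the decision follows the loaded issue whichever path segment was requested. A comment above `if issue.IsPull {` such as `// Authorization is decided by the loaded issue's kind, not the URL type segment; this route has no reader middleware.` would keep a later refactor from moving or dropping it. Returning `http.StatusNotFound` for an unreadable unit only hides existence if the lookup-failure branch above, which starts outside this hunk, also answers 404, so that is worth confirming. A regression test for an anonymous request against a private repository, and against a repository with the unit disabled, would pin the behaviour.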
diff --git a/routers/web/web.go b/routers/web/web.go
index 1e550286f9..3e837c62d0 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -835,6 +835,11 @@ func RegisterRoutes(m *web.Route) {
m.Combo("/compare/*", repo.MustBeNotEmpty, reqRepoCodeReader, repo.SetEditorconfigIfExists).
Get(ignSignIn, repo.SetDiffViewStyle, repo.SetWhitespaceBehavior, repo.CompareDiff).
Post(reqSignIn, context.RepoMustNotBeArchived(), reqRepoPullsReader, repo.MustAllowPulls, bindIgnErr(forms.CreateIssueForm{}), repo.SetWhitespaceBehavior, repo.CompareAndPullRequestPost)
+ m.Group("/{type:issues|pulls}", func() {
+ m.Group("/{index}", func() {
+ m.Get("/info", repo.GetIssueInfo)
+ })
+ })
}, context.RepoAssignment, context.UnitTypes())
// Grouping for those endpoints that do require authentication
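Review bot: The new `m.Get("/info", repo.GetIssueInfo)` registration carries no sign-in middleware, while the `/compare/*` route in the same group passes `ignSignIn` explicitly on its `Get`. `ignSignIn` is defined outside this hunk; if it is what applies the instance-wide "sign-in required to view" setting, then `/info` would answer anonymous requests for public repositories on instances that have that setting enabled. Unless the enclosing group already applies it elsewhere, consider `m.Get("/info", ignSignIn, repo.GetIssueInfo)`. A short comment on the route noting that the unit read check lives in the handler would also help, since every other access decision in this group is visible as middleware.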
@@ -851,7 +856,6 @@ func RegisterRoutes(m *web.Route) {
// So they can apply their own enable/disable logic on routers.
m.Group("/{type:issues|pulls}", func() {
m.Group("/{index}", func() {
- m.Get("/info", repo.GetIssueInfo)
m.Post("/title", repo.UpdateIssueTitle)
m.Post("/content", repo.UpdateIssueContent)
m.Post("/deadline", bindIgnErr(structs.EditDeadlineOption{}), repo.UpdateIssueDeadline)