author | zeripath <art27@cantab.net> | 2021-03-12 17:45:49 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-12 18:45:49 +0100 |
commit | 42b9b46ad22840966ecac70ae4e319c49fda3d7e (patch) | |
tree | 783581b00b102d6795a57f0c07dac6bd18f42b0e /models/issue_label.go | |
parent | ccfb205ad126ac6fa3490e43a8075947e05a731a (diff) | |
download | gitea-42b9b46ad22840966ecac70ae4e319c49fda3d7e.tar.gz gitea-42b9b46ad22840966ecac70ae4e319c49fda3d7e.zip |
Never add labels not from this repository or organisation and remove org labels on transfer (#14928)
* Never add labels not from this repository or organisation and remove org labels on transfer
Prevent the addition of labels from outside of the repository or
organisation and remove organisation labels on transfer.
Related #14908
* switch to use sql
* subquery alias
* once more around the merry go round
* fix api problem
Diffstat (limited to 'models/issue_label.go')
-rw-r--r-- | models/issue_label.go | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/models/issue_label.go b/models/issue_label.go
index 54b286fe7e..1b5cfd88d5 100644
--- a/models/issue_label.go
+++ b/models/issue_label.go
@@ -321,7 +321,7 @@ func GetLabelsByIDs(labelIDs []int64) ([]*Label, error) {
 return labels, x.Table("label").
 In("id", labelIDs).
 Asc("name").
- Cols("id").
+ Cols("id", "repo_id", "org_id").
 Find(&labels)
 }
 
@@ -632,6 +632,8 @@ func HasIssueLabel(issueID, labelID int64) bool {
 return hasIssueLabel(x, issueID, labelID)
 }
 
+// newIssueLabel this function creates a new label it does not check if the label is valid for the issue
+// YOU MUST CHECK THIS BEFORE THIS FUNCTION
 func newIssueLabel(e *xorm.Session, issue *Issue, label *Label, doer *User) (err error) {
 if _, err = e.Insert(&IssueLabel{
 IssueID: issue.ID,
@@ -671,6 +673,15 @@ func NewIssueLabel(issue *Issue, label *Label, doer *User) (err error) {
 return err
 }
 
+ if err = issue.loadRepo(sess); err != nil {
+ return err
+ }
+
+ // Do NOT add invalid labels
+ if issue.RepoID != label.RepoID && issue.Repo.OwnerID != label.OrgID {
+ return nil
+ }
+
 if err = newIssueLabel(sess, issue, label, doer); err != nil {
 return err
 }
@@ -683,13 +694,19 @@ func NewIssueLabel(issue *Issue, label *Label, doer *User) (err error) {
 return sess.Commit()
 }
 
+// newIssueLabels add labels to an issue. It will check if the labels are valid for the issue
 func newIssueLabels(e *xorm.Session, issue *Issue, labels []*Label, doer *User) (err error) {
- for i := range labels {
- if hasIssueLabel(e, issue.ID, labels[i].ID) {
+ if err = issue.loadRepo(e); err != nil {
+ return err
+ }
+ for _, label := range labels {
+ // Don't add already present labels and invalid labels
+ if hasIssueLabel(e, issue.ID, label.ID) ||
+ (label.RepoID != issue.RepoID && label.OrgID != issue.Repo.OwnerID) {
 continue
 }
 
- if err = newIssueLabel(e, issue, labels[i], doer); err != nil {
+ if err = newIssueLabel(e, issue, label, doer); err != nil {
 return fmt.Errorf("newIssueLabel: %v", err)
 }
 }
|
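Review bot: The column list in `GetLabelsByIDs` is now load-bearing for the ownership checks added further down in this diff, and nothing at the call says so. Those checks read `label.RepoID` and `label.OrgID`, so a later edit that trims `Cols(...)` back to `id` would leave both fields at zero; with the checks as written that appears to reject every label rather than admit foreign ones, but it would be a confusing failure to track down. A comment above the chain such as `// repo_id and org_id feed the label ownership checks in NewIssueLabel/newIssueLabels; keep them selected` would record the dependency. Whether those callers obtain their labels through this function is not visible here, and the function starts above the hunk.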
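Review bot: The ownership test in `NewIssueLabel` (`issue.RepoID != label.RepoID && issue.Repo.OwnerID != label.OrgID`) is written a second time, with the operands swapped, in `newIssueLabels` in the next hunk, and both copies treat a zero ID as a real one. A repository label presumably carries no org ID and an organisation label no repo ID, so any path that reaches the check with an unset `issue.RepoID` or `OwnerID` would compare 0 with 0 and accept the label. Moving the rule into one helper that ignores zero IDs keeps the two call sites from drifting apart and makes the check fail closed. The function begins and ends outside this hunk.

```go
// labelBelongsToIssue reports whether label is owned by the issue's repository
// or by the owner of that repository. issue.Repo must already be loaded.
func labelBelongsToIssue(issue *Issue, label *Label) bool {
	if label.RepoID != 0 && label.RepoID == issue.RepoID {
		return true
	}
	return label.OrgID != 0 && label.OrgID == issue.Repo.OwnerID
}

// … unchanged: session setup and issue.loadRepo(sess) in NewIssueLabel …
	// Do NOT add invalid labels
	if !labelBelongsToIssue(issue, label) {
		return nil
	}
```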
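Review bot: A label rejected by the new check in `newIssueLabels` is dropped with `continue`, and `NewIssueLabel` in the previous hunk returns `nil` for the same case, so the caller sees success and nothing records that a foreign label was requested. The doc comment added here says the labels are checked but not what happens to the ones that fail; `// newIssueLabels adds labels to an issue. Labels that are already present, or that belong to another repository or organisation, are skipped without an error.` would state the contract. If these attempts should be visible to operators, the skip branch is the place for a log line, though whether this file has a logger in scope is not shown on the page.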