authorLunny Xiao <xiaolunwen@gmail.com>2016-12-16 19:42:39 +0800
committerGitHub <noreply@github.com>2016-12-16 19:42:39 +0800
commit15c3d14d554f95423ea34ceeb0dc91bc479861f2 (patch)
tree5963a8a2aa6f85711ba7a3022e4651ffd85cca63 /models/release.go
parent8aeeed0a2387523173452f1e26f0637f390a3daf (diff)
fixed vulnerabilities on deleting release (#399)
Diffstat (limited to 'models/release.go')
-rw-r--r--models/release.go9
1 files changed, 8 insertions, 1 deletions
diff --git a/models/release.go b/models/release.go
index c047b2f557..41fd145bea 100644
--- a/models/release.go
+++ b/models/release.go
@@ -189,7 +189,7 @@ func UpdateRelease(gitRepo *git.Repository, rel *Release) (err error) {
}
// DeleteReleaseByID deletes a release and corresponding Git tag by given ID.
-func DeleteReleaseByID(id int64) error {
+func DeleteReleaseByID(id int64, u *User) error {
rel, err := GetReleaseByID(id)
if err != nil {
return fmt.Errorf("GetReleaseByID: %v", err)
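Review bot: The doc comment above the changed signature still describes only the deletion and says nothing about the new `u` parameter or that the call now fails unless `u` has write access to the release's repository. I would reword it to `// DeleteReleaseByID deletes a release and corresponding Git tag by given ID, after checking that u has write access to the release's repository.` Callers are not visible in this diff, so it is worth confirming that each one passes the authenticated request user and not, for example, the repository owner. The function body continues past this hunk.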
@@ -200,6 +200,13 @@ func DeleteReleaseByID(id int64) error {
return fmt.Errorf("GetRepositoryByID: %v", err)
}
+ has, err := HasAccess(u, repo, AccessModeWrite)
+ if err != nil {
+ return fmt.Errorf("HasAccess: %v", err)
+ } else if !has {
+ return fmt.Errorf("DeleteReleaseByID: permission denied")
+ }
+
_, stderr, err := process.ExecDir(-1, repo.RepoPath(),
fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID),
"git", "tag", "-d", rel.TagName)
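Review bot: The `!has` branch returns an untyped `fmt.Errorf("DeleteReleaseByID: permission denied")`, so a caller cannot tell an authorization failure from a database or git error, and will presumably report it as a generic server error instead of a forbidden response. Returning a distinguishable value would fix that, for example `return errReleaseDeleteDenied`, where that name is a placeholder for a new package-level sentinel or error type the handler can match on. `HasAccess` is not shown here, so confirm it handles a nil `u` (an unauthenticated request) by returning false and not by dereferencing it. Because the check runs after `GetReleaseByID` and `GetRepositoryByID`, a user without access can also tell existing release IDs from missing ones by the error text, which is minor but worth noting. The function starts in the previous hunk and continues past the end of this one.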