authorzeripath <art27@cantab.net>2021-03-19 13:25:14 +0000
committerGitHub <noreply@github.com>2021-03-19 21:25:14 +0800
commitdace0ce1b191d060976bac08f181ca768fc027a0 (patch)
tree6258fb4991c3ce80c1d188f76d8d561e859e442a /models
parent54d7b0f8e737cda864af981b29dda5116fc5f9ca (diff)
downloadgitea-dace0ce1b191d060976bac08f181ca768fc027a0.tar.gz
gitea-dace0ce1b191d060976bac08f181ca768fc027a0.zip
Prevent addition of labels from outside the repository or organisation in issues (#14912)
* Never add labels not from this repository or organisation and remove org labels on transfer Prevent the addition of labels from outside of the repository or organisation and remove organisation labels on transfer. Related #14908 Signed-off-by: Andrew Thornton <art27@cantab.net> * switch to use sql Signed-off-by: Andrew Thornton <art27@cantab.net> * remove AS Signed-off-by: Andrew Thornton <art27@cantab.net> * subquery alias Signed-off-by: Andrew Thornton <art27@cantab.net> * Give me some AS? Signed-off-by: Andrew Thornton <art27@cantab.net> * double AS Signed-off-by: Andrew Thornton <art27@cantab.net> * try try again Signed-off-by: Andrew Thornton <art27@cantab.net> * once more around the merry go round Signed-off-by: Andrew Thornton <art27@cantab.net> * fix api problem Signed-off-by: Andrew Thornton <art27@cantab.net> * Add outside label consistency check into doctor This PR adds another consistency check into doctor in order to detect labels that have been added from outside of repositories and organisations Fix #14908 Signed-off-by: Andrew Thornton <art27@cantab.net> * fix migration Signed-off-by: Andrew Thornton <art27@cantab.net> * prep for merge Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'models')
-rw-r--r--models/consistency.go58
-rw-r--r--models/migrations/migrations.go2
-rw-r--r--models/migrations/v176.go74
3 files changed, 134 insertions, 0 deletions
diff --git a/models/consistency.go b/models/consistency.go
index 3a2208014d..bed94d9395 100644
--- a/models/consistency.go
+++ b/models/consistency.go
@@ -319,6 +319,64 @@ func FixCommentTypeLabelWithEmptyLabel() (int64, error) {
return x.Where(builder.Eq{"type": CommentTypeLabel, "label_id": 0}).Delete(new(Comment))
}
+// CountCommentTypeLabelWithOutsideLabels count label comments with outside label
+func CountCommentTypeLabelWithOutsideLabels() (int64, error) {
+ return x.Where("comment.type = ? AND (issue.repo_id != label.repo_id OR (label.repo_id = 0 AND repository.owner_id != label.org_id))", CommentTypeLabel).
+ Table("comment").
+ Join("inner", "label", "label.id = comment.label_id").
+ Join("inner", "issue", "issue.id = comment.issue_id ").
+ Join("inner", "repository", "issue.repo_id = repository.id").
+ Count(new(Comment))
+}
+
+// FixCommentTypeLabelWithOutsideLabels count label comments with outside label
+func FixCommentTypeLabelWithOutsideLabels() (int64, error) {
+ res, err := x.Exec(`DELETE FROM comment WHERE comment.id IN (
+ SELECT il_too.id FROM (
+ SELECT com.id
+ FROM comment AS com
+ INNER JOIN label ON com.label_id = label.id
+ INNER JOIN issue on issue.id = com.issue_id
+ WHERE
+ com.type = ? AND (issue.repo_id != label.repo_id OR (label.repo_id = 0 AND label.org_id != repo.owner_id))
+ ) AS il_too)`, CommentTypeLabel)
+ if err != nil {
+ return 0, err
+ }
+
+ return res.RowsAffected()
+}
+
+// CountIssueLabelWithOutsideLabels count label comments with outside label
+func CountIssueLabelWithOutsideLabels() (int64, error) {
+ return x.Where(builder.Expr("issue.repo_id != label.repo_id OR (label.repo_id = 0 AND repository.owner_id != label.org_id)")).
+ Table("issue_label").
+ Join("inner", "label", "issue_label.id = label.id ").
+ Join("inner", "issue", "issue.id = issue_label.issue_id ").
+ Join("inner", "repository", "issue.repo_id = repository.id").
+ Count(new(IssueLabel))
+}
+
+// FixIssueLabelWithOutsideLabels fix label comments with outside label
+func FixIssueLabelWithOutsideLabels() (int64, error) {
+ res, err := x.Exec(`DELETE FROM issue_label WHERE issue_label.id IN (
+ SELECT il_too.id FROM (
+ SELECT il_too_too.id
+ FROM issue_label AS il_too_too
+ INNER JOIN label ON il_too_too.id = label.id
+ INNER JOIN issue on issue.id = il_too_too.issue_id
+ INNER JOIN repository on repository.id = issue.repo_id
+ WHERE
+ issue.repo_id != label.repo_id OR (label.repo_id = 0 AND label.org_id != repository.owner_id)
+ ) AS il_too )`)
+
+ if err != nil {
+ return 0, err
+ }
+
+ return res.RowsAffected()
+}
+
// CountBadSequences looks for broken sequences from recreate-table mistakes
func CountBadSequences() (int64, error) {
if !setting.Database.UsePostgreSQL {
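Review bot: The DELETE in FixCommentTypeLabelWithOutsideLabels filters on `repo.owner_id`, but its subquery never joins a repository table or defines a `repo` alias, so the database will most likely reject the statement when the fix runs; add `INNER JOIN repository on repository.id = issue.repo_id` and compare against `repository.owner_id`, as the comment query in models/migrations/v176.go does. Separately, CountIssueLabelWithOutsideLabels and FixIssueLabelWithOutsideLabels join `label` on the issue_label row id (`issue_label.id = label.id`, `il_too_too.id = label.id`) rather than on the label reference, so unrelated rows can be matched and deleted while genuinely foreign labels are missed; the join should read `INNER JOIN label ON il_too_too.label_id = label.id`. The same join is used by the issue_label DELETE in v176.go. The doc comments on the two Fix* functions and on CountIssueLabelWithOutsideLabels are copy-pasted ("count label comments") and should state what each function counts or deletes.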
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index f46d151b7b..3427b5dec1 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -298,6 +298,8 @@ var migrations = []Migration{
NewMigration("create repo transfer table", addRepoTransfer),
// v175 -> v176
NewMigration("Fix Postgres ID Sequences broken by recreate-table", fixPostgresIDSequences),
+ // v176 -> v177
+ NewMigration("Remove invalid labels from comments", removeInvalidLabels),
}
// GetCurrentDBVersion returns the current db version
diff --git a/models/migrations/v176.go b/models/migrations/v176.go
new file mode 100644
index 0000000000..ff6587508d
--- /dev/null
+++ b/models/migrations/v176.go
@@ -0,0 +1,74 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+ "xorm.io/xorm"
+)
+
+func removeInvalidLabels(x *xorm.Engine) error {
+ type Comment struct {
+ ID int64 `xorm:"pk autoincr"`
+ Type int `xorm:"INDEX"`
+ IssueID int64 `xorm:"INDEX"`
+ LabelID int64
+ }
+
+ type Issue struct {
+ ID int64 `xorm:"pk autoincr"`
+ RepoID int64 `xorm:"INDEX UNIQUE(repo_index)"`
+ Index int64 `xorm:"UNIQUE(repo_index)"` // Index in one repository.
+ }
+
+ type Repository struct {
+ ID int64 `xorm:"pk autoincr"`
+ OwnerID int64 `xorm:"UNIQUE(s) index"`
+ LowerName string `xorm:"UNIQUE(s) INDEX NOT NULL"`
+ }
+
+ type Label struct {
+ ID int64 `xorm:"pk autoincr"`
+ RepoID int64 `xorm:"INDEX"`
+ OrgID int64 `xorm:"INDEX"`
+ }
+
+ type IssueLabel struct {
+ ID int64 `xorm:"pk autoincr"`
+ IssueID int64 `xorm:"UNIQUE(s)"`
+ LabelID int64 `xorm:"UNIQUE(s)"`
+ }
+
+ if err := x.Sync2(new(Comment), new(Issue), new(Repository), new(Label), new(IssueLabel)); err != nil {
+ return err
+ }
+
+ if _, err := x.Exec(`DELETE FROM issue_label WHERE issue_label.id IN (
+ SELECT il_too.id FROM (
+ SELECT il_too_too.id
+ FROM issue_label AS il_too_too
+ INNER JOIN label ON il_too_too.id = label.id
+ INNER JOIN issue on issue.id = il_too_too.issue_id
+ INNER JOIN repository on repository.id = issue.repo_id
+ WHERE
+ issue.repo_id != label.repo_id OR (label.repo_id = 0 AND label.org_id != repository.owner_id)
+ ) AS il_too )`); err != nil {
+ return err
+ }
+
+ if _, err := x.Exec(`DELETE FROM comment WHERE comment.id IN (
+ SELECT il_too.id FROM (
+ SELECT com.id
+ FROM comment AS com
+ INNER JOIN label ON com.label_id = label.id
+ INNER JOIN issue on issue.id = com.issue_id
+ INNER JOIN repository on repository.id = issue.repo_id
+ WHERE
+ com.type = ? AND (issue.repo_id != label.repo_id OR (label.repo_id = 0 AND label.org_id != repository.owner_id))
+ ) AS il_too)`, 7); err != nil {
+ return err
+ }
+
+ return nil
+}
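Review bot: The cleanup predicate `issue.repo_id != label.repo_id OR (label.repo_id = 0 AND label.org_id != repository.owner_id)` looks too broad for organisation labels: if they are stored with `repo_id = 0`, as the second branch implies, the first branch is already true for every one of them, so this migration would delete legitimate org labels and their label comments on upgrade with no way to restore them. Restricting the first branch to repository labels keeps the intended cross-repository check, e.g. `(label.org_id = 0 AND issue.repo_id != label.repo_id) OR (label.repo_id = 0 AND label.org_id != repository.owner_id)`, assuming repository labels carry `org_id = 0`. The same predicate is used by the Count*/Fix* queries in models/consistency.go, so the doctor check would report and remove the same rows. The bare `7` bound to `com.type` is presumably the value of CommentTypeLabel and deserves a comment such as `// 7 is CommentTypeLabel, frozen here so the migration does not depend on models`.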