authorpricly-yellow <79628427+pricly-yellow@users.noreply.github.com>2021-10-07 07:03:37 +0700
committerGitHub <noreply@github.com>2021-10-07 02:03:37 +0200
commit4afdb1eb78ce77fad8e1d2952c69b3315a836548 (patch)
treece3c95b6bdf61da50fc0773e8ca3a5f3be73b8a0 /modules/convert
parent67bc04fe21e279805f2f4163791e28272e8133b1 (diff)
API pull's head/base have correct permission (#17214)
close #17181 * for all pull requests API return permissions of caller * for all webhook return empty permissions Signed-off-by: Danila Kryukov <pricly_yellow@dismail.de> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: 6543 <6543@obermui.de>
Diffstat (limited to 'modules/convert')
-rw-r--r--modules/convert/pull.go18
-rw-r--r--modules/convert/pull_test.go6
2 files changed, 18 insertions, 6 deletions
diff --git a/modules/convert/pull.go b/modules/convert/pull.go
index 6c5d15c82e..ab17c13421 100644
--- a/modules/convert/pull.go
+++ b/modules/convert/pull.go
@@ -17,7 +17,7 @@ import (
// ToAPIPullRequest assumes following fields have been assigned with valid values:
// Required - Issue
// Optional - Merger
-func ToAPIPullRequest(pr *models.PullRequest) *api.PullRequest {
+func ToAPIPullRequest(pr *models.PullRequest, doer *models.User) *api.PullRequest {
var (
baseBranch *git.Branch
headBranch *git.Branch
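Review bot: The doc comment above ToAPIPullRequest still lists only Issue and Merger and says nothing about the new `doer` parameter, although the reported repository permissions now depend on it. The commit description says webhooks return empty permissions, while the updated test in pull_test.go passes `nil` and expects `models.AccessModeRead` on the head repository, so a nil doer appears to be evaluated as an anonymous caller rather than forced to `AccessModeNone`. I would add a line such as `// doer is the user whose permissions on the base and head repositories are reported; nil is evaluated as an anonymous user` and confirm that this is the intended result for webhook payloads. The function body continues outside this hunk.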
@@ -41,6 +41,12 @@ func ToAPIPullRequest(pr *models.PullRequest) *api.PullRequest {
return nil
}
+ perm, err := models.GetUserRepoPermission(pr.BaseRepo, doer)
+ if err != nil {
+ log.Error("GetUserRepoPermission[%d]: %v", pr.BaseRepoID, err)
+ perm.AccessMode = models.AccessModeNone
+ }
+
apiPullRequest := &api.PullRequest{
ID: pr.ID,
URL: pr.Issue.HTMLURL(),
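Review bot: The permission lookup and its fail-closed fallback added here are repeated line for line in the head-repository hunk further down, where `perm, err :=` inside the `if` block also shadows the `perm` declared here. Falling back to `AccessModeNone` on error is the right default, but keeping it in two copies makes it easy for one of them to drift later. A small unexported helper that returns the access mode keeps the fallback in one place and removes the shadowing; the call sites become `ToRepo(pr.BaseRepo, repoAccessMode(pr.BaseRepo, doer))` and the same for `pr.HeadRepo`. The enclosing function starts and ends outside this hunk.

```go
// repoAccessMode returns doer's access mode on repo. A failed lookup is
// logged and reported as AccessModeNone so the API never overstates access.
func repoAccessMode(repo *models.Repository, doer *models.User) models.AccessMode {
	perm, err := models.GetUserRepoPermission(repo, doer)
	if err != nil {
		log.Error("GetUserRepoPermission[%d]: %v", repo.ID, err)
		return models.AccessModeNone
	}
	return perm.AccessMode
}
```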
@@ -68,7 +74,7 @@ func ToAPIPullRequest(pr *models.PullRequest) *api.PullRequest {
Name: pr.BaseBranch,
Ref: pr.BaseBranch,
RepoID: pr.BaseRepoID,
- Repository: ToRepo(pr.BaseRepo, models.AccessModeNone),
+ Repository: ToRepo(pr.BaseRepo, perm.AccessMode),
},
Head: &api.PRBranchInfo{
Name: pr.HeadBranch,
@@ -114,8 +120,14 @@ func ToAPIPullRequest(pr *models.PullRequest) *api.PullRequest {
}
if pr.HeadRepo != nil && pr.Flow == models.PullRequestFlowGithub {
+ perm, err := models.GetUserRepoPermission(pr.HeadRepo, doer)
+ if err != nil {
+ log.Error("GetUserRepoPermission[%d]: %v", pr.HeadRepoID, err)
+ perm.AccessMode = models.AccessModeNone
+ }
+
apiPullRequest.Head.RepoID = pr.HeadRepo.ID
- apiPullRequest.Head.Repository = ToRepo(pr.HeadRepo, models.AccessModeNone)
+ apiPullRequest.Head.Repository = ToRepo(pr.HeadRepo, perm.AccessMode)
headGitRepo, err := git.OpenRepository(pr.HeadRepo.RepoPath())
if err != nil {
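Review bot: The head repository is still passed to `ToRepo` when the lookup yields `models.AccessModeNone`, so the only thing the new permission changes here is the mode argument. `ToRepo` is not visible in this diff; if it fills in repository metadata independently of the mode, a caller with no access to a private head fork would still receive that metadata in `Head.Repository`. It would be worth confirming that behaviour and, if it holds, deciding whether the field should be left nil in that case, with a comment recording the decision. The `if` block continues outside this hunk.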
diff --git a/modules/convert/pull_test.go b/modules/convert/pull_test.go
index 655fc76329..a2b1e12a37 100644
--- a/modules/convert/pull_test.go
+++ b/modules/convert/pull_test.go
@@ -21,14 +21,14 @@ func TestPullRequest_APIFormat(t *testing.T) {
pr := db.AssertExistsAndLoadBean(t, &models.PullRequest{ID: 1}).(*models.PullRequest)
assert.NoError(t, pr.LoadAttributes())
assert.NoError(t, pr.LoadIssue())
- apiPullRequest := ToAPIPullRequest(pr)
+ apiPullRequest := ToAPIPullRequest(pr, nil)
assert.NotNil(t, apiPullRequest)
assert.EqualValues(t, &structs.PRBranchInfo{
Name: "branch1",
Ref: "refs/pull/2/head",
Sha: "4a357436d925b5c974181ff12a994538ddc5a269",
RepoID: 1,
- Repository: ToRepo(headRepo, models.AccessModeNone),
+ Repository: ToRepo(headRepo, models.AccessModeRead),
}, apiPullRequest.Head)
//withOut HeadRepo
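Review bot: Both calls in this test (here and in the fork-deletion case in the next hunk) pass `nil` as the doer, so the per-caller permission this commit introduces is only exercised for an anonymous caller. I would add a case that loads a fixture user with elevated access to the head repository and asserts the higher mode, and one where the caller has no access and `AccessModeNone` is expected, so a regression in either direction is caught. The test function continues outside this hunk.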
@@ -38,7 +38,7 @@ func TestPullRequest_APIFormat(t *testing.T) {
// simulate fork deletion
pr.HeadRepo = nil
pr.HeadRepoID = 100000
- apiPullRequest = ToAPIPullRequest(pr)
+ apiPullRequest = ToAPIPullRequest(pr, nil)
assert.NotNil(t, apiPullRequest)
assert.Nil(t, apiPullRequest.Head.Repository)
assert.EqualValues(t, -1, apiPullRequest.Head.RepoID)