author | pricly-yellow <79628427+pricly-yellow@users.noreply.github.com> | 2021-10-07 07:03:37 +0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-07 02:03:37 +0200 |
commit | 4afdb1eb78ce77fad8e1d2952c69b3315a836548 (patch) | |
tree | ce3c95b6bdf61da50fc0773e8ca3a5f3be73b8a0 /modules/convert | |
parent | 67bc04fe21e279805f2f4163791e28272e8133b1 (diff) | |
API pull's head/base have correct permission (#17214)
close #17181
* for all pull requests API return permissions of caller
* for all webhook return empty permissions
Signed-off-by: Danila Kryukov <pricly_yellow@dismail.de>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: 6543 <6543@obermui.de>
Diffstat (limited to 'modules/convert')
-rw-r--r-- | modules/convert/pull.go | 18 | ||||
-rw-r--r-- | modules/convert/pull_test.go | 6 |
2 files changed, 18 insertions, 6 deletions
diff --git a/modules/convert/pull.go b/modules/convert/pull.go
index 6c5d15c82e..ab17c13421 100644
--- a/modules/convert/pull.go
+++ b/modules/convert/pull.go
@@ -17,7 +17,7 @@ import (
 // ToAPIPullRequest assumes following fields have been assigned with valid values:
 // Required - Issue
 // Optional - Merger
-func ToAPIPullRequest(pr *models.PullRequest) *api.PullRequest {
+func ToAPIPullRequest(pr *models.PullRequest, doer *models.User) *api.PullRequest {
 var (
 baseBranch *git.Branch
 headBranch *git.Branch
@@ -41,6 +41,12 @@ func ToAPIPullRequest(pr *models.PullRequest) *api.PullRequest {
 return nil
 }
+ perm, err := models.GetUserRepoPermission(pr.BaseRepo, doer)
+ if err != nil {
+ log.Error("GetUserRepoPermission[%d]: %v", pr.BaseRepoID, err)
+ perm.AccessMode = models.AccessModeNone
+ }
+
 apiPullRequest := &api.PullRequest{
 ID: pr.ID,
 URL: pr.Issue.HTMLURL(),
@@ -68,7 +74,7 @@ func ToAPIPullRequest(pr *models.PullRequest) *api.PullRequest {
 Name: pr.BaseBranch,
 Ref: pr.BaseBranch,
 RepoID: pr.BaseRepoID,
- Repository: ToRepo(pr.BaseRepo, models.AccessModeNone),
+ Repository: ToRepo(pr.BaseRepo, perm.AccessMode),
 },
 Head: &api.PRBranchInfo{
 Name: pr.HeadBranch,
@@ -114,8 +120,14 @@ func ToAPIPullRequest(pr *models.PullRequest) *api.PullRequest {
 }
 if pr.HeadRepo != nil && pr.Flow == models.PullRequestFlowGithub {
+ perm, err := models.GetUserRepoPermission(pr.HeadRepo, doer)
+ if err != nil {
+ log.Error("GetUserRepoPermission[%d]: %v", pr.HeadRepoID, err)
+ perm.AccessMode = models.AccessModeNone
+ }
+
 apiPullRequest.Head.RepoID = pr.HeadRepo.ID
- apiPullRequest.Head.Repository = ToRepo(pr.HeadRepo, models.AccessModeNone)
+ apiPullRequest.Head.Repository = ToRepo(pr.HeadRepo, perm.AccessMode)
 headGitRepo, err := git.OpenRepository(pr.HeadRepo.RepoPath())
 if err != nil {
diff --git a/modules/convert/pull_test.go b/modules/convert/pull_test.go
index 655fc76329..a2b1e12a37 100644
--- a/modules/convert/pull_test.go
+++ b/modules/convert/pull_test.go
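Review bot: The doc comment above `ToAPIPullRequest` in the first hunk still lists only `Issue` and `Merger` and says nothing about the new `doer` parameter, which now decides the access mode reported for the base and head repositories. Callers need to know what passing nil means: the test in this commit passes nil and expects `models.AccessModeRead`, so nil appears to be evaluated as an anonymous caller rather than yielding no permission at all. I would add `// doer is the user whose access to the base and head repositories is reported; nil is evaluated as an anonymous caller.` to that comment. The function body continues outside the hunk.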
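Review bot: The permission lookup with its fallback in the second hunk is repeated line for line in the last hunk of this file for `pr.HeadRepo`, where `perm, err :=` also shadows the outer `perm` and `err`. Falling back to `models.AccessModeNone` when the lookup fails is the right fail-closed default, but keeping it in two copies makes it easy for one of them to drift later. A small unexported helper that returns the access mode would hold that behaviour in one place, and both call sites would then pass its result straight to `ToRepo`. Whether `pr.BaseRepo` is guaranteed non-nil at this point is decided outside the hunk.

```go
// repoAccessMode returns doer's access mode on repo. A failed lookup is
// logged and reported as AccessModeNone so the caller fails closed.
func repoAccessMode(repo *models.Repository, doer *models.User) models.AccessMode {
	perm, err := models.GetUserRepoPermission(repo, doer)
	if err != nil {
		log.Error("GetUserRepoPermission[%d]: %v", repo.ID, err)
		return models.AccessModeNone
	}
	return perm.AccessMode
}

// … unchanged: ToAPIPullRequest up to the Base branch info …
			Repository: ToRepo(pr.BaseRepo, repoAccessMode(pr.BaseRepo, doer)),
// … unchanged: remainder of the struct literal and branch lookups …
		apiPullRequest.Head.Repository = ToRepo(pr.HeadRepo, repoAccessMode(pr.HeadRepo, doer))
```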
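Review bot: The permission computed for `pr.HeadRepo` in the last hunk of this file is only passed to `ToRepo` as the reported access mode; `Head.RepoID` and `Head.Repository` are still filled in when the lookup yields `models.AccessModeNone`. What `ToRepo` serializes is not visible here, so this may be harmless, but for a head repository the caller cannot read it is worth confirming that the response carries nothing the caller could not otherwise see. If returning the head repository regardless is intended, a comment such as `// head repo metadata is returned even when doer has no access; only the permissions field is caller-specific` would record that decision. The enclosing `if` block and the function continue outside the hunk.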
@@ -21,14 +21,14 @@ func TestPullRequest_APIFormat(t *testing.T) {
 pr := db.AssertExistsAndLoadBean(t, &models.PullRequest{ID: 1}).(*models.PullRequest)
 assert.NoError(t, pr.LoadAttributes())
 assert.NoError(t, pr.LoadIssue())
- apiPullRequest := ToAPIPullRequest(pr)
+ apiPullRequest := ToAPIPullRequest(pr, nil)
 assert.NotNil(t, apiPullRequest)
 assert.EqualValues(t, &structs.PRBranchInfo{
 Name: "branch1",
 Ref: "refs/pull/2/head",
 Sha: "4a357436d925b5c974181ff12a994538ddc5a269",
 RepoID: 1,
- Repository: ToRepo(headRepo, models.AccessModeNone),
+ Repository: ToRepo(headRepo, models.AccessModeRead),
 }, apiPullRequest.Head)
 //withOut HeadRepo
@@ -38,7 +38,7 @@ func TestPullRequest_APIFormat(t *testing.T) {
 // simulate fork deletion
 pr.HeadRepo = nil
 pr.HeadRepoID = 100000
- apiPullRequest = ToAPIPullRequest(pr)
+ apiPullRequest = ToAPIPullRequest(pr, nil)
 assert.NotNil(t, apiPullRequest)
 assert.Nil(t, apiPullRequest.Head.Repository)
 assert.EqualValues(t, -1, apiPullRequest.Head.RepoID) |
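Review bot: Both updated calls in this test pass a nil `doer`, so the caller-specific path that the commit introduces is never exercised with a real user. The first hunk's expectation moves from `models.AccessModeNone` to `models.AccessModeRead`, which shows that a nil doer still receives read access on this fixture; that is worth stating in the test with `// nil doer is evaluated as anonymous, which yields read access on this fixture repo`, since the commit message describes webhook output as having empty permissions. I would add one case with a user who has elevated access to the head repository and one with a user who has none on a non-public repository, asserting the reported access mode in each, so a regression in either direction is caught.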