authorLunny Xiao <xiaolunwen@gmail.com>2020-01-20 20:00:32 +0800
committerAntoine GIRARD <sapk@users.noreply.github.com>2020-01-20 13:00:32 +0100
commit6d6f1d568ec36786b1020f4b43cbd872228c6633 (patch)
tree8aa01b789a6737644eeb1512887355357b1ed0a0 /modules
parent81cfe243f9cb90b0a75de7a03bb2d264c97f0036 (diff)
Fix wrong permissions check when issues/prs shared operations (#9885)
* Fix wrong permissions check when issues/prs shared operations * move redirect to the last of the function * fix swagger Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'modules')
-rw-r--r--modules/context/repo.go2
-rw-r--r--modules/repofiles/action.go4
2 files changed, 3 insertions, 3 deletions
diff --git a/modules/context/repo.go b/modules/context/repo.go
index 3815fc8cea..1f6e5037cc 100644
--- a/modules/context/repo.go
+++ b/modules/context/repo.go
@@ -134,7 +134,7 @@ func (r *Repository) CanUseTimetracker(issue *models.Issue, user *models.User) b
// 2. Is the user a contributor, admin, poster or assignee and do the repository policies require this?
isAssigned, _ := models.IsUserAssignedToIssue(issue, user)
return r.Repository.IsTimetrackerEnabled() && (!r.Repository.AllowOnlyContributorsToTrackTime() ||
- r.Permission.CanWrite(models.UnitTypeIssues) || issue.IsPoster(user.ID) || isAssigned)
+ r.Permission.CanWriteIssuesOrPulls(issue.IsPull) || issue.IsPoster(user.ID) || isAssigned)
}
// CanCreateIssueDependencies returns whether or not a user can create dependencies.
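Review bot: The comment above the return still lists "contributor, admin, poster or assignee", but the new expression `r.Permission.CanWriteIssuesOrPulls(issue.IsPull)` makes the write test depend on which unit the issue belongs to, and nothing in the function says so. A short comment such as `// write access is checked on the pulls unit for PRs and on the issues unit otherwise` would keep a later edit from reverting to a fixed unit type. The error from `models.IsUserAssignedToIssue` is discarded on the line before; that appears to fail closed (isAssigned would stay false), but it deserves a one-line comment saying the denial is intentional. A regression test covering a repository where the issues and pulls units carry different access would pin the fix. CanUseTimetracker starts outside the hunk.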
diff --git a/modules/repofiles/action.go b/modules/repofiles/action.go
index 3be6509bc2..a1c2bd993f 100644
--- a/modules/repofiles/action.go
+++ b/modules/repofiles/action.go
@@ -104,8 +104,8 @@ func UpdateIssuesCommit(doer *models.User, repo *models.Repository, commits []*r
refMarked[key] = true
// FIXME: this kind of condition is all over the code, it should be consolidated in a single place
- canclose := perm.IsAdmin() || perm.IsOwner() || perm.CanWrite(models.UnitTypeIssues) || refIssue.PosterID == doer.ID
- cancomment := canclose || perm.CanRead(models.UnitTypeIssues)
+ canclose := perm.IsAdmin() || perm.IsOwner() || perm.CanWriteIssuesOrPulls(refIssue.IsPull) || refIssue.PosterID == doer.ID
+ cancomment := canclose || perm.CanReadIssuesOrPulls(refIssue.IsPull)
// Don't proceed if the user can't comment
if !cancomment {
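Review bot: The `refIssue.PosterID == doer.ID` clause in `canclose` is not tied to any unit permission, so the original poster passes both `canclose` and `cancomment` even when `perm` grants no read access to the issues or pulls unit. If `perm` can describe a repository the doer no longer has access to (it is computed outside the hunk, so this is inferred), the poster shortcut should be gated, e.g. `(refIssue.PosterID == doer.ID && perm.CanReadIssuesOrPulls(refIssue.IsPull))`. The FIXME above already notes that this condition is duplicated across the code; moving it into one helper on the permission type would stop the per-unit check from drifting again, which is the bug this commit fixes. UpdateIssuesCommit starts and ends outside the hunk.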