diff options
author | Lunny Xiao <xiaolunwen@gmail.com> | 2020-01-20 20:00:32 +0800 |
---|---|---|
committer | Antoine GIRARD <sapk@users.noreply.github.com> | 2020-01-20 13:00:32 +0100 |
commit | 6d6f1d568ec36786b1020f4b43cbd872228c6633 (patch) | |
tree | 8aa01b789a6737644eeb1512887355357b1ed0a0 /modules | |
parent | 81cfe243f9cb90b0a75de7a03bb2d264c97f0036 (diff) | |
download | gitea-6d6f1d568ec36786b1020f4b43cbd872228c6633.tar.gz gitea-6d6f1d568ec36786b1020f4b43cbd872228c6633.zip |
Fix wrong permissions check when issues/prs shared operations (#9885)
* Fix wrong permissions check when issues/prs shared operations
* move redirect to the last of the function
* fix swagger
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'modules')
-rw-r--r-- | modules/context/repo.go | 2 | ||||
-rw-r--r-- | modules/repofiles/action.go | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/modules/context/repo.go b/modules/context/repo.go index 3815fc8cea..1f6e5037cc 100644 --- a/modules/context/repo.go +++ b/modules/context/repo.go @@ -134,7 +134,7 @@ func (r *Repository) CanUseTimetracker(issue *models.Issue, user *models.User) b // 2. Is the user a contributor, admin, poster or assignee and do the repository policies require this? isAssigned, _ := models.IsUserAssignedToIssue(issue, user) return r.Repository.IsTimetrackerEnabled() && (!r.Repository.AllowOnlyContributorsToTrackTime() || - r.Permission.CanWrite(models.UnitTypeIssues) || issue.IsPoster(user.ID) || isAssigned) + r.Permission.CanWriteIssuesOrPulls(issue.IsPull) || issue.IsPoster(user.ID) || isAssigned) } // CanCreateIssueDependencies returns whether or not a user can create dependencies. diff --git a/modules/repofiles/action.go b/modules/repofiles/action.go index 3be6509bc2..a1c2bd993f 100644 --- a/modules/repofiles/action.go +++ b/modules/repofiles/action.go @@ -104,8 +104,8 @@ func UpdateIssuesCommit(doer *models.User, repo *models.Repository, commits []*r refMarked[key] = true // FIXME: this kind of condition is all over the code, it should be consolidated in a single place - canclose := perm.IsAdmin() || perm.IsOwner() || perm.CanWrite(models.UnitTypeIssues) || refIssue.PosterID == doer.ID - cancomment := canclose || perm.CanRead(models.UnitTypeIssues) + canclose := perm.IsAdmin() || perm.IsOwner() || perm.CanWriteIssuesOrPulls(refIssue.IsPull) || refIssue.PosterID == doer.ID + cancomment := canclose || perm.CanReadIssuesOrPulls(refIssue.IsPull) // Don't proceed if the user can't comment if !cancomment { |