diff options
author | a1012112796 <1012112796@qq.com> | 2022-06-17 04:03:03 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-16 22:03:03 +0200 |
commit | e3e06d13afdd882ca5934fde77217ff9554354c4 (patch) | |
tree | 5f46b0277127af587f1aed139d15b024f9dae74d /routers/api/v1/repo | |
parent | 89b0aac37449cf7ccdfa52c6edbe537257228bc1 (diff) | |
download | gitea-e3e06d13afdd882ca5934fde77217ff9554354c4.tar.gz gitea-e3e06d13afdd882ca5934fde77217ff9554354c4.zip |
fix permission check for delete tag (#19985)
fix #19970
by the way, fix some error response about protected tags.
Signed-off-by: a1012112796 <1012112796@qq.com>
Diffstat (limited to 'routers/api/v1/repo')
-rw-r--r-- | routers/api/v1/repo/release.go | 6 | ||||
-rw-r--r-- | routers/api/v1/repo/release_tags.go | 7 | ||||
-rw-r--r-- | routers/api/v1/repo/tag.go | 14 |
3 files changed, 27 insertions, 0 deletions
diff --git a/routers/api/v1/repo/release.go b/routers/api/v1/repo/release.go index e454b418bb..8dfe7e06d2 100644 --- a/routers/api/v1/repo/release.go +++ b/routers/api/v1/repo/release.go @@ -345,6 +345,8 @@ func DeleteRelease(ctx *context.APIContext) { // "$ref": "#/responses/empty" // "404": // "$ref": "#/responses/notFound" + // "405": + // "$ref": "#/responses/empty" id := ctx.ParamsInt64(":id") rel, err := models.GetReleaseByID(ctx, id) @@ -358,6 +360,10 @@ func DeleteRelease(ctx *context.APIContext) { return } if err := release_service.DeleteReleaseByID(ctx, id, ctx.Doer, false); err != nil { + if models.IsErrProtectedTagName(err) { + ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag") + return + } ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err) return } diff --git a/routers/api/v1/repo/release_tags.go b/routers/api/v1/repo/release_tags.go index a737bcf1c8..73dee73e1a 100644 --- a/routers/api/v1/repo/release_tags.go +++ b/routers/api/v1/repo/release_tags.go @@ -92,6 +92,8 @@ func DeleteReleaseByTag(ctx *context.APIContext) { // "$ref": "#/responses/empty" // "404": // "$ref": "#/responses/notFound" + // "405": + // "$ref": "#/responses/empty" tag := ctx.Params(":tag") @@ -111,7 +113,12 @@ func DeleteReleaseByTag(ctx *context.APIContext) { } if err = releaseservice.DeleteReleaseByID(ctx, release.ID, ctx.Doer, false); err != nil { + if models.IsErrProtectedTagName(err) { + ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag") + return + } ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err) + return } ctx.Status(http.StatusNoContent) diff --git a/routers/api/v1/repo/tag.go b/routers/api/v1/repo/tag.go index 8942912754..433d823c7e 100644 --- a/routers/api/v1/repo/tag.go +++ b/routers/api/v1/repo/tag.go @@ -176,6 +176,8 @@ func CreateTag(ctx *context.APIContext) { // "$ref": "#/responses/Tag" // "404": // "$ref": "#/responses/notFound" + // "405": + // "$ref": "#/responses/empty" // "409": // "$ref": "#/responses/conflict" form := web.GetForm(ctx).(*api.CreateTagOption) @@ -196,6 +198,11 @@ func CreateTag(ctx *context.APIContext) { ctx.Error(http.StatusConflict, "tag exist", err) return } + if models.IsErrProtectedTagName(err) { + ctx.Error(http.StatusMethodNotAllowed, "CreateNewTag", "user not allowed to create protected tag") + return + } + ctx.InternalServerError(err) return } @@ -236,6 +243,8 @@ func DeleteTag(ctx *context.APIContext) { // "$ref": "#/responses/empty" // "404": // "$ref": "#/responses/notFound" + // "405": + // "$ref": "#/responses/empty" // "409": // "$ref": "#/responses/conflict" tagName := ctx.Params("*") @@ -256,7 +265,12 @@ func DeleteTag(ctx *context.APIContext) { } if err = releaseservice.DeleteReleaseByID(ctx, tag.ID, ctx.Doer, true); err != nil { + if models.IsErrProtectedTagName(err) { + ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag") + return + } ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err) + return } ctx.Status(http.StatusNoContent) |