summaryrefslogtreecommitdiffstats
path: root/routers/api
diff options
context:
space:
mode:
authorqwerty287 <80460567+qwerty287@users.noreply.github.com>2022-04-28 17:45:33 +0200
committerGitHub <noreply@github.com>2022-04-28 17:45:33 +0200
commit8eb1cd9264af9493e0f57a4a4c0a1f764f7cefcf (patch)
tree46049742d086daa7683db502883a58e94370a583 /routers/api
parent92dfbada3793fc2be23d38783d6842eac9825f58 (diff)
downloadgitea-8eb1cd9264af9493e0f57a4a4c0a1f764f7cefcf.tar.gz
gitea-8eb1cd9264af9493e0f57a4a4c0a1f764f7cefcf.zip
Add "Allow edits from maintainer" feature (#18002)
Adds a feature [like GitHub has](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) (step 7). If you create a new PR from a forked repo, you can select (and change later, but only if you are the PR creator/poster) the "Allow edits from maintainers" option. Then users with write access to the base branch get more permissions on this branch: * use the update pull request button * push directly from the command line (`git push`) * edit/delete/upload files via web UI * use related API endpoints You can't merge PRs to this branch with this enabled, you'll need "full" code write permissions. This feature has a pretty big impact on the permission system. I might forgot changing some things or didn't find security vulnerabilities. In this case, please leave a review or comment on this PR. Closes #17728 Co-authored-by: 6543 <6543@obermui.de>
Diffstat (limited to 'routers/api')
-rw-r--r--routers/api/v1/api.go17
-rw-r--r--routers/api/v1/repo/file.go10
-rw-r--r--routers/api/v1/repo/patch.go2
-rw-r--r--routers/api/v1/repo/pull.go12
4 files changed, 32 insertions, 9 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index cca0f37ba1..782500e6c8 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -283,6 +283,15 @@ func reqRepoWriter(unitTypes ...unit.Type) func(ctx *context.APIContext) {
}
}
+// reqRepoBranchWriter user should have a permission to write to a branch, or be a site admin
+func reqRepoBranchWriter(ctx *context.APIContext) {
+ options, ok := web.GetForm(ctx).(api.FileOptionInterface)
+ if !ok || (!ctx.Repo.CanWriteToBranch(ctx.Doer, options.Branch()) && !ctx.IsUserSiteAdmin()) {
+ ctx.Error(http.StatusForbidden, "reqRepoBranchWriter", "user should have a permission to write to this branch")
+ return
+ }
+}
+
// reqRepoReader user should have specific read permission or be a repo admin or a site admin
func reqRepoReader(unitType unit.Type) func(ctx *context.APIContext) {
return func(ctx *context.APIContext) {
@@ -1021,10 +1030,10 @@ func Routes() *web.Route {
m.Get("", repo.GetContentsList)
m.Get("/*", repo.GetContents)
m.Group("/*", func() {
- m.Post("", bind(api.CreateFileOptions{}), repo.CreateFile)
- m.Put("", bind(api.UpdateFileOptions{}), repo.UpdateFile)
- m.Delete("", bind(api.DeleteFileOptions{}), repo.DeleteFile)
- }, reqRepoWriter(unit.TypeCode), reqToken())
+ m.Post("", bind(api.CreateFileOptions{}), reqRepoBranchWriter, repo.CreateFile)
+ m.Put("", bind(api.UpdateFileOptions{}), reqRepoBranchWriter, repo.UpdateFile)
+ m.Delete("", bind(api.DeleteFileOptions{}), reqRepoBranchWriter, repo.DeleteFile)
+ }, reqToken())
}, reqRepoReader(unit.TypeCode))
m.Get("/signing-key.gpg", misc.SigningKey)
m.Group("/topics", func() {
diff --git a/routers/api/v1/repo/file.go b/routers/api/v1/repo/file.go
index d907e770ae..b8b72f95eb 100644
--- a/routers/api/v1/repo/file.go
+++ b/routers/api/v1/repo/file.go
@@ -173,8 +173,10 @@ func GetEditorconfig(ctx *context.APIContext) {
}
// canWriteFiles returns true if repository is editable and user has proper access level.
-func canWriteFiles(r *context.Repository) bool {
- return r.Permission.CanWrite(unit.TypeCode) && !r.Repository.IsMirror && !r.Repository.IsArchived
+func canWriteFiles(ctx *context.APIContext, branch string) bool {
+ return ctx.Repo.Permission.CanWriteToBranch(ctx.Doer, branch) &&
+ !ctx.Repo.Repository.IsMirror &&
+ !ctx.Repo.Repository.IsArchived
}
// canReadFiles returns true if repository is readable and user has proper access level.
@@ -376,7 +378,7 @@ func handleCreateOrUpdateFileError(ctx *context.APIContext, err error) {
// Called from both CreateFile or UpdateFile to handle both
func createOrUpdateFile(ctx *context.APIContext, opts *files_service.UpdateRepoFileOptions) (*api.FileResponse, error) {
- if !canWriteFiles(ctx.Repo) {
+ if !canWriteFiles(ctx, opts.OldBranch) {
return nil, models.ErrUserDoesNotHaveAccessToRepo{
UserID: ctx.Doer.ID,
RepoName: ctx.Repo.Repository.LowerName,
@@ -433,7 +435,7 @@ func DeleteFile(ctx *context.APIContext) {
// "$ref": "#/responses/error"
apiOpts := web.GetForm(ctx).(*api.DeleteFileOptions)
- if !canWriteFiles(ctx.Repo) {
+ if !canWriteFiles(ctx, apiOpts.BranchName) {
ctx.Error(http.StatusForbidden, "DeleteFile", models.ErrUserDoesNotHaveAccessToRepo{
UserID: ctx.Doer.ID,
RepoName: ctx.Repo.Repository.LowerName,
diff --git a/routers/api/v1/repo/patch.go b/routers/api/v1/repo/patch.go
index ae64c6efe3..6dbf979701 100644
--- a/routers/api/v1/repo/patch.go
+++ b/routers/api/v1/repo/patch.go
@@ -77,7 +77,7 @@ func ApplyDiffPatch(ctx *context.APIContext) {
opts.Message = "apply-patch"
}
- if !canWriteFiles(ctx.Repo) {
+ if !canWriteFiles(ctx, apiOpts.BranchName) {
ctx.Error(http.StatusInternalServerError, "ApplyPatch", models.ErrUserDoesNotHaveAccessToRepo{
UserID: ctx.Doer.ID,
RepoName: ctx.Repo.Repository.LowerName,
diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go
index 6b076eff8f..9517802183 100644
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -616,6 +616,18 @@ func EditPullRequest(ctx *context.APIContext) {
notification.NotifyPullRequestChangeTargetBranch(ctx.Doer, pr, form.Base)
}
+ // update allow edits
+ if form.AllowMaintainerEdit != nil {
+ if err := pull_service.SetAllowEdits(ctx, ctx.Doer, pr, *form.AllowMaintainerEdit); err != nil {
+ if errors.Is(pull_service.ErrUserHasNoPermissionForAction, err) {
+ ctx.Error(http.StatusForbidden, "SetAllowEdits", fmt.Sprintf("SetAllowEdits: %s", err))
+ return
+ }
+ ctx.ServerError("SetAllowEdits", err)
+ return
+ }
+ }
+
// Refetch from database
pr, err = models.GetPullRequestByIndex(ctx.Repo.Repository.ID, pr.Index)
if err != nil {