author | Lunny Xiao <xiaolunwen@gmail.com> | 2020-01-20 20:00:32 +0800 |
---|---|---|
committer | Antoine GIRARD <sapk@users.noreply.github.com> | 2020-01-20 13:00:32 +0100 |
commit | 6d6f1d568ec36786b1020f4b43cbd872228c6633 (patch) | |
tree | 8aa01b789a6737644eeb1512887355357b1ed0a0 /routers/repo | |
parent | 81cfe243f9cb90b0a75de7a03bb2d264c97f0036 (diff) | |
download | gitea-6d6f1d568ec36786b1020f4b43cbd872228c6633.tar.gz gitea-6d6f1d568ec36786b1020f4b43cbd872228c6633.zip |
Fix wrong permissions check when issues/prs shared operations (#9885)
* Fix wrong permissions check when issues/prs shared operations
* move redirect to the last of the function
* fix swagger
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'routers/repo')
-rw-r--r-- | routers/repo/issue.go | 9 | ||||
-rw-r--r-- | routers/repo/issue_dependency.go | 6 |
2 files changed, 7 insertions, 8 deletions
diff --git a/routers/repo/issue.go b/routers/repo/issue.go
index c2aa1a83bb..49481e7e2e 100644
--- a/routers/repo/issue.go
+++ b/routers/repo/issue.go
@@ -63,13 +63,12 @@ var (
 // If locked and user has permissions to write to the repository,
 // then the comment is allowed, else it is blocked
 func MustAllowUserComment(ctx *context.Context) {
-
 issue := GetActionIssue(ctx)
 if ctx.Written() {
 return
 }
 
- if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) && !ctx.User.IsAdmin {
 ctx.Flash.Error(ctx.Tr("repo.issues.comment_on_locked"))
 ctx.Redirect(issue.HTMLURL())
 return
@@ -344,7 +343,7 @@ func RetrieveRepoMilestonesAndAssignees(ctx *context.Context, repo *models.Repos
 
 // RetrieveRepoMetas find all the meta information of a repository
 func RetrieveRepoMetas(ctx *context.Context, repo *models.Repository, isPull bool) []*models.Label {
- if !ctx.Repo.CanWrite(models.UnitTypeIssues) {
+ if !ctx.Repo.CanWriteIssuesOrPulls(isPull) {
 return nil
 }
 
@@ -1022,7 +1021,6 @@ func ViewIssue(ctx *context.Context) {
 ctx.Data["IsIssuePoster"] = ctx.IsSigned && issue.IsPoster(ctx.User.ID)
 ctx.Data["IsIssueWriter"] = ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull)
 ctx.Data["IsRepoAdmin"] = ctx.IsSigned && (ctx.Repo.IsAdmin() || ctx.User.IsAdmin)
- ctx.Data["IsRepoIssuesWriter"] = ctx.IsSigned && (ctx.Repo.CanWrite(models.UnitTypeIssues) || ctx.User.IsAdmin)
 ctx.Data["LockReasons"] = setting.Repository.Issue.LockReasons
 ctx.HTML(200, tplIssueView)
 }
@@ -1283,9 +1281,10 @@ func NewComment(ctx *context.Context, form auth.CreateCommentForm) {
 }
 
 ctx.Error(403)
+ return
 }
 
- if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) && !ctx.User.IsAdmin {
 ctx.Flash.Error(ctx.Tr("repo.issues.comment_on_locked"))
 ctx.Redirect(issue.HTMLURL(), http.StatusSeeOther)
 return
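Review bot: `ctx.User.IsAdmin` in the locked-issue check of MustAllowUserComment is read without the `ctx.IsSigned` guard that ViewIssue applies to the same field further down this file (`ctx.IsSigned && (ctx.Repo.IsAdmin() || ctx.User.IsAdmin)`). If this middleware can run for an anonymous request, which the hunk does not show, and `ctx.User` is nil in that case, a locked issue would reach a nil dereference once `CanWriteIssuesOrPulls` returns false. Consider `if issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) && !(ctx.IsSigned && ctx.User.IsAdmin) {`; the identical expression in the NewComment hunk deserves the same look. The function body continues past the end of this hunk.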
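Review bot: The doc comment on RetrieveRepoMetas does not say that the function returns nil when the caller lacks write access, nor that `isPull` now selects which unit is checked. A caller reading only the comment cannot tell that nil can mean "not permitted" rather than "no labels". Suggested wording: `// RetrieveRepoMetas finds all the meta information of a repository. It returns nil when the user cannot write issues, or pull requests if isPull is true.` The rest of the body lies outside the hunk, so other nil returns may exist.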
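Review bot: The locked-issue condition in NewComment is a second copy of the one in MustAllowUserComment, and this commit had to correct both. A small helper in this file, for example `func canCommentOnLocked(ctx *context.Context, issue *models.Issue) bool`, would keep the two from drifting apart again; `*models.Issue` as the type of `issue` is an assumption, since its declaration is outside the hunk. The two copies also differ in their redirect: this one passes `http.StatusSeeOther`, while MustAllowUserComment calls `ctx.Redirect(issue.HTMLURL())` without a status. NewComment starts and ends outside the hunk.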
diff --git a/routers/repo/issue_dependency.go b/routers/repo/issue_dependency.go
index 055b5ed2af..8a83c7bae3 100644
--- a/routers/repo/issue_dependency.go
+++ b/routers/repo/issue_dependency.go
@@ -93,9 +93,6 @@ func RemoveDependency(ctx *context.Context) {
 return
 }
 
- // Redirect
- ctx.Redirect(issue.HTMLURL(), http.StatusSeeOther)
-
 // Dependency Type
 depTypeStr := ctx.Req.PostForm.Get("dependencyType")
 
@@ -126,4 +123,7 @@ func RemoveDependency(ctx *context.Context) {
 ctx.ServerError("RemoveIssueDependency", err)
 return
 }
+
+ // Redirect
+ ctx.Redirect(issue.HTMLURL(), http.StatusSeeOther)
 } |
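Review bot: The relocated `// Redirect` comment at the end of RemoveDependency does not say why the call has to come last, which is the whole point of moving it. Suggested comment: `// Redirect only after the dependency has been removed; the error paths above write their own response and return.` Only the `ctx.ServerError` path is visible in this hunk, so the other early returns in the function should be confirmed to write a response before returning.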