diff options
| author | Lunny Xiao <xiaolunwen@gmail.com> | 2022-06-30 23:55:08 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-30 23:55:08 +0800 |
| commit | 184a7d4195baffb169f24f4e9a4524f8d4045e91 (patch) | |
| tree | b7d620626be91e789115d41d9829518e4119c4a1 /routers/web/repo/issue.go | |
| parent | db3355cb1aa206fc9f1cf786543607204f628218 (diff) | |
| download | gitea-184a7d4195baffb169f24f4e9a4524f8d4045e91.tar.gz gitea-184a7d4195baffb169f24f4e9a4524f8d4045e91.zip | |
Check if project has the same repository id with issue when assign project to issue (#20133)
* Check if project has the same repository id with issue when assign project to issue
* Check if issue's repository id match project's repository id
* Add more permission checking
* Remove invalid argument
* Fix errors
* Add generic check
* Remove duplicated check
* Return error + add check for new issues
* Apply suggestions from code review
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: 6543 <6543@obermui.de>
Diffstat (limited to 'routers/web/repo/issue.go')
| -rw-r--r-- | routers/web/repo/issue.go | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go index 5b72ff79af..e6f9529e31 100644 --- a/routers/web/repo/issue.go +++ b/routers/web/repo/issue.go @@ -803,7 +803,8 @@ func NewIssue(ctx *context.Context) { body := ctx.FormString("body") ctx.Data["BodyQuery"] = body - ctx.Data["IsProjectsEnabled"] = ctx.Repo.CanRead(unit.TypeProjects) + isProjectsEnabled := ctx.Repo.CanRead(unit.TypeProjects) + ctx.Data["IsProjectsEnabled"] = isProjectsEnabled ctx.Data["IsAttachmentEnabled"] = setting.Attachment.Enabled upload.AddUploadContext(ctx, "comment") @@ -819,7 +820,7 @@ func NewIssue(ctx *context.Context) { } projectID := ctx.FormInt64("project") - if projectID > 0 { + if projectID > 0 && isProjectsEnabled { project, err := project_model.GetProjectByID(ctx, projectID) if err != nil { log.Error("GetProjectByID: %d: %v", projectID, err) @@ -1043,6 +1044,11 @@ func NewIssuePost(ctx *context.Context) { } if projectID > 0 { + if !ctx.Repo.CanRead(unit.TypeProjects) { + // User must also be able to see the project. + ctx.Error(http.StatusBadRequest, "user hasn't permissions to read projects") + return + } if err := issues_model.ChangeProjectAssign(issue, ctx.Doer, projectID); err != nil { ctx.ServerError("ChangeProjectAssign", err) return @@ -1783,6 +1789,10 @@ func getActionIssues(ctx *context.Context) []*issues_model.Issue { issueUnitEnabled := ctx.Repo.CanRead(unit.TypeIssues) prUnitEnabled := ctx.Repo.CanRead(unit.TypePullRequests) for _, issue := range issues { + if issue.RepoID != ctx.Repo.Repository.ID { + ctx.NotFound("some issue's RepoID is incorrect", errors.New("some issue's RepoID is incorrect")) + return nil + } if issue.IsPull && !prUnitEnabled || !issue.IsPull && !issueUnitEnabled { ctx.NotFound("IssueOrPullRequestUnitNotAllowed", nil) return nil |