author | wxiaoguang <wxiaoguang@gmail.com> | 2024-03-02 00:46:02 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-01 16:46:02 +0000 |
commit | 4b8293aa094e725b372329a19da687a6d1550069 (patch) | |
tree | 83be14d110992096e39dcfb171bf70e58941eeb0 /routers | |
parent | 3b99066aa866e51e6a610716eaddfd1ea3645a67 (diff) | |
download | gitea-4b8293aa094e725b372329a19da687a6d1550069.tar.gz gitea-4b8293aa094e725b372329a19da687a6d1550069.zip |
Fix issue & comment history bugs (#29525)
* Follow #17746: `HasIssueContentHistory` should use the expr builder to
make sure the zero value (0) is respected.
* Add a "doer" check to make sure `canSoftDeleteContentHistory` is only
called by signed-in users.
Diffstat (limited to 'routers')
-rw-r--r-- | routers/web/repo/issue_content_history.go | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/routers/web/repo/issue_content_history.go b/routers/web/repo/issue_content_history.go
index fce0eccc7b..1ec497658f 100644
--- a/routers/web/repo/issue_content_history.go
+++ b/routers/web/repo/issue_content_history.go
@@ -94,7 +94,7 @@ func canSoftDeleteContentHistory(ctx *context.Context, issue *issues_model.Issue
 // CanWrite means the doer can manage the issue/PR list
 if ctx.Repo.IsOwner() || ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) {
 canSoftDelete = true
- } else {
+ } else if ctx.Doer != nil {
 // for read-only users, they could still post issues or comments,
 // they should be able to delete the history related to their own issue/comment, a case is:
 // 1. the user posts some sensitive data
@@ -186,6 +186,10 @@ func SoftDeleteContentHistory(ctx *context.Context) {
 if ctx.Written() {
 return
 }
+ if ctx.Doer == nil {
+ ctx.NotFound("Require SignIn", nil)
+ return
+ }
 commentID := ctx.FormInt64("comment_id")
 historyID := ctx.FormInt64("history_id") |
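Review bot: The new `ctx.Doer != nil` guard in canSoftDeleteContentHistory denies anonymous requests only implicitly: they skip the whole branch and keep whatever value `canSoftDelete` was initialised with, which is declared outside this hunk (presumably false). A comment on the condition would make the fail-closed intent explicit, for example `// anonymous requests (ctx.Doer == nil) never get soft-delete permission`. The function's signature and the rest of the read-only branch lie outside the hunk, so it is worth confirming that nothing after the branch dereferences ctx.Doer without the same guard.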
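Review bot: The sign-in check in SoftDeleteContentHistory sits after the `ctx.Written()` early return, so whatever lookup precedes it (outside this hunk) still runs for unauthenticated requests before they are rejected. Consider making `if ctx.Doer == nil` the first statement of the handler, so the authentication decision is taken before any issue data is loaded. If the route is not already registered behind the sign-in middleware (not visible here), enforcing it there as well would turn this handler check into defence in depth rather than the only gate. A regression test that sends an unauthenticated request to this endpoint and expects the 404 would pin the fix.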