From 640f0e1ddf7a5cae8a778e989046e7438067a56c Mon Sep 17 00:00:00 2001
From: Gusted <williamzijl7@hotmail.com>
Date: Mon, 8 Nov 2021 16:45:37 +0100
Subject: Only allow returned deleted branche to be on repo (#17570)

- This will only allow `GetDeletedBranchByID` to return deletedBranch
which are on the repo, and thus don't return a deletedBranch from
another repo.
- This just should prevent possible bugs in the futher when a code is
passing the wrong ID into this function.
---
 models/branches.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'models/branches.go')

diff --git a/models/branches.go b/models/branches.go
index 3c62c7a87b..caca9e23fe 100644
--- a/models/branches.go
+++ b/models/branches.go
@@ -536,7 +536,7 @@ func (repo *Repository) GetDeletedBranches() ([]*DeletedBranch, error) {
 // GetDeletedBranchByID get a deleted branch by its ID
 func (repo *Repository) GetDeletedBranchByID(id int64) (*DeletedBranch, error) {
 	deletedBranch := &DeletedBranch{}
-	has, err := db.GetEngine(db.DefaultContext).ID(id).Get(deletedBranch)
+	has, err := db.GetEngine(db.DefaultContext).Where("repo_id = ?", repo.ID).And("id = ?", id).Get(deletedBranch)
 	if err != nil {
 		return nil, err
 	}
-- 
cgit v1.2.3