From 940ed923920ae662efa6967679e60297832c4af8 Mon Sep 17 00:00:00 2001 From: Kyle Evans Date: Sun, 3 May 2020 04:07:04 -0500 Subject: repo: milestone: make /milestone/:id endpoint accessible (#11264) Previously, this required authentication, but there's not actually any privileged information on this page. Move the endpoint out of the group that requires sign-in. It still requires the ability to read issues and pull requests, so private repositories (for instance) will not be exposed. Fixes #10312 Fixes #11233 --- routers/routes/routes.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'routers') diff --git a/routers/routes/routes.go b/routers/routes/routes.go index a7828885bf..f3bd42f02a 100644 --- a/routers/routes/routes.go +++ b/routers/routes/routes.go @@ -704,6 +704,14 @@ func RegisterRoutes(m *macaron.Macaron) { m.Post("/:username/:reponame/action/:action", reqSignIn, context.RepoAssignment(), context.UnitTypes(), repo.Action) + // Grouping for those endpoints not requiring authentication + m.Group("/:username/:reponame", func() { + m.Group("/milestone", func() { + m.Get("/:id", repo.MilestoneIssuesAndPulls) + }, reqRepoIssuesOrPullsReader, context.RepoRef()) + }, context.RepoAssignment(), context.UnitTypes()) + + // Grouping for those endpoints that do require authentication m.Group("/:username/:reponame", func() { m.Group("/issues", func() { m.Combo("/new").Get(context.RepoRef(), repo.NewIssue). @@ -761,9 +769,6 @@ func RegisterRoutes(m *macaron.Macaron) { m.Post("/:id/:action", repo.ChangeMilestonStatus) m.Post("/delete", repo.DeleteMilestone) }, context.RepoMustNotBeArchived(), reqRepoIssuesOrPullsWriter, context.RepoRef()) - m.Group("/milestone", func() { - m.Get("/:id", repo.MilestoneIssuesAndPulls) - }, reqRepoIssuesOrPullsReader, context.RepoRef()) m.Combo("/compare/*", repo.MustBeNotEmpty, reqRepoCodeReader, repo.SetEditorconfigIfExists). Get(repo.SetDiffViewStyle, repo.CompareDiff). Post(context.RepoMustNotBeArchived(), reqRepoPullsReader, repo.MustAllowPulls, bindIgnErr(auth.CreateIssueForm{}), repo.CompareAndPullRequestPost) -- cgit v1.2.3