From 17053e953f697ba21e067f1ad7715b18e07e273b Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Tue, 3 Dec 2024 19:59:48 -0800
Subject: Fix delete branch perm checking (#32654)
---
 services/repository/branch.go | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)
(limited to 'services/repository')
diff --git a/services/repository/branch.go b/services/repository/branch.go
index 600ba96e92..508817c83e 100644
--- a/services/repository/branch.go
+++ b/services/repository/branch.go
@@ -14,7 +14,9 @@ import (
 "code.gitea.io/gitea/models/db"
 git_model "code.gitea.io/gitea/models/git"
 issues_model "code.gitea.io/gitea/models/issues"
+ access_model "code.gitea.io/gitea/models/perm/access"
 repo_model "code.gitea.io/gitea/models/repo"
+ "code.gitea.io/gitea/models/unit"
 user_model "code.gitea.io/gitea/models/user"
 "code.gitea.io/gitea/modules/cache"
 "code.gitea.io/gitea/modules/git"
@@ -463,15 +465,17 @@ var (
 ErrBranchIsDefault = errors.New("branch is default")
 )
 
-// DeleteBranch delete branch
-func DeleteBranch(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, gitRepo *git.Repository, branchName string) error {
- err := repo.MustNotBeArchived()
+func CanDeleteBranch(ctx context.Context, repo *repo_model.Repository, branchName string, doer *user_model.User) error {
+ if branchName == repo.DefaultBranch {
+ return ErrBranchIsDefault
+ }
+
+ perm, err := access_model.GetUserRepoPermission(ctx, repo, doer)
 if err != nil {
 return err
 }
-
- if branchName == repo.DefaultBranch {
- return ErrBranchIsDefault
+ if !perm.CanWrite(unit.TypeCode) {
+ return util.NewPermissionDeniedErrorf("permission denied to access repo %d unit %s", repo.ID, unit.TypeCode.LogString())
 }
 
 isProtected, err := git_model.IsBranchProtected(ctx, repo.ID, branchName)
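Review bot: In the new `CanDeleteBranch`, the `branchName == repo.DefaultBranch` comparison runs before the `GetUserRepoPermission` / `perm.CanWrite(unit.TypeCode)` check, so a caller without write access to the code unit receives `ErrBranchIsDefault` instead of the permission error for that one branch name. Making authorization the first gate gives every unauthorized caller the same answer regardless of repository state; moving the default-branch comparison below the `CanWrite` block would achieve that. The function is also exported without a doc comment; I would add `// CanDeleteBranch returns nil if doer may delete branchName: the branch is not the default branch, doer can write to the code unit, and the branch is not protected.` and, as far as the visible lines show, note there that the archived-repository check is left to the caller. The function body continues past this hunk and closes in the next one.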
@@ -481,6 +485,19 @@ func DeleteBranch(ctx context.Context, doer *user_model.User, repo *repo_model.R
 if isProtected {
 return git_model.ErrBranchIsProtected
 }
+ return nil
+}
+
+// DeleteBranch delete branch
+func DeleteBranch(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, gitRepo *git.Repository, branchName string) error {
+ err := repo.MustNotBeArchived()
+ if err != nil {
+ return err
+ }
+
+ if err := CanDeleteBranch(ctx, repo, branchName, doer); err != nil {
+ return err
+ }
 
 rawBranch, err := git_model.GetBranch(ctx, repo.ID, branchName)
 if err != nil && !git_model.IsErrBranchNotExist(err) {
--
cgit v1.2.3
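Review bot: The doc comment `// DeleteBranch delete branch` is re-added unchanged even though the function now enforces the caller's permissions through `CanDeleteBranch`, so the new authorization contract is not documented at the entry point. I would replace it with `// DeleteBranch deletes branchName on behalf of doer; it fails if the repository is archived or if CanDeleteBranch rejects the request (default branch, no write access to the code unit, or protected branch).` so that callers know `doer` must be the acting user and that a permission-denied error can now come back. Callers that map errors to HTTP statuses are outside this diff and presumably need to handle that new error. The body of `DeleteBranch` continues beyond the end of this hunk.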