luckyimnotanigger/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-06-01 20:32:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

Fix comment permissions (#28213)

Browse source 
This PR will fix some missed checks for private repositories' data on
web routes and API routes.
This commit is contained in:
Lunny Xiao 2023-11-26 01:21:21 +08:00 committed by GitHub
parent 80217cacfc
commit 882e502327
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
34 changed files with 417 additions and 105 deletions
Download patch file Download diff file Expand all files Collapse all files

20
routers/api/v1/repo/issue_reaction.go
View file

@ -61,6 +61,12 @@ func GetIssueCommentReactions(ctx *context.APIContext) {
if err := comment.LoadIssue(ctx); err != nil {
ctx.Error(http.StatusInternalServerError, "comment.LoadIssue", err)
return
}
if comment.Issue.RepoID != ctx.Repo.Repository.ID {
ctx.NotFound()
return
}
if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) {
@ -190,9 +196,19 @@ func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp
return
}
err = comment.LoadIssue(ctx)
if err != nil {
if err = comment.LoadIssue(ctx); err != nil {
ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)
return
}
if comment.Issue.RepoID != ctx.Repo.Repository.ID {
ctx.NotFound()
return
}
if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) {
ctx.NotFound()
return
}
if comment.Issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull) {