forgejo

luckyimnotanigger/forgejo

Fork 0

mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-04-25 09:06:20 +00:00

Commit graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Gusted	d7e483fd52	[v7.0/forgejo] fix: consider public issues for project boards (#7143 ) (#7145 ) Some checks failed testing / test-unit (push) Has been skipped Details testing / test-mysql (push) Has been skipped Details testing / backend-checks (push) Has been skipped Details testing / frontend-checks (push) Has been skipped Details testing / test-pgsql (push) Has been skipped Details testing / test-sqlite (push) Has been skipped Details / release (push) Has been cancelled Details Backport: https://codeberg.org/forgejo/forgejo/pulls/7143 - The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking. - The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project. - This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query. - Added unit testing. - Added integration testing. - Resolves Codeberg/Community#1809 - Regression of https://codeberg.org/forgejo/forgejo/pulls/6843 (cherry picked from commit `a2958f5a26`) Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7145 Reviewed-by: Otto <otto@codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>	2025-03-07 00:20:25 +00:00
Gusted	4159529a06	fix(sec): add tests for private issues on projects - Add integration and unit tests to ensure that private issues on projects are not shown in any way, shape or form when the doer has no access to it. (cherry picked from commit 55dcc1d06cb12ddb750a0289fbb6e212f93957a8)	2025-02-05 22:29:24 +00:00

Gusted

d7e483fd52

[v7.0/forgejo] fix: consider public issues for project boards (#7143 ) (#7145 )

testing / test-unit (push) Has been skipped

Details

testing / test-mysql (push) Has been skipped

Details

testing / backend-checks (push) Has been skipped

Details

testing / frontend-checks (push) Has been skipped

Details

testing / test-pgsql (push) Has been skipped

Details

testing / test-sqlite (push) Has been skipped

Details

/ release (push) Has been cancelled

Details

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7143

- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking.
- The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project.
- This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query.
- Added unit testing.
- Added integration testing.
- Resolves Codeberg/Community#1809
- Regression of https://codeberg.org/forgejo/forgejo/pulls/6843

(cherry picked from commit a2958f5a26)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7145
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>

2025-03-07 00:20:25 +00:00

Gusted

4159529a06

fix(sec): add tests for private issues on projects

- Add integration and unit tests to ensure that private issues on
projects are not shown in any way, shape or form when the doer has no
access to it.

(cherry picked from commit 55dcc1d06cb12ddb750a0289fbb6e212f93957a8)

2025-02-05 22:29:24 +00:00

2 commits