Browse Source

Fix wrong permissions check when issues/prs shared operations (#9885)

* Fix wrong permissions check when issues/prs shared operations

* move redirect to the last of the function

* fix swagger

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
for-closed-social
Lunny Xiao 4 years ago
committed by Antoine GIRARD
parent
commit
6d6f1d568e
11 changed files with 43 additions and 28 deletions
  1. +1
    -1
      modules/context/repo.go
  2. +2
    -2
      modules/repofiles/action.go
  3. +21
    -5
      routers/api/v1/repo/issue.go
  4. +1
    -1
      routers/api/v1/repo/issue_comment.go
  5. +2
    -2
      routers/api/v1/repo/issue_reaction.go
  6. +1
    -1
      routers/api/v1/repo/issue_stopwatch.go
  7. +4
    -5
      routers/repo/issue.go
  8. +3
    -3
      routers/repo/issue_dependency.go
  9. +1
    -7
      routers/routes/routes.go
  10. +1
    -1
      templates/repo/issue/view_content.tmpl
  11. +6
    -0
      templates/swagger/v1_json.tmpl

+ 1
- 1
modules/context/repo.go View File

@ -134,7 +134,7 @@ func (r *Repository) CanUseTimetracker(issue *models.Issue, user *models.User) b
// 2. Is the user a contributor, admin, poster or assignee and do the repository policies require this? // 2. Is the user a contributor, admin, poster or assignee and do the repository policies require this?
isAssigned, _ := models.IsUserAssignedToIssue(issue, user) isAssigned, _ := models.IsUserAssignedToIssue(issue, user)
return r.Repository.IsTimetrackerEnabled() && (!r.Repository.AllowOnlyContributorsToTrackTime() || return r.Repository.IsTimetrackerEnabled() && (!r.Repository.AllowOnlyContributorsToTrackTime() ||
r.Permission.CanWrite(models.UnitTypeIssues) || issue.IsPoster(user.ID) || isAssigned)
r.Permission.CanWriteIssuesOrPulls(issue.IsPull) || issue.IsPoster(user.ID) || isAssigned)
} }
// CanCreateIssueDependencies returns whether or not a user can create dependencies. // CanCreateIssueDependencies returns whether or not a user can create dependencies.

+ 2
- 2
modules/repofiles/action.go View File

@ -104,8 +104,8 @@ func UpdateIssuesCommit(doer *models.User, repo *models.Repository, commits []*r
refMarked[key] = true refMarked[key] = true
// FIXME: this kind of condition is all over the code, it should be consolidated in a single place // FIXME: this kind of condition is all over the code, it should be consolidated in a single place
canclose := perm.IsAdmin() || perm.IsOwner() || perm.CanWrite(models.UnitTypeIssues) || refIssue.PosterID == doer.ID
cancomment := canclose || perm.CanRead(models.UnitTypeIssues)
canclose := perm.IsAdmin() || perm.IsOwner() || perm.CanWriteIssuesOrPulls(refIssue.IsPull) || refIssue.PosterID == doer.ID
cancomment := canclose || perm.CanReadIssuesOrPulls(refIssue.IsPull)
// Don't proceed if the user can't comment // Don't proceed if the user can't comment
if !cancomment { if !cancomment {

+ 21
- 5
routers/api/v1/repo/issue.go View File

@ -206,6 +206,10 @@ func ListIssues(ctx *context.APIContext) {
// in: query // in: query
// description: search string // description: search string
// type: string // type: string
// - name: type
// in: query
// description: filter by type (issues / pulls) if set
// type: string
// responses: // responses:
// "200": // "200":
// "$ref": "#/responses/IssueList" // "$ref": "#/responses/IssueList"
@ -241,6 +245,16 @@ func ListIssues(ctx *context.APIContext) {
} }
} }
var isPull util.OptionalBool
switch ctx.Query("type") {
case "pulls":
isPull = util.OptionalBoolTrue
case "issues":
isPull = util.OptionalBoolFalse
default:
isPull = util.OptionalBoolNone
}
// Only fetch the issues if we either don't have a keyword or the search returned issues // Only fetch the issues if we either don't have a keyword or the search returned issues
// This would otherwise return all issues if no issues were found by the search. // This would otherwise return all issues if no issues were found by the search.
if len(keyword) == 0 || len(issueIDs) > 0 || len(labelIDs) > 0 { if len(keyword) == 0 || len(issueIDs) > 0 || len(labelIDs) > 0 {
@ -251,6 +265,7 @@ func ListIssues(ctx *context.APIContext) {
IsClosed: isClosed, IsClosed: isClosed,
IssueIDs: issueIDs, IssueIDs: issueIDs,
LabelIDs: labelIDs, LabelIDs: labelIDs,
IsPull: isPull,
}) })
} }
@ -475,6 +490,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
return return
} }
issue.Repo = ctx.Repo.Repository issue.Repo = ctx.Repo.Repository
canWrite := ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull)
err = issue.LoadAttributes() err = issue.LoadAttributes()
if err != nil { if err != nil {
@ -482,7 +498,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
return return
} }
if !issue.IsPoster(ctx.User.ID) && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
if !issue.IsPoster(ctx.User.ID) && !canWrite {
ctx.Status(http.StatusForbidden) ctx.Status(http.StatusForbidden)
return return
} }
@ -495,7 +511,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
} }
// Update or remove the deadline, only if set and allowed // Update or remove the deadline, only if set and allowed
if (form.Deadline != nil || form.RemoveDeadline != nil) && ctx.Repo.CanWrite(models.UnitTypeIssues) {
if (form.Deadline != nil || form.RemoveDeadline != nil) && canWrite {
var deadlineUnix timeutil.TimeStamp var deadlineUnix timeutil.TimeStamp
if (form.RemoveDeadline == nil || !*form.RemoveDeadline) && !form.Deadline.IsZero() { if (form.RemoveDeadline == nil || !*form.RemoveDeadline) && !form.Deadline.IsZero() {
@ -519,7 +535,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
// Pass one or more user logins to replace the set of assignees on this Issue. // Pass one or more user logins to replace the set of assignees on this Issue.
// Send an empty array ([]) to clear all assignees from the Issue. // Send an empty array ([]) to clear all assignees from the Issue.
if ctx.Repo.CanWrite(models.UnitTypeIssues) && (form.Assignees != nil || form.Assignee != nil) {
if canWrite && (form.Assignees != nil || form.Assignee != nil) {
oneAssignee := "" oneAssignee := ""
if form.Assignee != nil { if form.Assignee != nil {
oneAssignee = *form.Assignee oneAssignee = *form.Assignee
@ -532,7 +548,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
} }
} }
if ctx.Repo.CanWrite(models.UnitTypeIssues) && form.Milestone != nil &&
if canWrite && form.Milestone != nil &&
issue.MilestoneID != *form.Milestone { issue.MilestoneID != *form.Milestone {
oldMilestoneID := issue.MilestoneID oldMilestoneID := issue.MilestoneID
issue.MilestoneID = *form.Milestone issue.MilestoneID = *form.Milestone
@ -618,7 +634,7 @@ func UpdateIssueDeadline(ctx *context.APIContext, form api.EditDeadlineOption) {
return return
} }
if !ctx.Repo.CanWrite(models.UnitTypeIssues) {
if !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) {
ctx.Error(http.StatusForbidden, "", "Not repo writer") ctx.Error(http.StatusForbidden, "", "Not repo writer")
return return
} }

+ 1
- 1
routers/api/v1/repo/issue_comment.go View File

@ -204,7 +204,7 @@ func CreateIssueComment(ctx *context.APIContext, form api.CreateIssueCommentOpti
return return
} }
if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
if issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) && !ctx.User.IsAdmin {
ctx.Error(http.StatusForbidden, "CreateIssueComment", errors.New(ctx.Tr("repo.issues.comment_on_locked"))) ctx.Error(http.StatusForbidden, "CreateIssueComment", errors.New(ctx.Tr("repo.issues.comment_on_locked")))
return return
} }

+ 2
- 2
routers/api/v1/repo/issue_reaction.go View File

@ -179,7 +179,7 @@ func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp
ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err) ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)
} }
if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
if comment.Issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull) {
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction")) ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
return return
} }
@ -380,7 +380,7 @@ func changeIssueReaction(ctx *context.APIContext, form api.EditReactionOption, i
return return
} }
if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
if issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) {
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction")) ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
return return
} }

+ 1
- 1
routers/api/v1/repo/issue_stopwatch.go View File

@ -170,7 +170,7 @@ func prepareIssueStopwatch(ctx *context.APIContext, shouldExist bool) (*models.I
return nil, err return nil, err
} }
if !ctx.Repo.CanWrite(models.UnitTypeIssues) {
if !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) {
ctx.Status(http.StatusForbidden) ctx.Status(http.StatusForbidden)
return nil, err return nil, err
} }

+ 4
- 5
routers/repo/issue.go View File

@ -63,13 +63,12 @@ var (
// If locked and user has permissions to write to the repository, // If locked and user has permissions to write to the repository,
// then the comment is allowed, else it is blocked // then the comment is allowed, else it is blocked
func MustAllowUserComment(ctx *context.Context) { func MustAllowUserComment(ctx *context.Context) {
issue := GetActionIssue(ctx) issue := GetActionIssue(ctx)
if ctx.Written() { if ctx.Written() {
return return
} }
if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
if issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) && !ctx.User.IsAdmin {
ctx.Flash.Error(ctx.Tr("repo.issues.comment_on_locked")) ctx.Flash.Error(ctx.Tr("repo.issues.comment_on_locked"))
ctx.Redirect(issue.HTMLURL()) ctx.Redirect(issue.HTMLURL())
return return
@ -344,7 +343,7 @@ func RetrieveRepoMilestonesAndAssignees(ctx *context.Context, repo *models.Repos
// RetrieveRepoMetas find all the meta information of a repository // RetrieveRepoMetas find all the meta information of a repository
func RetrieveRepoMetas(ctx *context.Context, repo *models.Repository, isPull bool) []*models.Label { func RetrieveRepoMetas(ctx *context.Context, repo *models.Repository, isPull bool) []*models.Label {
if !ctx.Repo.CanWrite(models.UnitTypeIssues) {
if !ctx.Repo.CanWriteIssuesOrPulls(isPull) {
return nil return nil
} }
@ -1022,7 +1021,6 @@ func ViewIssue(ctx *context.Context) {
ctx.Data["IsIssuePoster"] = ctx.IsSigned && issue.IsPoster(ctx.User.ID) ctx.Data["IsIssuePoster"] = ctx.IsSigned && issue.IsPoster(ctx.User.ID)
ctx.Data["IsIssueWriter"] = ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) ctx.Data["IsIssueWriter"] = ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull)
ctx.Data["IsRepoAdmin"] = ctx.IsSigned && (ctx.Repo.IsAdmin() || ctx.User.IsAdmin) ctx.Data["IsRepoAdmin"] = ctx.IsSigned && (ctx.Repo.IsAdmin() || ctx.User.IsAdmin)
ctx.Data["IsRepoIssuesWriter"] = ctx.IsSigned && (ctx.Repo.CanWrite(models.UnitTypeIssues) || ctx.User.IsAdmin)
ctx.Data["LockReasons"] = setting.Repository.Issue.LockReasons ctx.Data["LockReasons"] = setting.Repository.Issue.LockReasons
ctx.HTML(200, tplIssueView) ctx.HTML(200, tplIssueView)
} }
@ -1283,9 +1281,10 @@ func NewComment(ctx *context.Context, form auth.CreateCommentForm) {
} }
ctx.Error(403) ctx.Error(403)
return
} }
if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
if issue.IsLocked && !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) && !ctx.User.IsAdmin {
ctx.Flash.Error(ctx.Tr("repo.issues.comment_on_locked")) ctx.Flash.Error(ctx.Tr("repo.issues.comment_on_locked"))
ctx.Redirect(issue.HTMLURL(), http.StatusSeeOther) ctx.Redirect(issue.HTMLURL(), http.StatusSeeOther)
return return

+ 3
- 3
routers/repo/issue_dependency.go View File

@ -93,9 +93,6 @@ func RemoveDependency(ctx *context.Context) {
return return
} }
// Redirect
ctx.Redirect(issue.HTMLURL(), http.StatusSeeOther)
// Dependency Type // Dependency Type
depTypeStr := ctx.Req.PostForm.Get("dependencyType") depTypeStr := ctx.Req.PostForm.Get("dependencyType")
@ -126,4 +123,7 @@ func RemoveDependency(ctx *context.Context) {
ctx.ServerError("RemoveIssueDependency", err) ctx.ServerError("RemoveIssueDependency", err)
return return
} }
// Redirect
ctx.Redirect(issue.HTMLURL(), http.StatusSeeOther)
} }

+ 1
- 7
routers/routes/routes.go View File

@ -508,19 +508,13 @@ func RegisterRoutes(m *macaron.Macaron) {
reqRepoReleaseWriter := context.RequireRepoWriter(models.UnitTypeReleases) reqRepoReleaseWriter := context.RequireRepoWriter(models.UnitTypeReleases)
reqRepoReleaseReader := context.RequireRepoReader(models.UnitTypeReleases) reqRepoReleaseReader := context.RequireRepoReader(models.UnitTypeReleases)
reqRepoWikiWriter := context.RequireRepoWriter(models.UnitTypeWiki) reqRepoWikiWriter := context.RequireRepoWriter(models.UnitTypeWiki)
reqRepoIssueWriter := context.RequireRepoWriter(models.UnitTypeIssues)
reqRepoIssueReader := context.RequireRepoReader(models.UnitTypeIssues) reqRepoIssueReader := context.RequireRepoReader(models.UnitTypeIssues)
reqRepoPullsWriter := context.RequireRepoWriter(models.UnitTypePullRequests) reqRepoPullsWriter := context.RequireRepoWriter(models.UnitTypePullRequests)
reqRepoPullsReader := context.RequireRepoReader(models.UnitTypePullRequests) reqRepoPullsReader := context.RequireRepoReader(models.UnitTypePullRequests)
reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(models.UnitTypeIssues, models.UnitTypePullRequests) reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(models.UnitTypeIssues, models.UnitTypePullRequests)
reqRepoIssuesOrPullsReader := context.RequireRepoReaderOr(models.UnitTypeIssues, models.UnitTypePullRequests) reqRepoIssuesOrPullsReader := context.RequireRepoReaderOr(models.UnitTypeIssues, models.UnitTypePullRequests)
reqRepoIssueWriter := func(ctx *context.Context) {
if !ctx.Repo.CanWrite(models.UnitTypeIssues) {
ctx.Error(403)
return
}
}
// ***** START: Organization ***** // ***** START: Organization *****
m.Group("/org", func() { m.Group("/org", func() {
m.Group("", func() { m.Group("", func() {

+ 1
- 1
templates/repo/issue/view_content.tmpl View File

@ -66,7 +66,7 @@
{{ template "repo/issue/view_content/pull". }} {{ template "repo/issue/view_content/pull". }}
{{end}} {{end}}
{{if .IsSigned}} {{if .IsSigned}}
{{ if and (or .IsRepoAdmin .IsRepoIssuesWriter (or (not .Issue.IsLocked))) (not .Repository.IsArchived) }}
{{ if and (or .IsRepoAdmin .IsIssueWriter (or (not .Issue.IsLocked))) (not .Repository.IsArchived) }}
<div class="comment form"> <div class="comment form">
<a class="avatar" href="{{.SignedUser.HomeLink}}"> <a class="avatar" href="{{.SignedUser.HomeLink}}">
<img src="{{.SignedUser.RelAvatarLink}}"> <img src="{{.SignedUser.RelAvatarLink}}">

+ 6
- 0
templates/swagger/v1_json.tmpl View File

@ -3133,6 +3133,12 @@
"description": "search string", "description": "search string",
"name": "q", "name": "q",
"in": "query" "in": "query"
},
{
"type": "string",
"description": "filter by type (issues / pulls) if set",
"name": "type",
"in": "query"
} }
], ],
"responses": { "responses": {

Loading…
Cancel
Save