Add more checks

Author: lunny

models/perm/access/repo_permission.go

@@ -25,7 +25,7 @@ type ErrNoPermission struct {
 }
 
 func (e ErrNoPermission) Error() string {
-	return fmt.Sprintf("no permission to access repo %d unit %s with mode %s", e.RepoID, e.Unit, e.Perm)
+	return fmt.Sprintf("no permission to access repo %d unit %s with mode %s", e.RepoID, e.Unit.LogString(), e.Perm.LogString())
 }
 
 // Permission contains all the permissions related variables to a repository for a user

routers/api/v1/repo/branch.go

@@ -150,11 +150,6 @@ func DeleteBranch(ctx *context.APIContext) {
 		}
 	}
 
-	if ctx.Repo.Repository.IsMirror {
-		ctx.Error(http.StatusForbidden, "IsMirrored", fmt.Errorf("can not delete branch of an mirror repository"))
-		return
-	}
-
 	if err := repo_service.DeleteBranch(ctx, ctx.Doer, ctx.Repo.Repository, ctx.Repo.GitRepo, branchName); err != nil {
 		switch {
 		case git.IsErrBranchNotExist(err):

routers/api/v1/repo/pull.go

@@ -1058,6 +1058,8 @@ func MergePullRequest(ctx *context.APIContext) {
 	log.Trace("Pull request merged: %d", pr.ID)
 
 	if form.DeleteBranchAfterMerge && pr.Flow == issues_model.PullRequestFlowGithub {
+		// check permission even it has been checked in repo_service.DeleteBranch so that we don't need to
+		// do RetargetChildrenOnMerge
 		if err := repo_service.CanDeleteBranch(ctx, pr.HeadRepo, pr.HeadBranch, ctx.Doer); err == nil {
 			// Don't cleanup when there are other PR's that use this branch as head branch.
 			exist, err := issues_model.HasUnmergedPullRequestsByHeadInfo(ctx, pr.HeadRepoID, pr.HeadBranch)

routers/web/repo/pull.go

@@ -1404,7 +1404,7 @@ func CleanUpPullRequest(ctx *context.Context) {
 	pr := issue.PullRequest
 
 	// Don't cleanup unmerged and unclosed PRs
-	if !pr.HasMerged && !issue.IsClosed {
+	if !pr.HasMerged && !issue.IsClosed && pr.Flow != issues_model.PullRequestFlowGithub {
 		ctx.NotFound("CleanUpPullRequest", nil)
 		return
 	}
@@ -1435,13 +1435,12 @@ func CleanUpPullRequest(ctx *context.Context) {
 		return
 	}
 
-	perm, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, ctx.Doer)
-	if err != nil {
-		ctx.ServerError("GetUserRepoPermission", err)
-		return
-	}
-	if !perm.CanWrite(unit.TypeCode) {
-		ctx.NotFound("CleanUpPullRequest", nil)
+	if err := repo_service.CanDeleteBranch(ctx, pr.HeadRepo, pr.HeadBranch, ctx.Doer); err != nil {
+		if errors.Is(err, access_model.ErrNoPermission{}) {
+			ctx.NotFound("CleanUpPullRequest", nil)
+		} else {
+			ctx.ServerError("GetUserRepoPermission", err)
+		}
 		return
 	}
 

services/repository/branch.go

@@ -500,17 +500,9 @@ func DeleteBranch(ctx context.Context, doer *user_model.User, repo *repo_model.R
 		return err
 	}
 
-	if branchName == repo.DefaultBranch {
-		return ErrBranchIsDefault
-	}
-
-	isProtected, err := git_model.IsBranchProtected(ctx, repo.ID, branchName)
-	if err != nil {
+	if err := CanDeleteBranch(ctx, repo, branchName, doer); err != nil {
 		return err
 	}
-	if isProtected {
-		return git_model.ErrBranchIsProtected
-	}
 
 	rawBranch, err := git_model.GetBranch(ctx, repo.ID, branchName)
 	if err != nil && !git_model.IsErrBranchNotExist(err) {