
Commit dde1c05

committed
Fix permissions
1 parent 2663781 commit dde1c05


1 file changed

+84
-1
lines changed

1 file changed

+84
-1
lines changed

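--- a/routers/api/v1/repo/issue.go
+++ b/routers/api/v1/repo/issue.go
@@ -977,6 +977,22 @@ func GetIssueDependencies(ctx *context.APIContext) {
 if i < skip || i >= max {
 continue
 }
+
+perm, err := models.GetUserRepoPermission(&depMeta.Repository, ctx.User)
+if err != nil {
+ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
+return
+}
+if depMeta.Issue.IsPull {
+if !perm.CanRead(unit.TypePullRequests) {
+continue
+}
+} else {
+if !perm.CanRead(unit.TypeIssues) {
+continue
+}
+}
+
 depMeta.Issue.Repo = &depMeta.Repository
 issues = append(issues, &depMeta.Issue)
 }
@@ -1127,6 +1143,22 @@ func GetIssueBlocks(ctx *context.APIContext) {
 if i < skip || i >= max {
 continue
 }
+
+perm, err := models.GetUserRepoPermission(&depMeta.Repository, ctx.User)
+if err != nil {
+ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
+return
+}
+if depMeta.Issue.IsPull {
+if !perm.CanRead(unit.TypePullRequests) {
+continue
+}
+} else {
+if !perm.CanRead(unit.TypeIssues) {
+continue
+}
+}
+
 depMeta.Issue.Repo = &depMeta.Repository
 issues = append(issues, &depMeta.Issue)
 }
@@ -1210,7 +1242,7 @@ func createIssueDependency(ctx *context.APIContext, t models.DependencyType) {
 return
 }
 
-dep, err := models.GetIssueWithAttrsByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
+dep, err := models.GetIssueByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 if err != nil {
 if models.IsErrIssueNotExist(err) {
 ctx.NotFound("IsErrIssueNotExist", err)
@@ -1242,8 +1274,42 @@ func createIssueDependency(ctx *context.APIContext, t models.DependencyType) {
 }
 
 if t == models.DependencyTypeBlockedBy {
+perm, err := models.GetUserRepoPermission(ctx.Repo.Repository, ctx.User)
+if err != nil {
+ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
+return
+}
+if issue.IsPull {
+if !perm.CanRead(unit.TypePullRequests) {
+ctx.NotFound()
+return
+}
+} else {
+if !perm.CanRead(unit.TypeIssues) {
+ctx.NotFound()
+return
+}
+}
+
 err = models.CreateIssueDependency(ctx.User, issue, dep)
 } else {
+perm, err := models.GetUserRepoPermission(repo, ctx.User)
+if err != nil {
+ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
+return
+}
+if issue.IsPull {
+if !perm.CanRead(unit.TypePullRequests) {
+ctx.NotFound()
+return
+}
+} else {
+if !perm.CanRead(unit.TypeIssues) {
+ctx.NotFound()
+return
+}
+}
+
 err = models.CreateIssueDependency(ctx.User, dep, issue)
 }
 if err != nil {
@@ -1291,6 +1357,23 @@ func removeIssueDependency(ctx *context.APIContext, t models.DependencyType) {
 return
 }
 
+perm, err := models.GetUserRepoPermission(repo, ctx.User)
+if err != nil {
+ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
+return
+}
+if issue.IsPull {
+if !perm.CanRead(unit.TypePullRequests) {
+ctx.NotFound("IsErrRepoNotExist", err)
+return
+}
+} else {
+if !perm.CanRead(unit.TypeIssues) {
+ctx.NotFound("IsErrRepoNotExist", err)
+return
+}
+}
+
 err = models.RemoveIssueDependency(ctx.User, issue, dep, t)
 if err != nil {
 ctx.Error(http.StatusInternalServerError, "CreateIssueDependency", err)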
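Review bot: In createIssueDependency, the new `perm, err := models.GetUserRepoPermission(...)` inside each branch of `if t == models.DependencyTypeBlockedBy { ... } else { ... }` declares a branch-local `err`, so the following `err = models.CreateIssueDependency(...)` assigns to that inner variable. The `if err != nil {` after the if/else then reads the outer `err` (apparently the one from `dep, err := models.GetIssueByIndex(...)`, already known to be nil there), so a failed dependency creation would be reported to the API caller as success. Giving the lookup error its own name in both branches, e.g. `perm, permErr := models.GetUserRepoPermission(repo, ctx.User)` followed by `if permErr != nil {` and passing `permErr` to `ctx.Error`, keeps `err` bound to the variable the trailing check reads. The function starts before and continues past these hunks, so the scope of the outer `err` should be confirmed against the full file.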
