repo: improve authz for resources (#8119)

https://github.com/gogs/gogs/security/advisories/GHSA-jj5m-h57j-5gv7
ᴊᴏᴇ ᴄʜᴇɴ
2026-01-29 20:56:09 -05:00
committed by GitHub
parent e3bb4165dc
commit 1b226ca48d
3 changed files with 61 additions and 1 deletions


@@ -88,6 +88,17 @@ func EditIssueComment(c *context.APIContext, form api.EditIssueCommentOption) {
return
}
issue, err := database.GetIssueByID(comment.IssueID)
if err != nil {
c.NotFoundOrError(err, "get issue by ID")
return
}
if issue.RepoID != c.Repo.Repository.ID {
c.NotFound()
return
}
if c.User.ID != comment.PosterID && !c.Repo.IsAdmin() {
c.Status(http.StatusForbidden)
return
@@ -112,6 +123,17 @@ func DeleteIssueComment(c *context.APIContext) {
return
}
issue, err := database.GetIssueByID(comment.IssueID)
if err != nil {
c.NotFoundOrError(err, "get issue by ID")
return
}
if issue.RepoID != c.Repo.Repository.ID {
c.NotFound()
return
}
if c.User.ID != comment.PosterID && !c.Repo.IsAdmin() {
c.Status(http.StatusForbidden)
return
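Review bot: The nine-line issue lookup and repository check added in DeleteIssueComment is byte-identical to the block added in EditIssueComment above and, apart from `c.UserID()` versus `c.User.ID`, to the two web handlers in this commit, so the next authz fix risks landing in three of the four sites; a small helper that loads the issue and compares `issue.RepoID` with `c.Repo.Repository.ID` would keep the check in one place. The helper is also the natural home for a comment recording why a mismatch answers 404 rather than 403: the status must not confirm that a comment ID exists in another repository. The API and web handlers use different context types, so the sketch below covers the API side only; if later code in either handler needs `issue` itself, the helper should return it as well. Both enclosing functions start outside their hunks.
```go
// commentIssueInRepo verifies that the issue a comment belongs to lives in the
// repository of the current request. On failure it writes the response and
// returns false so the caller can return immediately. A foreign issue answers
// 404, not 403, so the status does not reveal that the comment ID exists.
func commentIssueInRepo(c *context.APIContext, issueID int64) bool {
	issue, err := database.GetIssueByID(issueID)
	if err != nil {
		c.NotFoundOrError(err, "get issue by ID")
		return false
	}
	if issue.RepoID != c.Repo.Repository.ID {
		c.NotFound()
		return false
	}
	return true
}

// … in DeleteIssueComment, in place of the added lookup and check …
if !commentIssueInRepo(c, comment.IssueID) {
	return
}
```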


@@ -45,6 +45,11 @@ func GetDeployKey(c *context.APIContext) {
return
}
if key.RepoID != c.Repo.Repository.ID {
c.NotFound()
return
}
if err = key.GetContent(); err != nil {
c.Error(err, "get content")
return
@@ -94,7 +99,18 @@ func CreateDeployKey(c *context.APIContext, form api.CreateKeyOption) {
// https://github.com/gogs/go-gogs-client/wiki/Repositories-Deploy-Keys#remove-a-deploy-key
func DeleteDeploykey(c *context.APIContext) {
if err := database.DeleteDeployKey(c.User, c.ParamsInt64(":id")); err != nil {
key, err := database.GetDeployKeyByID(c.ParamsInt64(":id"))
if err != nil {
c.NotFoundOrError(err, "get deploy key by ID")
return
}
if key.RepoID != c.Repo.Repository.ID {
c.NotFound()
return
}
if err := database.DeleteDeployKey(c.User, key.ID); err != nil {
if database.IsErrKeyAccessDenied(err) {
c.ErrorStatus(http.StatusForbidden, errors.New("You do not have access to this key"))
} else {
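Review bot: `if err := database.DeleteDeployKey(c.User, key.ID); err != nil {` now shadows the `err` that `key, err := database.GetDeployKeyByID(c.ParamsInt64(":id"))` declared a few lines earlier in DeleteDeploykey; it is harmless here, but shadow linters flag it and it reads as though a second error value is in play, so `if err = database.DeleteDeployKey(c.User, key.ID); err != nil {` is the cleaner form. The repository check is the same one added to GetDeployKey in the first hunk, and in both places a one-line comment on the `key.RepoID != c.Repo.Repository.ID` branch would make the deliberate choice of 404 over 403 explicit: `// A key from another repository is reported as missing, not forbidden, so the response does not confirm that it exists.` The body of DeleteDeploykey continues past the hunk.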


@@ -926,6 +926,17 @@ func UpdateCommentContent(c *context.Context) {
return
}
issue, err := database.GetIssueByID(comment.IssueID)
if err != nil {
c.NotFoundOrError(err, "get issue by ID")
return
}
if issue.RepoID != c.Repo.Repository.ID {
c.NotFound()
return
}
if c.UserID() != comment.PosterID && !c.Repo.IsAdmin() {
c.NotFound()
return
@@ -959,6 +970,17 @@ func DeleteComment(c *context.Context) {
return
}
issue, err := database.GetIssueByID(comment.IssueID)
if err != nil {
c.NotFoundOrError(err, "get issue by ID")
return
}
if issue.RepoID != c.Repo.Repository.ID {
c.NotFound()
return
}
if c.UserID() != comment.PosterID && !c.Repo.IsAdmin() {
c.NotFound()
return
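Review bot: In DeleteComment the added `if issue.RepoID != c.Repo.Repository.ID {` branch and the pre-existing poster/admin check below it both answer `c.NotFound()`, so a reader cannot tell from the code that the 404 for a repository mismatch is intentional rather than copied from the line below, especially since the API handlers in this commit answer 403 for the poster check; a comment on the added branch would record it: `// Deliberately 404, not 403: the comment is not part of this repository and the response must not confirm that it exists elsewhere.` The same comment belongs on the identical branch added to UpdateCommentContent above. The added block is otherwise a copy of the two API handlers' check with `c.UserID()` in place of `c.User.ID`; if a helper is extracted on the API side, a `*context.Context` twin would remove the duplication here too. Both enclosing functions start outside their hunks, so whether `issue` is needed after the check cannot be seen from the diff.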