Move /info outside authorization #19888
Conversation
Gusted commented on Jun 4, 2022
- Using the web's API to get information about an issue/pull on a repository doesn't require authorization (nor that the repository isn't archived).
- Regressed by: Never use /api/v1 from Gitea UI Pages #19318
Why do you think it doesn't need authorization? What about a private repository's issues?
Because not every user on a Gitea instance would be logged in, and they shouldn't be shown a loading spinner when hovering over an issue reference. Private repository's issues are not being checked in
It's still on the same path as before, now it just doesn't have the
Hmm... I think it should require a permissions check. If you can't read the issues or pull requests you should not be able to access this endpoint. How does your change affect leakage for private repos where you have been given, say, code access but not read-issues access?
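The leakage scenario raised in that comment (a user granted code access but not issue access on a private repository) is easiest to reason about with a small model. The following Go program is an added illustration written for this page; it is not Gitea's code, and the `Unit`, `Repo`, `Issue`, `IssueInfo` and `SampleRepo` names, the JSON field names and the sample users are all constructed for the example. It shows the property a reviewer would want from the endpoint: a missing issue and an issue the caller may not read both answer 404, so the status code cannot be used to probe which issue numbers exist.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Unit stands in for a repository feature unit (code, issues, pull requests),
// the granularity at which the permission check below is applied. The names
// are constructed for this example, not taken from any project.
type Unit string

const (
	UnitCode   Unit = "code"
	UnitIssues Unit = "issues"
	UnitPulls  Unit = "pulls"
)

// Issue is a constructed stand-in for an issue or pull request record.
type Issue struct {
	Index  int64  `json:"index"`
	Title  string `json:"title"`
	IsPull bool   `json:"is_pull"`
}

// Repo carries constructed sample state: visibility, the issues it holds, and
// per-user read permission on each unit.
type Repo struct {
	Private bool
	Issues  map[int64]Issue
	Reads   map[string]map[Unit]bool // user -> unit -> may read
}

// CanRead reports whether user may read unit u. Everyone, including the
// anonymous user (""), may read a public repository; on a private one only an
// explicit grant counts (a missing user or unit simply reads as false).
func (r *Repo) CanRead(user string, u Unit) bool {
	if !r.Private {
		return true
	}
	return r.Reads[user][u]
}

// IssueInfo is the handler logic under discussion: look the issue up, then
// require read access on the unit it belongs to. A missing issue and a
// forbidden one both yield 404, so the response does not reveal whether an
// issue number exists in a repository the caller cannot read.
func IssueInfo(repo *Repo, user string, index int64) (int, []byte) {
	issue, ok := repo.Issues[index]
	if !ok {
		return http.StatusNotFound, nil
	}
	need := UnitIssues
	if issue.IsPull {
		need = UnitPulls
	}
	if !repo.CanRead(user, need) {
		return http.StatusNotFound, nil
	}
	body, err := json.Marshal(issue)
	if err != nil {
		return http.StatusInternalServerError, nil
	}
	return http.StatusOK, body
}

// SampleRepo builds a private repository with constructed data: alice may read
// code only, bob may read code, issues and pull requests.
func SampleRepo() *Repo {
	return &Repo{
		Private: true,
		Issues: map[int64]Issue{
			1: {Index: 1, Title: "Login form leaks timing", IsPull: false},
			2: {Index: 2, Title: "Add constant-time compare", IsPull: true},
		},
		Reads: map[string]map[Unit]bool{
			"alice": {UnitCode: true},
			"bob":   {UnitCode: true, UnitIssues: true, UnitPulls: true},
		},
	}
}

func main() {
	repo := SampleRepo()
	cases := []struct {
		user  string
		index int64
	}{{"alice", 1}, {"alice", 2}, {"alice", 999}, {"bob", 2}, {"", 1}}
	for _, c := range cases {
		code, body := IssueInfo(repo, c.user, c.index)
		fmt.Printf("user=%q issue=%d -> %d %s\n", c.user, c.index, code, body)
	}
}
```

Running it shows alice getting 404 for issue 1, pull 2 and the nonexistent 999 alike, while bob receives the JSON body for the pull. The design choice worth keeping in a real handler is the uniform 404: returning 403 for the forbidden case and 404 for the missing one would hand a code-only collaborator an oracle for enumerating issue numbers.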
This also needs:
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 079ccbf6c..d0ddf7048 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1799,6 +1799,27 @@ func GetIssueInfo(ctx *context.Context) {
}
return
}
+
+ if issue.IsPull {
+ // Need to check if Pulls are enabled and we can read Pulls
+ if !ctx.Repo.Repository.CanEnablePulls() || !ctx.Repo.CanRead(unit.TypePullRequests) {
+ ctx.Error(http.StatusNotFound)
+ return
+ }
+ } else {
+ // Need to check if Issues are enabled and we can read Issues
+ if !ctx.Repo.CanRead(unit.TypeIssues) &&
+ !ctx.Repo.CanRead(unit.TypeExternalTracker) {
+ ctx.Error(http.StatusNotFound)
+ return
+ }
+ _, err := ctx.Repo.Repository.GetUnit(unit.TypeExternalTracker)
+ if err == nil {
+ ctx.Error(http.StatusNotFound)
+ return
+ }
+ }
+
ctx.JSON(http.StatusOK, convert.ToAPIIssue(issue))
}
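Review bot: in the `else` branch, the `!ctx.Repo.CanRead(unit.TypeExternalTracker)` escape in the first condition is effectively dead, because the `GetUnit(unit.TypeExternalTracker)` check right below returns 404 whenever an external tracker unit is configured, and assuming `CanRead` is only true for a unit the repository actually has, a caller who can read only the external tracker can never reach `ctx.JSON`. Either simplify the branch to `if !ctx.Repo.CanRead(unit.TypeIssues) { ctx.Error(http.StatusNotFound); return }` followed by the `GetUnit` check, or, if repositories with an external tracker are meant to keep serving issue info, drop the `GetUnit` block instead. A short comment stating that 404 rather than 403 is deliberate, so the endpoint does not reveal whether an issue exists to a caller without read access, would also document the leakage concern raised earlier in the thread.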
Realistically we might actually need a
Signed-off-by: Andrew Thornton <[email protected]>
Codecov Report
@@ Coverage Diff @@
## main #19888 +/- ##
=======================================
Coverage ? 47.29%
=======================================
Files ? 958
Lines ? 133516
Branches ? 0
=======================================
Hits ? 63144
Misses ? 62699
Partials ? 7673
Continue to review full report at Codecov.
* giteaofficial/main:
  - Add alt text to logo (go-gitea#19892)
  - Limit max-height of CodeMirror editors for issue comment and wiki (go-gitea#18271)
  - Implement http signatures support for the API (go-gitea#17565)
  - Increment tests time out from 40m to 50m because sometimes the machine is slow (go-gitea#19887)
  - fix(CI/CD): correct CI variable. (go-gitea#19886)
  - Fix typo (go-gitea#19889)
  - Fixing wrong paging when filtering on the issue dashboard (go-gitea#19801)
  - Move `/info` outside authorization (go-gitea#19888)
  - Fix order by parameter (go-gitea#19849)
  - Exclude Archived repos from Dashboard Milestones (go-gitea#19882)
  - use exact search instead of fuzzy search for branch filter dropdown (go-gitea#19885)
- Using the web's API to get information about an issue/pull on a repository doesn't require authorization (nor that the repository isn't archived).
- Regressed by: go-gitea#19318

Signed-off-by: Andrew Thornton <[email protected]>
Co-authored-by: Andrew Thornton <[email protected]>