
[API] Edit PR has wrong permission model #14025


Closed
noerw opened this issue Dec 16, 2020 · 2 comments · Fixed by #15900
Labels
modifies/api This PR adds API routes or modifies them type/bug

Comments

@noerw
Member

noerw commented Dec 16, 2020

  • Gitea version (or commit ref): 1.14.0+dev-374-g287b59480

Description

Users may want to close their pull request via API.
To do so, currently only PATCH /repos/{owner}/{repo}/pulls/{index} is available.
This API is enabled only for repo owners, meaning a PR author gets 403 Forbidden, even if they only update the state field.

Either make the permission check more granular, or add a separate API to open/close PRs.

I believe the same applies for Issues (PATCH /repos/{owner}/{repo}/issues/{index}), but I didn't verify
This problem does not apply to the matching issues endpoint
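To make concrete what "more granular" could mean for the PATCH pulls endpoint, here is an added example (not Gitea's code, and not the fix that eventually landed) contrasting the coarse check the issue reports with a field-level one. Everything in it is assumed for illustration: the AccessMode levels, the EditPullRequestPatch shape, the set of fields an author may edit without write access (title, body, state), and the HTTP status values used as a stand-in for the handler's real responses.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
)

// AccessMode is the coarse repository permission an actor holds.
// The names are this example's own, not Gitea's.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
)

// PullRequest carries the one thing the granular check needs: who opened it.
type PullRequest struct {
	Index  int64
	Poster string // login of the PR author
}

// EditPullRequestPatch models the JSON body of
// PATCH /repos/{owner}/{repo}/pulls/{index} (assumed shape).
// Pointer and slice fields distinguish "not sent" from "sent as empty".
type EditPullRequestPatch struct {
	Title     *string
	Body      *string
	State     *string // "open" or "closed"
	Milestone *int64
	Assignees []string
	Labels    []int64
}

// touched returns the names of the fields the caller actually set, sorted.
func (p EditPullRequestPatch) touched() []string {
	var out []string
	if p.Title != nil {
		out = append(out, "title")
	}
	if p.Body != nil {
		out = append(out, "body")
	}
	if p.State != nil {
		out = append(out, "state")
	}
	if p.Milestone != nil {
		out = append(out, "milestone")
	}
	if p.Assignees != nil {
		out = append(out, "assignees")
	}
	if p.Labels != nil {
		out = append(out, "labels")
	}
	sort.Strings(out)
	return out
}

// authorEditable is the subset of fields a PR author may change without
// write access to the repository (an assumption of this example).
var authorEditable = map[string]bool{"title": true, "body": true, "state": true}

// Decision maps the permission outcome to an HTTP status; 200 stands in
// for whatever success code the real handler returns.
type Decision struct {
	Status int
	Reason string
}

// checkCoarse reproduces the behaviour the issue reports: the whole PATCH
// requires write access, so a read-only PR author gets 403 even when the
// patch only flips the state field.
func checkCoarse(actor string, mode AccessMode, pr PullRequest, p EditPullRequestPatch) Decision {
	if mode < AccessWrite {
		return Decision{http.StatusForbidden, "write access to the repository required"}
	}
	return Decision{http.StatusOK, "write access"}
}

// checkGranular is one shape of the more granular check the issue asks for:
// write access still allows everything, while the PR author may edit only
// the fields in authorEditable. Validation runs after authorisation so an
// unauthorised caller learns nothing from the validation errors.
func checkGranular(actor string, mode AccessMode, pr PullRequest, p EditPullRequestPatch) Decision {
	fields := p.touched()
	switch {
	case mode >= AccessWrite:
		// collaborators with write access: unchanged behaviour
	case mode >= AccessRead && actor == pr.Poster:
		for _, f := range fields {
			if !authorEditable[f] {
				return Decision{http.StatusForbidden, fmt.Sprintf("field %q requires write access", f)}
			}
		}
	default:
		return Decision{http.StatusForbidden, "not the PR author and no write access"}
	}
	if len(fields) == 0 {
		return Decision{http.StatusUnprocessableEntity, "empty patch"}
	}
	if p.State != nil && *p.State != "open" && *p.State != "closed" {
		return Decision{http.StatusUnprocessableEntity, `state must be "open" or "closed"`}
	}
	return Decision{http.StatusOK, "allowed: " + fmt.Sprint(fields)}
}

func main() {
	closed := "closed"
	pr := PullRequest{Index: 14025, Poster: "author"}
	patch := EditPullRequestPatch{State: &closed} // constructed sample request body
	fmt.Println("coarse:  ", checkCoarse("author", AccessRead, pr, patch))
	fmt.Println("granular:", checkGranular("author", AccessRead, pr, patch))
}
```

The point of deciding on the set of touched fields rather than on the endpoint as a whole is that a single PATCH route can serve both the author (state, title, body) and collaborators (everything) without a second open/close API, and a read-only author who also sends a milestone or assignee is still refused with 403 instead of having part of the patch silently applied.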

@noerw noerw added the modifies/api This PR adds API routes or modifies them label Dec 16, 2020
@6543 6543 added the type/bug label Dec 16, 2020
@CirnoT
Contributor

CirnoT commented Dec 17, 2020

> This API is enabled only for repo owners

Are you sure it's limited to owners? Renovate Bot has no issues closing PRs for me but it is added as collaborator with Write access.

> Either make the permission check more granular, or add a separate API to open/close PRs.

Definitely should fix it on existing API endpoint

@noerw
Member Author

noerw commented Dec 17, 2020

@CirnoT No, not sure; it could very well be the read/write permission boundary.

@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021