
api: fix overly strict permissions on edit PR #15900


Merged: 5 commits, May 19, 2021

Conversation

noerw (Member) commented May 16, 2021

We can drop this overly strict permission requirement, as the more granular check (IsIssuePoster) is done in repo.EditPullRequest()

fixes #14025

@noerw noerw added this to the 1.15.0 milestone May 16, 2021
@noerw noerw added the backport/v1.14, modifies/api (This PR adds API routes or modifies them) and type/bug labels May 16, 2021
codecov-commenter commented May 16, 2021

Codecov Report

Merging #15900 (9978a9e) into main (370cfde) will decrease coverage by 0.00%.
The diff coverage is 100.00%.


@@            Coverage Diff             @@
##             main   #15900      +/-   ##
==========================================
- Coverage   44.03%   44.02%   -0.01%     
==========================================
  Files         681      681              
  Lines       82340    82340              
==========================================
- Hits        36256    36254       -2     
+ Misses      40182    40179       -3     
- Partials     5902     5907       +5     
Impacted Files Coverage Δ
routers/api/v1/api.go 78.15% <100.00%> (ø)
modules/util/timer.go 42.85% <0.00%> (-42.86%) ⬇️
modules/avatar/avatar.go 47.72% <0.00%> (-4.55%) ⬇️
modules/charset/charset.go 71.71% <0.00%> (-4.05%) ⬇️
modules/log/event.go 59.90% <0.00%> (-1.89%) ⬇️
routers/api/v1/repo/pull.go 28.74% <0.00%> (+0.59%) ⬆️
modules/queue/manager.go 68.36% <0.00%> (+2.82%) ⬆️
modules/notification/mail/mail.go 41.83% <0.00%> (+3.06%) ⬆️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 16, 2021
@noerw noerw changed the title api: fix overly strict edit pr permissions api: fix overly strict permissions on edit PR May 16, 2021
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 16, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 17, 2021
lunny (Member) commented May 17, 2021

We can drop this overly strict permission requirement, as the more granular check (IsIssuePoster) is done in repo.EditPullRequest()

fixes #14025

I think we just missed Poster, but the original permission check should also be there.

noerw (Member, Author) commented May 17, 2021

@lunny I can't follow, how would you do it instead? :)

Adding a new middleware reqIssueEditor() in api.go implementing the same checks as EditPullRequest() would be loads of duplicated code, as well as duplicated work during each request 🤔

lunny (Member) commented May 17, 2021

Just change reqIssueEditor since Poster should have permission to edit the issue or pull request.

6543 (Member) commented May 17, 2021

The permission is checked in the func itself again ...

noerw (Member, Author) commented May 17, 2021

Here is an alternative implementation, that does the additional permission check via middleware: main...noerw:fix-14025-variant2
Running some local benchmarks, there is no significant cost induced by the duplicate checks (before 105 ms, after 110 ms average request time). Though this request time seems quite high in general, that's another story ;)

(I don't think the (potentially) better readability in api.go on this 2nd variant is worth the additional complexity)
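The two permission models argued over above (a write-only gate in the route middleware versus the poster-or-writer check inside the handler) are easy to lose in prose, so here is an added, self-contained Go illustration. It is not Gitea's code: the types (User, Issue, Permission, reqCtx) and the functions (reqUnitWriter, canEditIssue, editStatus) are assumptions for this example and are not the project's identifiers. It shows why the strict gate produced the "wrong permission model" from #14025 (the PR's own author is rejected before the handler runs), that the handler-level check admits the poster while still rejecting an unrelated user, and that keeping the strict gate in front of the granular check (the "variant2" approach) never changes the outcome for a user who already has write access.

```go
package main

import (
	"fmt"
	"net/http"
)

// Stand-in types for this illustration; they are not Gitea's models.
type User struct {
	ID   int64
	Name string
}

type Issue struct {
	ID       int64
	PosterID int64
	IsPull   bool
}

// Permission is the requesting user's access to the repository's
// issue and pull-request units (assumed shape).
type Permission struct {
	CanWriteIssues bool
	CanWritePulls  bool
}

// reqCtx bundles what an API handler would see for one request.
type reqCtx struct {
	Doer  User
	Issue Issue
	Perm  Permission
}

// reqUnitWriter models the overly strict route middleware: it admits only
// users with write access to the unit, so the author of a PR is rejected
// before the handler ever runs.
func reqUnitWriter(c reqCtx) bool {
	if c.Issue.IsPull {
		return c.Perm.CanWritePulls
	}
	return c.Perm.CanWriteIssues
}

// canEditIssue models the granular check done inside the handler:
// the poster may edit their own issue or PR, and so may anyone with
// write access to the unit.
func canEditIssue(c reqCtx) bool {
	if c.Issue.PosterID == c.Doer.ID {
		return true
	}
	return reqUnitWriter(c)
}

// editStatus returns the HTTP status an edit request would receive.
// strictGate=true runs the write-only middleware first (the buggy model);
// strictGate=false relies on the handler's granular check alone.
func editStatus(c reqCtx, strictGate bool) int {
	if strictGate && !reqUnitWriter(c) {
		return http.StatusForbidden
	}
	if !canEditIssue(c) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	// Constructed sample: PR #42 was opened by user 1 (alice).
	pr := Issue{ID: 42, PosterID: 1, IsPull: true}
	cases := []struct {
		label string
		c     reqCtx
	}{
		{"poster, no write access", reqCtx{User{1, "alice"}, pr, Permission{}}},
		{"collaborator with write access", reqCtx{User{2, "bob"}, pr, Permission{CanWriteIssues: true, CanWritePulls: true}}},
		{"unrelated user", reqCtx{User{3, "mallory"}, pr, Permission{}}},
	}
	fmt.Printf("%-32s %-12s %-12s\n", "actor", "strict gate", "handler only")
	for _, tc := range cases {
		fmt.Printf("%-32s %-12d %-12d\n", tc.label, editStatus(tc.c, true), editStatus(tc.c, false))
	}
}
```

The only row where the two columns differ is the poster without write access: 403 under the strict gate, 200 under the handler-only check. That row is the bug this PR fixes; the other two rows are why dropping the middleware does not widen access to anyone who was not already allowed by canEditIssue.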

@techknowlogick techknowlogick merged commit e542b41 into go-gitea:main May 19, 2021
@6543 6543 deleted the fix-14025-edit-pr-permissions branch June 6, 2021 03:19
6543 added a commit to 6543-forks/gitea that referenced this pull request Jun 6, 2021
@6543 6543 added the backport/done All backports for this PR have been created label Jun 6, 2021
6543 (Member) commented Jun 6, 2021

-> #16081

6543 added a commit that referenced this pull request Jun 6, 2021
Co-authored-by: 6543 <[email protected]>
Co-authored-by: Norwin <[email protected]>
Co-authored-by: zeripath <[email protected]>
Co-authored-by: Lunny Xiao <[email protected]>
AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this pull request Aug 10, 2021
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021
Labels
backport/done (All backports for this PR have been created); lgtm/done (This PR has enough approvals to get merged. There are no important open reservations anymore.); modifies/api (This PR adds API routes or modifies them); type/bug
Development

Successfully merging this pull request may close these issues.

[API] Edit PR has wrong permission model
8 participants