From 6bffaf5ecfe4c54f923612df9df25800f1180c12 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Sat, 4 Jun 2022 18:58:47 +0200
Subject: [PATCH 1/4] Move `/info` outside authorization
- To use the web's API to get information about a issue/pull on a repository, doesn't require authorization(nor that the repository isn't archived).
- Regressed by: #19318
---
 routers/web/web.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/routers/web/web.go b/routers/web/web.go
index 1e550286f9eb1..3e837c62d09d1 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -835,6 +835,11 @@ func RegisterRoutes(m *web.Route) {
 m.Combo("/compare/*", repo.MustBeNotEmpty, reqRepoCodeReader, repo.SetEditorconfigIfExists).
 Get(ignSignIn, repo.SetDiffViewStyle, repo.SetWhitespaceBehavior, repo.CompareDiff).
 Post(reqSignIn, context.RepoMustNotBeArchived(), reqRepoPullsReader, repo.MustAllowPulls, bindIgnErr(forms.CreateIssueForm{}), repo.SetWhitespaceBehavior, repo.CompareAndPullRequestPost)
+ m.Group("/{type:issues|pulls}", func() {
+ m.Group("/{index}", func() {
+ m.Get("/info", repo.GetIssueInfo)
+ })
+ })
 }, context.RepoAssignment, context.UnitTypes())
 // Grouping for those endpoints that do require authentication
@@ -851,7 +856,6 @@ func RegisterRoutes(m *web.Route) {
 // So they can apply their own enable/disable logic on routers.
 m.Group("/{type:issues|pulls}", func() {
 m.Group("/{index}", func() {
- m.Get("/info", repo.GetIssueInfo)
 m.Post("/title", repo.UpdateIssueTitle)
 m.Post("/content", repo.UpdateIssueContent)
 m.Post("/deadline", bindIgnErr(structs.EditDeadlineOption{}), repo.UpdateIssueDeadline)
From 5a574d5580aa372d95cd0ef327705bfcfacbeaf3 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Sat, 4 Jun 2022 19:10:02 +0100
Subject: [PATCH 2/4] Check we can read the issue we are looking at
Signed-off-by: Andrew Thornton
---
 routers/web/repo/issue.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
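Review bot: The added `m.Get("/info", repo.GetIssueInfo)` in the first hunk of 1/4 is registered in a group whose only visible middleware is `context.RepoAssignment, context.UnitTypes()`, so no sign-in or unit-reader middleware runs in front of the handler and read access to issue and pull data rests on `GetIssueInfo` alone. The handler-side read check is not part of this commit and only arrives in 2/4, so the two changes are better landed together (or 2/4 first) to avoid an intermediate revision in which neither the route nor the handler checks unit access. A comment at the route would keep that dependency visible, e.g. `// No reader middleware on /info: GetIssueInfo checks issue/pull unit read access itself.` `RegisterRoutes` starts and ends outside the hunk, so middleware applied further out is not visible here.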
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 079ccbf6cf968..d0ddf70485585 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1799,6 +1799,27 @@ func GetIssueInfo(ctx *context.Context) {
 }
 return
 }
+
+ if issue.IsPull {
+ // Need to check if Pulls are enabled and we can read Pulls
+ if !ctx.Repo.Repository.CanEnablePulls() || !ctx.Repo.CanRead(unit.TypePullRequests) {
+ ctx.Error(http.StatusNotFound)
+ return
+ }
+ } else {
+ // Need to check if Issues are enabled and we can read Issues
+ if !ctx.Repo.CanRead(unit.TypeIssues) &&
+ !ctx.Repo.CanRead(unit.TypeExternalTracker) {
+ ctx.Error(http.StatusNotFound)
+ return
+ }
+ _, err := ctx.Repo.Repository.GetUnit(unit.TypeExternalTracker)
+ if err == nil {
+ ctx.Error(http.StatusNotFound)
+ return
+ }
+ }
+
 ctx.JSON(http.StatusOK, convert.ToAPIIssue(issue))
 }
From ab9edc29327c8c9e044180396013931299297245 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Sat, 4 Jun 2022 19:12:28 +0100
Subject: [PATCH 3/4] Update routers/web/repo/issue.go
---
 routers/web/repo/issue.go | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index d0ddf70485585..a53ebff3820ce 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1808,13 +1808,7 @@ func GetIssueInfo(ctx *context.Context) {
 }
 } else {
 // Need to check if Issues are enabled and we can read Issues
- if !ctx.Repo.CanRead(unit.TypeIssues) &&
- !ctx.Repo.CanRead(unit.TypeExternalTracker) {
- ctx.Error(http.StatusNotFound)
- return
- }
- _, err := ctx.Repo.Repository.GetUnit(unit.TypeExternalTracker)
- if err == nil {
+ if !ctx.Repo.CanRead(unit.TypeIssues) {
 ctx.Error(http.StatusNotFound)
 return
 }
From 8a32fe6041cd9d6408248bb75819cb1552965958 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Sat, 4 Jun 2022 19:31:05 +0100
Subject: [PATCH 4/4] fix fmt
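Review bot: In the 2/4 hunk the pull-request branch's comment says it checks that pulls are enabled, but the condition calls `ctx.Repo.Repository.CanEnablePulls()`, whose name suggests "could be enabled" rather than "is enabled". Whether `ctx.Repo.CanRead(unit.TypePullRequests)` already fails for a disabled unit is not visible in the hunk; if it does, the comment should say what is actually enforced, e.g. `// 404 unless the repo supports pulls and the caller can read the pull-request unit`. Separately, the issue branch tests only `err == nil` on the `GetUnit(unit.TypeExternalTracker)` result, so any other lookup failure is treated like "no external tracker" and the request goes on to the 200 response; 3/4 removes that lookup. `GetIssueInfo` begins above the hunk.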
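Review bot: The 3/4 hunk keeps the comment `// Need to check if Issues are enabled and we can read Issues` above a condition that now only calls `ctx.Repo.CanRead(unit.TypeIssues)`, and the explicit 404 that 2/4 returned for repositories with an external tracker is dropped without explanation. Presumably `CanRead(unit.TypeIssues)` is false when the internal issues unit is disabled or replaced by an external tracker, but nothing in the hunk shows that. If it holds, the comment should state it, e.g. `// CanRead is false when the issues unit is disabled (including external-tracker repos), so those get 404 too.` The series touches only `web.go` and `issue.go`, so a test requesting `/info` on such a repository and expecting 404 would pin this access rule.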
Signed-off-by: Andrew Thornton
---
 routers/web/repo/issue.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index a53ebff3820ce..d418907a1f17c 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1808,7 +1808,7 @@ func GetIssueInfo(ctx *context.Context) {
 }
 } else {
 // Need to check if Issues are enabled and we can read Issues
- if !ctx.Repo.CanRead(unit.TypeIssues) {
+ if !ctx.Repo.CanRead(unit.TypeIssues) {
 ctx.Error(http.StatusNotFound)
 return
 }