Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix permission check for delete tag #19985

Merged
merged 4 commits into from
Jun 16, 2022
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions routers/api/v1/repo/release.go
Original file line number Diff line number Diff line change
Expand Up @@ -345,6 +345,8 @@ func DeleteRelease(ctx *context.APIContext) {
// "$ref": "#/responses/empty"
// "404":
// "$ref": "#/responses/notFound"
// "405":
// "$ref": "#/responses/empty"

id := ctx.ParamsInt64(":id")
rel, err := models.GetReleaseByID(ctx, id)
Expand All @@ -358,6 +360,10 @@ func DeleteRelease(ctx *context.APIContext) {
return
}
if err := release_service.DeleteReleaseByID(ctx, id, ctx.Doer, false); err != nil {
if models.IsErrProtectedTagName(err) {
ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag")
return
}
ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err)
return
}
Expand Down
7 changes: 7 additions & 0 deletions routers/api/v1/repo/release_tags.go
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,8 @@ func DeleteReleaseByTag(ctx *context.APIContext) {
// "$ref": "#/responses/empty"
// "404":
// "$ref": "#/responses/notFound"
// "405":
// "$ref": "#/responses/empty"

tag := ctx.Params(":tag")

Expand All @@ -111,7 +113,12 @@ func DeleteReleaseByTag(ctx *context.APIContext) {
}

if err = releaseservice.DeleteReleaseByID(ctx, release.ID, ctx.Doer, false); err != nil {
if models.IsErrProtectedTagName(err) {
ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag")
return
}
ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err)
return
}

ctx.Status(http.StatusNoContent)
Expand Down
14 changes: 14 additions & 0 deletions routers/api/v1/repo/tag.go
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,8 @@ func CreateTag(ctx *context.APIContext) {
// "$ref": "#/responses/Tag"
// "404":
// "$ref": "#/responses/notFound"
// "405":
// "$ref": "#/responses/empty"
// "409":
// "$ref": "#/responses/conflict"
form := web.GetForm(ctx).(*api.CreateTagOption)
Expand All @@ -196,6 +198,11 @@ func CreateTag(ctx *context.APIContext) {
ctx.Error(http.StatusConflict, "tag exist", err)
return
}
if models.IsErrProtectedTagName(err) {
ctx.Error(http.StatusMethodNotAllowed, "CreateNewTag", "user not allowed to create protected tag")
return
}

ctx.InternalServerError(err)
return
}
Expand Down Expand Up @@ -236,6 +243,8 @@ func DeleteTag(ctx *context.APIContext) {
// "$ref": "#/responses/empty"
// "404":
// "$ref": "#/responses/notFound"
// "405":
// "$ref": "#/responses/empty"
// "409":
// "$ref": "#/responses/conflict"
tagName := ctx.Params("*")
Expand All @@ -256,7 +265,12 @@ func DeleteTag(ctx *context.APIContext) {
}

if err = releaseservice.DeleteReleaseByID(ctx, tag.ID, ctx.Doer, true); err != nil {
if models.IsErrProtectedTagName(err) {
ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag")
return
}
ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err)
return
}

ctx.Status(http.StatusNoContent)
Expand Down
6 changes: 6 additions & 0 deletions routers/web/repo/branch.go
Original file line number Diff line number Diff line change
Expand Up @@ -373,6 +373,12 @@ func CreateBranch(ctx *context.Context) {
err = repo_service.CreateNewBranchFromCommit(ctx, ctx.Doer, ctx.Repo.Repository, ctx.Repo.CommitID, form.NewBranchName)
}
if err != nil {
if models.IsErrProtectedTagName(err) {
ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected"))
ctx.Redirect(ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL())
return
}

if models.IsErrTagAlreadyExists(err) {
e := err.(models.ErrTagAlreadyExists)
ctx.Flash.Error(ctx.Tr("repo.branch.tag_collision", e.TagName))
Expand Down
6 changes: 5 additions & 1 deletion routers/web/repo/release.go
Original file line number Diff line number Diff line change
Expand Up @@ -519,7 +519,11 @@ func DeleteTag(ctx *context.Context) {

func deleteReleaseOrTag(ctx *context.Context, isDelTag bool) {
if err := releaseservice.DeleteReleaseByID(ctx, ctx.FormInt64("id"), ctx.Doer, isDelTag); err != nil {
ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
if models.IsErrProtectedTagName(err) {
ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected"))
} else {
ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
}
} else {
if isDelTag {
ctx.Flash.Success(ctx.Tr("repo.release.deletion_tag_success"))
Expand Down
14 changes: 14 additions & 0 deletions services/release/release.go
Original file line number Diff line number Diff line change
Expand Up @@ -294,6 +294,20 @@ func DeleteReleaseByID(ctx context.Context, id int64, doer *user_model.User, del
}

if delTag {
protectedTags, err := git_model.GetProtectedTags(rel.RepoID)
if err != nil {
return fmt.Errorf("GetProtectedTags: %v", err)
}
isAllowed, err := git_model.IsUserAllowedToControlTag(protectedTags, rel.TagName, rel.PublisherID)
if err != nil {
return err
}
if !isAllowed {
return models.ErrProtectedTagName{
TagName: rel.TagName,
}
}

if stdout, _, err := git.NewCommand(ctx, "tag", "-d", rel.TagName).
SetDescription(fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID)).
RunStdString(&git.RunOpts{Dir: repo.RepoPath()}); err != nil && !strings.Contains(err.Error(), "not found") {
Expand Down
12 changes: 12 additions & 0 deletions templates/swagger/v1_json.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -8960,6 +8960,9 @@
},
"404": {
"$ref": "#/responses/notFound"
},
"405": {
"$ref": "#/responses/empty"
}
}
}
Expand Down Expand Up @@ -9043,6 +9046,9 @@
},
"404": {
"$ref": "#/responses/notFound"
},
"405": {
"$ref": "#/responses/empty"
}
}
},
Expand Down Expand Up @@ -9811,6 +9817,9 @@
"404": {
"$ref": "#/responses/notFound"
},
"405": {
"$ref": "#/responses/empty"
},
"409": {
"$ref": "#/responses/conflict"
}
Expand Down Expand Up @@ -9898,6 +9907,9 @@
"404": {
"$ref": "#/responses/notFound"
},
"405": {
"$ref": "#/responses/empty"
},
"409": {
"$ref": "#/responses/conflict"
}
Expand Down