fix permission check for delete tag (#19985) (#20001)

fix #19970

by the way, fix some error response about protected tags.

Signed-off-by: a1012112796 <1012112796@qq.com>
pull/20025/head
a1012112796 2022-06-18 05:52:47 +08:00 committed by GitHub
parent ae91913132
commit 4b7f0c6c38
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 64 additions and 1 deletions

View File

@ -344,6 +344,8 @@ func DeleteRelease(ctx *context.APIContext) {
// "$ref": "#/responses/empty" // "$ref": "#/responses/empty"
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
// "405":
// "$ref": "#/responses/empty"
id := ctx.ParamsInt64(":id") id := ctx.ParamsInt64(":id")
rel, err := models.GetReleaseByID(id) rel, err := models.GetReleaseByID(id)
@ -357,6 +359,10 @@ func DeleteRelease(ctx *context.APIContext) {
return return
} }
if err := releaseservice.DeleteReleaseByID(id, ctx.User, false); err != nil { if err := releaseservice.DeleteReleaseByID(id, ctx.User, false); err != nil {
if models.IsErrProtectedTagName(err) {
ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag")
return
}
ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err) ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err)
return return
} }

View File

@ -92,6 +92,8 @@ func DeleteReleaseByTag(ctx *context.APIContext) {
// "$ref": "#/responses/empty" // "$ref": "#/responses/empty"
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
// "405":
// "$ref": "#/responses/empty"
tag := ctx.Params(":tag") tag := ctx.Params(":tag")
@ -111,7 +113,12 @@ func DeleteReleaseByTag(ctx *context.APIContext) {
} }
if err = releaseservice.DeleteReleaseByID(release.ID, ctx.User, false); err != nil { if err = releaseservice.DeleteReleaseByID(release.ID, ctx.User, false); err != nil {
if models.IsErrProtectedTagName(err) {
ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag")
return
}
ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err) ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err)
return
} }
ctx.Status(http.StatusNoContent) ctx.Status(http.StatusNoContent)

View File

@ -176,6 +176,8 @@ func CreateTag(ctx *context.APIContext) {
// "$ref": "#/responses/Tag" // "$ref": "#/responses/Tag"
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
// "405":
// "$ref": "#/responses/empty"
// "409": // "409":
// "$ref": "#/responses/conflict" // "$ref": "#/responses/conflict"
form := web.GetForm(ctx).(*api.CreateTagOption) form := web.GetForm(ctx).(*api.CreateTagOption)
@ -196,6 +198,11 @@ func CreateTag(ctx *context.APIContext) {
ctx.Error(http.StatusConflict, "tag exist", err) ctx.Error(http.StatusConflict, "tag exist", err)
return return
} }
if models.IsErrProtectedTagName(err) {
ctx.Error(http.StatusMethodNotAllowed, "CreateNewTag", "user not allowed to create protected tag")
return
}
ctx.InternalServerError(err) ctx.InternalServerError(err)
return return
} }
@ -236,6 +243,8 @@ func DeleteTag(ctx *context.APIContext) {
// "$ref": "#/responses/empty" // "$ref": "#/responses/empty"
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
// "405":
// "$ref": "#/responses/empty"
// "409": // "409":
// "$ref": "#/responses/conflict" // "$ref": "#/responses/conflict"
tagName := ctx.Params("*") tagName := ctx.Params("*")
@ -256,7 +265,12 @@ func DeleteTag(ctx *context.APIContext) {
} }
if err = releaseservice.DeleteReleaseByID(tag.ID, ctx.User, true); err != nil { if err = releaseservice.DeleteReleaseByID(tag.ID, ctx.User, true); err != nil {
if models.IsErrProtectedTagName(err) {
ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag")
return
}
ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err) ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err)
return
} }
ctx.Status(http.StatusNoContent) ctx.Status(http.StatusNoContent)

View File

@ -370,6 +370,12 @@ func CreateBranch(ctx *context.Context) {
err = repo_service.CreateNewBranchFromCommit(ctx.User, ctx.Repo.Repository, ctx.Repo.CommitID, form.NewBranchName) err = repo_service.CreateNewBranchFromCommit(ctx.User, ctx.Repo.Repository, ctx.Repo.CommitID, form.NewBranchName)
} }
if err != nil { if err != nil {
if models.IsErrProtectedTagName(err) {
ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected"))
ctx.Redirect(ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL())
return
}
if models.IsErrTagAlreadyExists(err) { if models.IsErrTagAlreadyExists(err) {
e := err.(models.ErrTagAlreadyExists) e := err.(models.ErrTagAlreadyExists)
ctx.Flash.Error(ctx.Tr("repo.branch.tag_collision", e.TagName)) ctx.Flash.Error(ctx.Tr("repo.branch.tag_collision", e.TagName))

View File

@ -519,7 +519,11 @@ func DeleteTag(ctx *context.Context) {
func deleteReleaseOrTag(ctx *context.Context, isDelTag bool) { func deleteReleaseOrTag(ctx *context.Context, isDelTag bool) {
if err := releaseservice.DeleteReleaseByID(ctx.FormInt64("id"), ctx.User, isDelTag); err != nil { if err := releaseservice.DeleteReleaseByID(ctx.FormInt64("id"), ctx.User, isDelTag); err != nil {
ctx.Flash.Error("DeleteReleaseByID: " + err.Error()) if models.IsErrProtectedTagName(err) {
ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected"))
} else {
ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
}
} else { } else {
if isDelTag { if isDelTag {
ctx.Flash.Success(ctx.Tr("repo.release.deletion_tag_success")) ctx.Flash.Success(ctx.Tr("repo.release.deletion_tag_success"))

View File

@ -295,6 +295,20 @@ func DeleteReleaseByID(id int64, doer *user_model.User, delTag bool) error {
} }
if delTag { if delTag {
protectedTags, err := models.GetProtectedTags(rel.RepoID)
if err != nil {
return fmt.Errorf("GetProtectedTags: %v", err)
}
isAllowed, err := models.IsUserAllowedToControlTag(protectedTags, rel.TagName, rel.PublisherID)
if err != nil {
return err
}
if !isAllowed {
return models.ErrProtectedTagName{
TagName: rel.TagName,
}
}
if stdout, err := git.NewCommand("tag", "-d", rel.TagName). if stdout, err := git.NewCommand("tag", "-d", rel.TagName).
SetDescription(fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID)). SetDescription(fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID)).
RunInDir(repo.RepoPath()); err != nil && !strings.Contains(err.Error(), "not found") { RunInDir(repo.RepoPath()); err != nil && !strings.Contains(err.Error(), "not found") {

View File

@ -8515,6 +8515,9 @@
}, },
"404": { "404": {
"$ref": "#/responses/notFound" "$ref": "#/responses/notFound"
},
"405": {
"$ref": "#/responses/empty"
} }
} }
} }
@ -8598,6 +8601,9 @@
}, },
"404": { "404": {
"$ref": "#/responses/notFound" "$ref": "#/responses/notFound"
},
"405": {
"$ref": "#/responses/empty"
} }
} }
}, },
@ -9366,6 +9372,9 @@
"404": { "404": {
"$ref": "#/responses/notFound" "$ref": "#/responses/notFound"
}, },
"405": {
"$ref": "#/responses/empty"
},
"409": { "409": {
"$ref": "#/responses/conflict" "$ref": "#/responses/conflict"
} }
@ -9453,6 +9462,9 @@
"404": { "404": {
"$ref": "#/responses/notFound" "$ref": "#/responses/notFound"
}, },
"405": {
"$ref": "#/responses/empty"
},
"409": { "409": {
"$ref": "#/responses/conflict" "$ref": "#/responses/conflict"
} }