From 467ff4d34302f6ecab959d61bf3944a2bdf125d0 Mon Sep 17 00:00:00 2001 From: Jonas Franz Date: Tue, 19 Jun 2018 17:15:11 +0200 Subject: [PATCH] Fix milestone appliance and permission checks (#4271) * Fix milestone appliance Fix missing permission check Signed-off-by: Jonas Franz * Fix comment * Add Gitea copyright line --- routers/api/v1/repo/issue.go | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/routers/api/v1/repo/issue.go b/routers/api/v1/repo/issue.go index 211d8045a45b..7be39166d28a 100644 --- a/routers/api/v1/repo/issue.go +++ b/routers/api/v1/repo/issue.go @@ -1,4 +1,5 @@ // Copyright 2016 The Gogs Authors. All rights reserved. +// Copyright 2018 The Gitea Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. @@ -165,7 +166,7 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) { // "$ref": "#/responses/Issue" var deadlineUnix util.TimeStamp - if form.Deadline != nil { + if form.Deadline != nil && ctx.Repo.IsWriter() { deadlineUnix = util.TimeStamp(form.Deadline.Unix()) } @@ -178,15 +179,22 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) { DeadlineUnix: deadlineUnix, } - // Get all assignee IDs - assigneeIDs, err := models.MakeIDsFromAPIAssigneesToAdd(form.Assignee, form.Assignees) - if err != nil { - if models.IsErrUserNotExist(err) { - ctx.Error(422, "", fmt.Sprintf("Assignee does not exist: [name: %s]", err)) - } else { - ctx.Error(500, "AddAssigneeByName", err) + var assigneeIDs = make([]int64, 0) + var err error + if ctx.Repo.IsWriter() { + issue.MilestoneID = form.Milestone + assigneeIDs, err = models.MakeIDsFromAPIAssigneesToAdd(form.Assignee, form.Assignees) + if err != nil { + if models.IsErrUserNotExist(err) { + ctx.Error(422, "", fmt.Sprintf("Assignee does not exist: [name: %s]", err)) + } else { + ctx.Error(500, "AddAssigneeByName", err) + } + return } - return + } else { + // setting labels is not allowed if user is not a writer + form.Labels = make([]int64, 0) } if err := models.NewIssue(ctx.Repo.Repository, issue, form.Labels, assigneeIDs, nil); err != nil {