From e3e06d13afdd882ca5934fde77217ff9554354c4 Mon Sep 17 00:00:00 2001 From: a1012112796 <1012112796@qq.com> Date: Fri, 17 Jun 2022 04:03:03 +0800 Subject: [PATCH] fix permission check for delete tag (#19985) fix #19970 by the way, fix some error response about protected tags. Signed-off-by: a1012112796 <1012112796@qq.com> --- routers/api/v1/repo/release.go | 6 ++++++ routers/api/v1/repo/release_tags.go | 7 +++++++ routers/api/v1/repo/tag.go | 14 ++++++++++++++ routers/web/repo/branch.go | 6 ++++++ routers/web/repo/release.go | 6 +++++- services/release/release.go | 14 ++++++++++++++ templates/swagger/v1_json.tmpl | 12 ++++++++++++ 7 files changed, 64 insertions(+), 1 deletion(-) diff --git a/routers/api/v1/repo/release.go b/routers/api/v1/repo/release.go index e454b418bb182..8dfe7e06d26f8 100644 --- a/routers/api/v1/repo/release.go +++ b/routers/api/v1/repo/release.go @@ -345,6 +345,8 @@ func DeleteRelease(ctx *context.APIContext) { // "$ref": "#/responses/empty" // "404": // "$ref": "#/responses/notFound" + // "405": + // "$ref": "#/responses/empty" id := ctx.ParamsInt64(":id") rel, err := models.GetReleaseByID(ctx, id) @@ -358,6 +360,10 @@ func DeleteRelease(ctx *context.APIContext) { return } if err := release_service.DeleteReleaseByID(ctx, id, ctx.Doer, false); err != nil { + if models.IsErrProtectedTagName(err) { + ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag") + return + } ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err) return } diff --git a/routers/api/v1/repo/release_tags.go b/routers/api/v1/repo/release_tags.go index a737bcf1c8f4c..73dee73e1a743 100644 --- a/routers/api/v1/repo/release_tags.go +++ b/routers/api/v1/repo/release_tags.go @@ -92,6 +92,8 @@ func DeleteReleaseByTag(ctx *context.APIContext) { // "$ref": "#/responses/empty" // "404": // "$ref": "#/responses/notFound" + // "405": + // "$ref": "#/responses/empty" tag := ctx.Params(":tag") @@ -111,7 +113,12 @@ func DeleteReleaseByTag(ctx *context.APIContext) { } if err = releaseservice.DeleteReleaseByID(ctx, release.ID, ctx.Doer, false); err != nil { + if models.IsErrProtectedTagName(err) { + ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag") + return + } ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err) + return } ctx.Status(http.StatusNoContent) diff --git a/routers/api/v1/repo/tag.go b/routers/api/v1/repo/tag.go index 894291275400b..433d823c7ebc0 100644 --- a/routers/api/v1/repo/tag.go +++ b/routers/api/v1/repo/tag.go @@ -176,6 +176,8 @@ func CreateTag(ctx *context.APIContext) { // "$ref": "#/responses/Tag" // "404": // "$ref": "#/responses/notFound" + // "405": + // "$ref": "#/responses/empty" // "409": // "$ref": "#/responses/conflict" form := web.GetForm(ctx).(*api.CreateTagOption) @@ -196,6 +198,11 @@ func CreateTag(ctx *context.APIContext) { ctx.Error(http.StatusConflict, "tag exist", err) return } + if models.IsErrProtectedTagName(err) { + ctx.Error(http.StatusMethodNotAllowed, "CreateNewTag", "user not allowed to create protected tag") + return + } + ctx.InternalServerError(err) return } @@ -236,6 +243,8 @@ func DeleteTag(ctx *context.APIContext) { // "$ref": "#/responses/empty" // "404": // "$ref": "#/responses/notFound" + // "405": + // "$ref": "#/responses/empty" // "409": // "$ref": "#/responses/conflict" tagName := ctx.Params("*") @@ -256,7 +265,12 @@ func DeleteTag(ctx *context.APIContext) { } if err = releaseservice.DeleteReleaseByID(ctx, tag.ID, ctx.Doer, true); err != nil { + if models.IsErrProtectedTagName(err) { + ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag") + return + } ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err) + return } ctx.Status(http.StatusNoContent) diff --git a/routers/web/repo/branch.go b/routers/web/repo/branch.go index 4bd2af4e8e4da..84970a96a10dd 100644 --- a/routers/web/repo/branch.go +++ b/routers/web/repo/branch.go @@ -373,6 +373,12 @@ func CreateBranch(ctx *context.Context) { err = repo_service.CreateNewBranchFromCommit(ctx, ctx.Doer, ctx.Repo.Repository, ctx.Repo.CommitID, form.NewBranchName) } if err != nil { + if models.IsErrProtectedTagName(err) { + ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected")) + ctx.Redirect(ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL()) + return + } + if models.IsErrTagAlreadyExists(err) { e := err.(models.ErrTagAlreadyExists) ctx.Flash.Error(ctx.Tr("repo.branch.tag_collision", e.TagName)) diff --git a/routers/web/repo/release.go b/routers/web/repo/release.go index fba3ef7a064cc..666294631ced5 100644 --- a/routers/web/repo/release.go +++ b/routers/web/repo/release.go @@ -519,7 +519,11 @@ func DeleteTag(ctx *context.Context) { func deleteReleaseOrTag(ctx *context.Context, isDelTag bool) { if err := releaseservice.DeleteReleaseByID(ctx, ctx.FormInt64("id"), ctx.Doer, isDelTag); err != nil { - ctx.Flash.Error("DeleteReleaseByID: " + err.Error()) + if models.IsErrProtectedTagName(err) { + ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected")) + } else { + ctx.Flash.Error("DeleteReleaseByID: " + err.Error()) + } } else { if isDelTag { ctx.Flash.Success(ctx.Tr("repo.release.deletion_tag_success")) diff --git a/services/release/release.go b/services/release/release.go index a3d7d47201d02..6fa966de1f352 100644 --- a/services/release/release.go +++ b/services/release/release.go @@ -294,6 +294,20 @@ func DeleteReleaseByID(ctx context.Context, id int64, doer *user_model.User, del } if delTag { + protectedTags, err := git_model.GetProtectedTags(rel.RepoID) + if err != nil { + return fmt.Errorf("GetProtectedTags: %v", err) + } + isAllowed, err := git_model.IsUserAllowedToControlTag(protectedTags, rel.TagName, rel.PublisherID) + if err != nil { + return err + } + if !isAllowed { + return models.ErrProtectedTagName{ + TagName: rel.TagName, + } + } + if stdout, _, err := git.NewCommand(ctx, "tag", "-d", rel.TagName). SetDescription(fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID)). RunStdString(&git.RunOpts{Dir: repo.RepoPath()}); err != nil && !strings.Contains(err.Error(), "not found") { diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl index ecc17b51c8af1..4da8b12af4bb1 100644 --- a/templates/swagger/v1_json.tmpl +++ b/templates/swagger/v1_json.tmpl @@ -8960,6 +8960,9 @@ }, "404": { "$ref": "#/responses/notFound" + }, + "405": { + "$ref": "#/responses/empty" } } } @@ -9043,6 +9046,9 @@ }, "404": { "$ref": "#/responses/notFound" + }, + "405": { + "$ref": "#/responses/empty" } } }, @@ -9811,6 +9817,9 @@ "404": { "$ref": "#/responses/notFound" }, + "405": { + "$ref": "#/responses/empty" + }, "409": { "$ref": "#/responses/conflict" } @@ -9898,6 +9907,9 @@ "404": { "$ref": "#/responses/notFound" }, + "405": { + "$ref": "#/responses/empty" + }, "409": { "$ref": "#/responses/conflict" }