- Gitea version (or commit ref): 1.10.0+dev-326-gc05b89a5a
- Can you reproduce the bug at https://try.gitea.io:
  - Yes (provide example URL)
  - No
  - Not relevant

Description
I have 2 repos: test and onemore. In the onemore repo I have a release ID 3281927. test has no releases.
Using the API I can upload a file to a release. This works great:
curl -X POST "https://bobemoe:xxx@try.gitea.io/api/v1/repos/bobemoe/onemore/releases/3281927/assets?name=test" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "attachment=@/home/bob/Downloads/Testing-2-150x150.png;type=image/png"
However, if I get the wrong repo name, test rather than onemore, it still uploads to the release in onemore.
Maybe there should be a permission check to make sure the release is part of the repo specified:
curl -X POST "https://bobemoe:xxx@try.gitea.io/api/v1/repos/bobemoe/test/releases/3281927/assets?name=test" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "attachment=@/home/bob/Downloads/Testing-2-150x150.png;type=image/png"
Additionally, I can upload to a release that is probably owned by someone else: release 3281920!!
curl -X POST "https://bobemoe:xxx@try.gitea.io/api/v1/repos/bobemoe/test/releases/3281920/assets?name=test" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "attachment=@/home/bob/Downloads/Testing-2-150x150.png;type=image/png"
The file uploaded fine: https://try.gitea.io/attachments/182c448c-b3dc-41b0-b649-518819950ec2 but I have no idea whose repo/release that went to! cough :/
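The missing check the report describes, as an added illustration that is not Gitea's code: the release ID from the URL is only accepted if the release belongs to the repository the URL names, and a release that exists in another repo is answered exactly like a release that does not exist. The `Release` type, the `releases` map, the repo IDs and the function names are assumptions constructed for this example; the release IDs are the ones from the report.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal stand-in for a release row (assumed shape, not Gitea's model).
type Release struct {
	ID     int64
	RepoID int64
}

// ErrReleaseNotFound is returned both when the ID is unknown and when the
// release lives in a different repo, so the caller cannot tell them apart.
var ErrReleaseNotFound = errors.New("release not found in this repository")

// Constructed sample data: repo 2 is "onemore", repo 1 is "test" (no releases),
// and release 3281920 belongs to some other user's repo (ID 99).
var repos = map[string]int64{"test": 1, "onemore": 2}
var releases = map[int64]Release{
	3281927: {ID: 3281927, RepoID: 2},
	3281920: {ID: 3281920, RepoID: 99},
}

// ResolveReleaseForRepo scopes the release lookup to the repo from the URL.
func ResolveReleaseForRepo(repoID, releaseID int64) (Release, error) {
	rel, ok := releases[releaseID]
	if !ok || rel.RepoID != repoID {
		return Release{}, ErrReleaseNotFound
	}
	return rel, nil
}

// AttachAssetStatus mimics POST /repos/{owner}/{repo}/releases/{id}/assets:
// 404 for an unknown repo or a release outside it, 201 when the asset may be attached.
func AttachAssetStatus(repoName string, releaseID int64) int {
	repoID, ok := repos[repoName]
	if !ok {
		return 404
	}
	if _, err := ResolveReleaseForRepo(repoID, releaseID); err != nil {
		return 404
	}
	return 201
}

func main() {
	fmt.Println(AttachAssetStatus("onemore", 3281927)) // 201: release is in this repo
	fmt.Println(AttachAssetStatus("test", 3281927))    // 404: wrong repo in the URL
	fmt.Println(AttachAssetStatus("test", 3281920))    // 404: someone else's release
}
```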