Fix issue label deletion with Actions tokens (#37013)

Use shared repo permission resolution for Actions task users in issue
label remove and clear paths, and add a regression test for deleting
issue labels with a Gitea Actions token.

This fixes issue label deletion when the request is authenticated with a
Gitea Actions token.
Fixes #37011 

The bug was that the delete path re-resolved repository permissions
using the normal user permission helper, which does not handle Actions
task users. As a result, `DELETE
/api/v1/repos/{owner}/{repo}/issues/{index}/labels/{id}` could return
`500` for Actions tokens even though label listing and label addition
worked.

---------

Co-authored-by: Codex <codex@openai.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
This commit is contained in:
Nicolas
2026-03-29 11:21:14 +02:00
committed by GitHub
parent a1b0bffd0c
commit db7eb4d51b
61 changed files with 268 additions and 181 deletions
+14 -14
View File
@@ -47,7 +47,7 @@ func (n *actionsNotifier) NewIssue(ctx context.Context, issue *issues_model.Issu
log.Error("issue.LoadPoster: %v", err)
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
newNotifyInputFromIssue(issue, webhook_module.HookEventIssues).WithPayload(&api.IssuePayload{
Action: api.HookIssueOpened,
@@ -76,7 +76,7 @@ func (n *actionsNotifier) notifyIssueChangeWithTitleOrContent(ctx context.Contex
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
if issue.IsPull {
if err = issue.LoadPullRequest(ctx); err != nil {
log.Error("loadPullRequest: %v", err)
@@ -110,7 +110,7 @@ func (n *actionsNotifier) notifyIssueChangeWithTitleOrContent(ctx context.Contex
// IssueChangeStatus notifies close or reopen issue to notifiers
func (n *actionsNotifier) IssueChangeStatus(ctx context.Context, doer *user_model.User, commitID string, issue *issues_model.Issue, _ *issues_model.Comment, isClosed bool) {
ctx = withMethod(ctx, "IssueChangeStatus")
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
if issue.IsPull {
if err := issue.LoadPullRequest(ctx); err != nil {
log.Error("LoadPullRequest: %v", err)
@@ -259,7 +259,7 @@ func notifyIssueChange(ctx context.Context, doer *user_model.User, issue *issues
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
payload := &api.IssuePayload{
Action: action,
Index: issue.Index,
@@ -322,7 +322,7 @@ func notifyIssueCommentChange(ctx context.Context, doer *user_model.User, commen
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, comment.Issue.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, comment.Issue.Repo, doer)
payload := &api.IssueCommentPayload{
Action: action,
@@ -376,7 +376,7 @@ func (n *actionsNotifier) NewPullRequest(ctx context.Context, pull *issues_model
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, pull.Issue.Repo, pull.Issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, pull.Issue.Repo, pull.Issue.Poster)
newNotifyInputFromIssue(pull.Issue, webhook_module.HookEventPullRequest).
WithPayload(&api.PullRequestPayload{
@@ -404,8 +404,8 @@ func (n *actionsNotifier) CreateRepository(ctx context.Context, doer, u *user_mo
func (n *actionsNotifier) ForkRepository(ctx context.Context, doer *user_model.User, oldRepo, repo *repo_model.Repository) {
ctx = withMethod(ctx, "ForkRepository")
oldPermission, _ := access_model.GetUserRepoPermission(ctx, oldRepo, doer)
permission, _ := access_model.GetUserRepoPermission(ctx, repo, doer)
oldPermission, _ := access_model.GetDoerRepoPermission(ctx, oldRepo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, repo, doer)
// forked webhook
newNotifyInput(oldRepo, doer, webhook_module.HookEventFork).WithPayload(&api.ForkPayload{
@@ -452,9 +452,9 @@ func (n *actionsNotifier) PullRequestReview(ctx context.Context, pr *issues_mode
return
}
permission, err := access_model.GetUserRepoPermission(ctx, review.Issue.Repo, review.Issue.Poster)
permission, err := access_model.GetIndividualUserRepoPermission(ctx, review.Issue.Repo, review.Issue.Poster)
if err != nil {
log.Error("models.GetUserRepoPermission: %v", err)
log.Error("models.GetIndividualUserRepoPermission: %v", err)
return
}
@@ -481,7 +481,7 @@ func (n *actionsNotifier) PullRequestReviewRequest(ctx context.Context, doer *us
ctx = withMethod(ctx, "PullRequestReviewRequest")
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
if err := issue.LoadPullRequest(ctx); err != nil {
log.Error("LoadPullRequest failed: %v", err)
return
@@ -525,9 +525,9 @@ func (*actionsNotifier) MergePullRequest(ctx context.Context, doer *user_model.U
return
}
permission, err := access_model.GetUserRepoPermission(ctx, pr.Issue.Repo, doer)
permission, err := access_model.GetDoerRepoPermission(ctx, pr.Issue.Repo, doer)
if err != nil {
log.Error("models.GetUserRepoPermission: %v", err)
log.Error("models.GetDoerRepoPermission: %v", err)
return
}
@@ -723,7 +723,7 @@ func (n *actionsNotifier) PullRequestChangeTargetBranch(ctx context.Context, doe
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, pr.Issue.Repo, pr.Issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, pr.Issue.Repo, pr.Issue.Poster)
newNotifyInput(pr.Issue.Repo, doer, webhook_module.HookEventPullRequest).
WithPayload(&api.PullRequestPayload{
Action: api.HookIssueEdited,
+3 -3
View File
@@ -362,7 +362,7 @@ func notifyRelease(ctx context.Context, doer *user_model.User, rel *repo_model.R
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, rel.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, rel.Repo, doer)
newNotifyInput(rel.Repo, doer, webhook_module.HookEventRelease).
WithRef(git.RefNameFromTag(rel.TagName).String()).
@@ -413,8 +413,8 @@ func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *rep
}
// don't need approval if the user can write
if perm, err := access_model.GetUserRepoPermission(ctx, repo, user); err != nil {
return false, fmt.Errorf("GetUserRepoPermission: %w", err)
if perm, err := access_model.GetDoerRepoPermission(ctx, repo, user); err != nil {
return false, fmt.Errorf("GetDoerRepoPermission: %w", err)
} else if perm.CanWrite(unit_model.TypeActions) {
log.Trace("do not need approval because user %d can write", user.ID)
return false, nil
+2 -2
View File
@@ -245,9 +245,9 @@ func handlePullRequestAutoMerge(pullID int64, sha string) {
return
}
perm, err := access_model.GetUserRepoPermission(ctx, pr.BaseRepo, doer)
perm, err := access_model.GetDoerRepoPermission(ctx, pr.BaseRepo, doer)
if err != nil {
log.Error("GetUserRepoPermission %-v: %v", pr.BaseRepo, err)
log.Error("GetDoerRepoPermission %-v: %v", pr.BaseRepo, err)
return
}
+4 -4
View File
@@ -344,9 +344,9 @@ func RetrieveTemplateRepo(ctx *Context, repo *repo_model.Repository) {
return
}
perm, err := access_model.GetUserRepoPermission(ctx, templateRepo, ctx.Doer)
perm, err := access_model.GetDoerRepoPermission(ctx, templateRepo, ctx.Doer)
if err != nil {
ctx.ServerError("GetUserRepoPermission", err)
ctx.ServerError("GetDoerRepoPermission", err)
return
}
@@ -421,9 +421,9 @@ func repoAssignment(ctx *Context, repo *repo_model.Repository) {
if ctx.DoerNeedTwoFactorAuth() {
ctx.Repo.Permission = access_model.PermissionNoAccess()
} else {
ctx.Repo.Permission, err = access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
ctx.Repo.Permission, err = access_model.GetDoerRepoPermission(ctx, repo, ctx.Doer)
if err != nil {
ctx.ServerError("GetUserRepoPermission", err)
ctx.ServerError("GetDoerRepoPermission", err)
return
}
}
+1 -1
View File
@@ -125,7 +125,7 @@ func LoadRepo(t *testing.T, ctx gocontext.Context, repoID int64) {
repo.Owner, err = user_model.GetUserByID(ctx, repo.Repository.OwnerID)
assert.NoError(t, err)
repo.RepoLink = repo.Repository.Link()
repo.Permission, err = access_model.GetUserRepoPermission(ctx, repo.Repository, doer)
repo.Permission, err = access_model.GetDoerRepoPermission(ctx, repo.Repository, doer)
assert.NoError(t, err)
}
+2 -2
View File
@@ -15,9 +15,9 @@ import (
)
func ToActivity(ctx context.Context, ac *activities_model.Action, doer *user_model.User) *api.Activity {
p, err := access_model.GetUserRepoPermission(ctx, ac.Repo, doer)
p, err := access_model.GetDoerRepoPermission(ctx, ac.Repo, doer)
if err != nil {
log.Error("GetUserRepoPermission[%d]: %v", ac.RepoID, err)
log.Error("GetDoerRepoPermission[%d]: %v", ac.RepoID, err)
p.AccessMode = perm_model.AccessModeNone
}
+2 -2
View File
@@ -72,7 +72,7 @@ func ToBranch(ctx context.Context, repo *repo_model.Repository, branchName strin
return nil, err
}
perms, err := access_model.GetUserRepoPermission(ctx, repo, user)
perms, err := access_model.GetIndividualUserRepoPermission(ctx, repo, user)
if err != nil {
return nil, err
}
@@ -105,7 +105,7 @@ func ToBranch(ctx context.Context, repo *repo_model.Repository, branchName strin
}
if user != nil {
permission, err := access_model.GetUserRepoPermission(ctx, repo, user)
permission, err := access_model.GetIndividualUserRepoPermission(ctx, repo, user)
if err != nil {
return nil, err
}
+2 -2
View File
@@ -200,7 +200,7 @@ func ToStopWatches(ctx context.Context, doer *user_model.User, sws []*issues_mod
// ADD: Check user permissions
perm, ok := permCache[repo.ID]
if !ok {
perm, err = access_model.GetUserRepoPermission(ctx, repo, doer)
perm, err = access_model.GetDoerRepoPermission(ctx, repo, doer)
if err != nil {
continue
}
@@ -234,7 +234,7 @@ func ToTrackedTimeList(ctx context.Context, doer *user_model.User, tl issues_mod
continue
}
perm, err := cache.GetWithEphemeralCache(ctx, permCache, "repo-perm", t.Issue.RepoID, func(ctx context.Context, repoID int64) (access_model.Permission, error) {
return access_model.GetUserRepoPermission(ctx, t.Issue.Repo, doer)
return access_model.GetDoerRepoPermission(ctx, t.Issue.Repo, doer)
})
if err != nil {
continue
+2 -2
View File
@@ -25,9 +25,9 @@ func ToNotificationThread(ctx context.Context, n *activities_model.Notification)
// since user only get notifications when he has access to use minimal access mode
if n.Repository != nil {
perm, err := access_model.GetUserRepoPermission(ctx, n.Repository, n.User)
perm, err := access_model.GetIndividualUserRepoPermission(ctx, n.Repository, n.User)
if err != nil {
log.Error("GetUserRepoPermission failed: %v", err)
log.Error("GetIndividualUserRepoPermission failed: %v", err)
return result
}
if perm.HasAnyUnitAccessOrPublicAccess() { // if user has been revoked access to repo, do not show repo info
+1 -1
View File
@@ -16,7 +16,7 @@ import (
func ToPackage(ctx context.Context, pd *packages.PackageDescriptor, doer *user_model.User) (*api.Package, error) {
var repo *api.Repository
if pd.Repository != nil {
permission, err := access_model.GetUserRepoPermission(ctx, pd.Repository, doer)
permission, err := access_model.GetDoerRepoPermission(ctx, pd.Repository, doer)
if err != nil {
return nil, err
}
+8 -8
View File
@@ -63,11 +63,11 @@ func ToAPIPullRequest(ctx context.Context, pr *issues_model.PullRequest, doer *u
repoUserPerm, err := cache.GetWithContextCache(ctx, cachegroup.RepoUserPermission, fmt.Sprintf("%d-%d", pr.BaseRepoID, doerID),
func(ctx context.Context, _ string) (access_model.Permission, error) {
return access_model.GetUserRepoPermission(ctx, pr.BaseRepo, doer)
return access_model.GetDoerRepoPermission(ctx, pr.BaseRepo, doer)
},
)
if err != nil {
log.Error("GetUserRepoPermission[%d]: %v", pr.BaseRepoID, err)
log.Error("GetDoerRepoPermission[%d]: %v", pr.BaseRepoID, err)
repoUserPerm.AccessMode = perm.AccessModeNone
}
@@ -181,9 +181,9 @@ func ToAPIPullRequest(ctx context.Context, pr *issues_model.PullRequest, doer *u
}
if pr.HeadRepo != nil && pr.Flow == issues_model.PullRequestFlowGithub {
p, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, doer)
p, err := access_model.GetDoerRepoPermission(ctx, pr.HeadRepo, doer)
if err != nil {
log.Error("GetUserRepoPermission[%d]: %v", pr.HeadRepoID, err)
log.Error("GetDoerRepoPermission[%d]: %v", pr.HeadRepoID, err)
p.AccessMode = perm.AccessModeNone
}
@@ -334,9 +334,9 @@ func ToAPIPullRequests(ctx context.Context, baseRepo *repo_model.Repository, prs
}
defer gitRepo.Close()
baseRepoPerm, err := access_model.GetUserRepoPermission(ctx, baseRepo, doer)
baseRepoPerm, err := access_model.GetDoerRepoPermission(ctx, baseRepo, doer)
if err != nil {
log.Error("GetUserRepoPermission[%d]: %v", baseRepo.ID, err)
log.Error("GetDoerRepoPermission[%d]: %v", baseRepo.ID, err)
baseRepoPerm.AccessMode = perm.AccessModeNone
}
@@ -435,9 +435,9 @@ func ToAPIPullRequests(ctx context.Context, baseRepo *repo_model.Repository, prs
apiPullRequest.Head.Ref = pr.HeadBranch
}
if pr.HeadRepoID != pr.BaseRepoID {
p, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, doer)
p, err := access_model.GetDoerRepoPermission(ctx, pr.HeadRepo, doer)
if err != nil {
log.Error("GetUserRepoPermission[%d]: %v", pr.HeadRepoID, err)
log.Error("GetDoerRepoPermission[%d]: %v", pr.HeadRepoID, err)
p.AccessMode = perm.AccessModeNone
}
apiPullRequest.Head.Repository = ToRepo(ctx, pr.HeadRepo, p)
+1 -1
View File
@@ -132,7 +132,7 @@ func NotifyWatchers(ctx context.Context, acts ...*activities_model.Action) error
permPR[i] = false
continue
}
perm, err := access_model.GetUserRepoPermission(ctx, repo, user)
perm, err := access_model.GetIndividualUserRepoPermission(ctx, repo, user)
if err != nil {
permCode[i] = false
permIssue[i] = false
+2 -2
View File
@@ -103,14 +103,14 @@ func isValidReviewRequest(ctx context.Context, reviewer, doer *user_model.User,
}
}
permReviewer, err := access_model.GetUserRepoPermission(ctx, issue.Repo, reviewer)
permReviewer, err := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, reviewer)
if err != nil {
return err
}
if permDoer == nil {
permDoer = new(access_model.Permission)
*permDoer, err = access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
*permDoer, err = access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
if err != nil {
return err
}
+1 -1
View File
@@ -157,7 +157,7 @@ func UpdateIssuesCommit(ctx context.Context, doer *user_model.User, repo *repo_m
continue
}
perm, err := access_model.GetUserRepoPermission(ctx, refRepo, doer)
perm, err := access_model.GetDoerRepoPermission(ctx, refRepo, doer)
if err != nil {
return err
}
+1 -1
View File
@@ -51,7 +51,7 @@ func RemoveLabel(ctx context.Context, issue *issues_model.Issue, doer *user_mode
return err
}
perm, err := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
perm, err := access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
if err != nil {
return err
}
+2 -2
View File
@@ -550,9 +550,9 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
}
// it works for both anonymous request and signed-in user, then perm.CanAccess will do the permission check
perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
perm, err := access_model.GetDoerRepoPermission(ctx, repository, ctx.Doer)
if err != nil {
log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository, err)
log.Error("Unable to GetDoerRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository, err)
return false
}
+2 -2
View File
@@ -67,7 +67,7 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
return err
}
perm, err := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
perm, err := access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
if err != nil {
return err
}
@@ -171,7 +171,7 @@ func (h *UnsubscribeHandler) Handle(ctx context.Context, _ *MailContent, doer *u
return err
}
perm, err := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
perm, err := access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
if err != nil {
return err
}
+1 -1
View File
@@ -42,7 +42,7 @@ func renderRepoFileCodePreview(ctx context.Context, opts markup.RenderCodePrevie
}
doer := webCtx.Doer
perms, err := access.GetUserRepoPermission(ctx, dbRepo, doer)
perms, err := access.GetDoerRepoPermission(ctx, dbRepo, doer)
if err != nil {
return "", err
}
@@ -43,7 +43,7 @@ func renderRepoIssueIconTitle(ctx context.Context, opts markup.RenderIssueIconTi
}
if webCtx.Repo.Repository == nil || dbRepo.ID != webCtx.Repo.Repository.ID {
perms, err := access.GetUserRepoPermission(ctx, dbRepo, webCtx.Doer)
perms, err := access.GetDoerRepoPermission(ctx, dbRepo, webCtx.Doer)
if err != nil {
return "", err
}
+2 -2
View File
@@ -24,7 +24,7 @@ func LinkToRepository(ctx context.Context, pkg *packages_model.Package, repo *re
return util.ErrInvalidArgument
}
perms, err := access_model.GetUserRepoPermission(ctx, repo, doer)
perms, err := access_model.GetDoerRepoPermission(ctx, repo, doer)
if err != nil {
return fmt.Errorf("error getting permissions for user %d on repository %d: %w", doer.ID, repo.ID, err)
}
@@ -48,7 +48,7 @@ func UnlinkFromRepository(ctx context.Context, pkg *packages_model.Package, doer
return fmt.Errorf("error getting repository %d: %w", pkg.RepoID, err)
}
if err == nil {
perms, err := access_model.GetUserRepoPermission(ctx, repo, doer)
perms, err := access_model.GetDoerRepoPermission(ctx, repo, doer)
if err != nil {
return fmt.Errorf("error getting permissions for user %d on repository %d: %w", doer.ID, repo.ID, err)
}
+1 -1
View File
@@ -26,7 +26,7 @@ func SetAllowEdits(ctx context.Context, doer *user_model.User, pr *issues_model.
return err
}
permission, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, doer)
permission, err := access_model.GetDoerRepoPermission(ctx, pr.HeadRepo, doer)
if err != nil {
return err
}
+2 -2
View File
@@ -79,7 +79,7 @@ func NewPullRequest(ctx context.Context, opts *NewPullRequestOptions) error {
if err := pr.LoadHeadRepo(ctx); err != nil {
return err
}
perm, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, issue.Poster)
perm, err := access_model.GetDoerRepoPermission(ctx, pr.HeadRepo, issue.Poster)
if err != nil {
return err
}
@@ -159,7 +159,7 @@ func NewPullRequest(ctx context.Context, opts *NewPullRequestOptions) error {
// Request reviews, these should be requested before other notifications because they will add request reviews record
// on database
permDoer, err := access_model.GetUserRepoPermission(ctx, repo, issue.Poster)
permDoer, err := access_model.GetDoerRepoPermission(ctx, repo, issue.Poster)
if err != nil {
return err
}
+2 -2
View File
@@ -108,7 +108,7 @@ func isUserAllowedToPushOrForcePushInRepoBranch(ctx context.Context, user *user_
}
// 1. check user push permission on the given repository
repoPerm, err := access_model.GetUserRepoPermission(ctx, repo, user)
repoPerm, err := access_model.GetDoerRepoPermission(ctx, repo, user)
if err != nil {
if repo_model.IsErrUnitTypeNotExist(err) {
return false, false, nil
@@ -166,7 +166,7 @@ func IsUserAllowedToUpdate(ctx context.Context, pull *issues_model.PullRequest,
// 4. if the pull creator allows maintainer to edit, we need to check whether
// user is a maintainer (has permission to merge into base branch) and inherit pull request poster's permission
if pull.AllowMaintainerEdit && (!pushAllowed || !rebaseAllowed) {
baseRepoPerm, err := access_model.GetUserRepoPermission(ctx, pull.BaseRepo, user)
baseRepoPerm, err := access_model.GetDoerRepoPermission(ctx, pull.BaseRepo, user)
if err != nil {
return false, false, err
}
+2 -2
View File
@@ -419,7 +419,7 @@ func RenameBranch(ctx context.Context, repo *repo_model.Repository, doer *user_m
return "", err
}
perm, err := access_model.GetUserRepoPermission(ctx, repo, doer)
perm, err := access_model.GetDoerRepoPermission(ctx, repo, doer)
if err != nil {
return "", err
}
@@ -555,7 +555,7 @@ func CanDeleteBranch(ctx context.Context, repo *repo_model.Repository, branchNam
return ErrBranchIsDefault
}
perm, err := access_model.GetUserRepoPermission(ctx, repo, doer)
perm, err := access_model.GetDoerRepoPermission(ctx, repo, doer)
if err != nil {
return err
}
+2 -2
View File
@@ -539,9 +539,9 @@ func canUserCancelTransfer(ctx context.Context, r *repo_model.RepoTransfer, u *u
return r.Repo.OwnerID == u.ID
}
perm, err := access_model.GetUserRepoPermission(ctx, r.Repo, u)
perm, err := access_model.GetIndividualUserRepoPermission(ctx, r.Repo, u)
if err != nil {
log.Error("GetUserRepoPermission: %v", err)
log.Error("GetIndividualUserRepoPermission: %v", err)
return false
}
return perm.IsOwner()
+23 -23
View File
@@ -53,7 +53,7 @@ func (m *webhookNotifier) IssueClearLabels(ctx context.Context, doer *user_model
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
var err error
if issue.IsPull {
if err = issue.LoadPullRequest(ctx); err != nil {
@@ -83,8 +83,8 @@ func (m *webhookNotifier) IssueClearLabels(ctx context.Context, doer *user_model
}
func (m *webhookNotifier) ForkRepository(ctx context.Context, doer *user_model.User, oldRepo, repo *repo_model.Repository) {
oldPermission, _ := access_model.GetUserRepoPermission(ctx, oldRepo, doer)
permission, _ := access_model.GetUserRepoPermission(ctx, repo, doer)
oldPermission, _ := access_model.GetDoerRepoPermission(ctx, oldRepo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, repo, doer)
// forked webhook
if err := PrepareWebhooks(ctx, EventSource{Repository: oldRepo}, webhook_module.HookEventFork, &api.ForkPayload{
@@ -147,7 +147,7 @@ func (m *webhookNotifier) MigrateRepository(ctx context.Context, doer, u *user_m
func (m *webhookNotifier) IssueChangeAssignee(ctx context.Context, doer *user_model.User, issue *issues_model.Issue, assignee *user_model.User, removed bool, comment *issues_model.Comment) {
if issue.IsPull {
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
if err := issue.LoadPullRequest(ctx); err != nil {
log.Error("LoadPullRequest failed: %v", err)
@@ -170,7 +170,7 @@ func (m *webhookNotifier) IssueChangeAssignee(ctx context.Context, doer *user_mo
return
}
} else {
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
apiIssue := &api.IssuePayload{
Index: issue.Index,
Issue: convert.ToAPIIssue(ctx, doer, issue),
@@ -191,7 +191,7 @@ func (m *webhookNotifier) IssueChangeAssignee(ctx context.Context, doer *user_mo
}
func (m *webhookNotifier) IssueChangeTitle(ctx context.Context, doer *user_model.User, issue *issues_model.Issue, oldTitle string) {
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
var err error
if issue.IsPull {
if err = issue.LoadPullRequest(ctx); err != nil {
@@ -231,7 +231,7 @@ func (m *webhookNotifier) IssueChangeTitle(ctx context.Context, doer *user_model
}
func (m *webhookNotifier) IssueChangeStatus(ctx context.Context, doer *user_model.User, commitID string, issue *issues_model.Issue, actionComment *issues_model.Comment, isClosed bool) {
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
var err error
if issue.IsPull {
if err = issue.LoadPullRequest(ctx); err != nil {
@@ -282,7 +282,7 @@ func (m *webhookNotifier) NewIssue(ctx context.Context, issue *issues_model.Issu
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
if err := PrepareWebhooks(ctx, EventSource{Repository: issue.Repo}, webhook_module.HookEventIssues, &api.IssuePayload{
Action: api.HookIssueOpened,
Index: issue.Index,
@@ -295,7 +295,7 @@ func (m *webhookNotifier) NewIssue(ctx context.Context, issue *issues_model.Issu
}
func (m *webhookNotifier) DeleteIssue(ctx context.Context, doer *user_model.User, issue *issues_model.Issue) {
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
if issue.IsPull {
if err := issue.LoadPullRequest(ctx); err != nil {
log.Error("LoadPullRequest: %v", err)
@@ -345,7 +345,7 @@ func (m *webhookNotifier) NewPullRequest(ctx context.Context, pull *issues_model
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, pull.Issue.Repo, pull.Issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, pull.Issue.Repo, pull.Issue.Poster)
if err := PrepareWebhooks(ctx, EventSource{Repository: pull.Issue.Repo}, webhook_module.HookEventPullRequest, &api.PullRequestPayload{
Action: api.HookIssueOpened,
Index: pull.Issue.Index,
@@ -363,7 +363,7 @@ func (m *webhookNotifier) IssueChangeContent(ctx context.Context, doer *user_mod
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
var err error
if issue.IsPull {
if err := issue.LoadPullRequest(ctx); err != nil {
@@ -425,7 +425,7 @@ func (m *webhookNotifier) UpdateComment(ctx context.Context, doer *user_model.Us
eventType = webhook_module.HookEventIssueComment
}
permission, _ := access_model.GetUserRepoPermission(ctx, c.Issue.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, c.Issue.Repo, doer)
if err := PrepareWebhooks(ctx, EventSource{Repository: c.Issue.Repo}, eventType, &api.IssueCommentPayload{
Action: api.HookIssueCommentEdited,
Issue: convert.ToAPIIssue(ctx, doer, c.Issue),
@@ -460,7 +460,7 @@ func (m *webhookNotifier) CreateIssueComment(ctx context.Context, doer *user_mod
eventType = webhook_module.HookEventIssueComment
}
permission, _ := access_model.GetUserRepoPermission(ctx, repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, repo, doer)
if err := PrepareWebhooks(ctx, EventSource{Repository: issue.Repo}, eventType, &api.IssueCommentPayload{
Action: api.HookIssueCommentCreated,
Issue: convert.ToAPIIssue(ctx, doer, issue),
@@ -501,7 +501,7 @@ func (m *webhookNotifier) DeleteComment(ctx context.Context, doer *user_model.Us
eventType = webhook_module.HookEventIssueComment
}
permission, _ := access_model.GetUserRepoPermission(ctx, comment.Issue.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, comment.Issue.Repo, doer)
if err := PrepareWebhooks(ctx, EventSource{Repository: comment.Issue.Repo}, eventType, &api.IssueCommentPayload{
Action: api.HookIssueCommentDeleted,
Issue: convert.ToAPIIssue(ctx, doer, comment.Issue),
@@ -568,7 +568,7 @@ func (m *webhookNotifier) IssueChangeLabels(ctx context.Context, doer *user_mode
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
permission, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
if issue.IsPull {
if err = issue.LoadPullRequest(ctx); err != nil {
log.Error("loadPullRequest: %v", err)
@@ -613,7 +613,7 @@ func (m *webhookNotifier) IssueChangeMilestone(ctx context.Context, doer *user_m
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
if issue.IsPull {
err = issue.PullRequest.LoadIssue(ctx)
if err != nil {
@@ -687,9 +687,9 @@ func (*webhookNotifier) MergePullRequest(ctx context.Context, doer *user_model.U
return
}
permission, err := access_model.GetUserRepoPermission(ctx, pr.Issue.Repo, doer)
permission, err := access_model.GetDoerRepoPermission(ctx, pr.Issue.Repo, doer)
if err != nil {
log.Error("models.GetUserRepoPermission: %v", err)
log.Error("models.GetDoerRepoPermission: %v", err)
return
}
@@ -715,7 +715,7 @@ func (m *webhookNotifier) PullRequestChangeTargetBranch(ctx context.Context, doe
issue := pr.Issue
mode, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
mode, _ := access_model.GetIndividualUserRepoPermission(ctx, issue.Repo, issue.Poster)
if err := PrepareWebhooks(ctx, EventSource{Repository: issue.Repo}, webhook_module.HookEventPullRequest, &api.PullRequestPayload{
Action: api.HookIssueEdited,
Index: issue.Index,
@@ -753,9 +753,9 @@ func (m *webhookNotifier) PullRequestReview(ctx context.Context, pr *issues_mode
return
}
permission, err := access_model.GetUserRepoPermission(ctx, review.Issue.Repo, review.Issue.Poster)
permission, err := access_model.GetIndividualUserRepoPermission(ctx, review.Issue.Repo, review.Issue.Poster)
if err != nil {
log.Error("models.GetUserRepoPermission: %v", err)
log.Error("models.GetIndividualUserRepoPermission: %v", err)
return
}
if err := PrepareWebhooks(ctx, EventSource{Repository: review.Issue.Repo}, reviewHookType, &api.PullRequestPayload{
@@ -779,7 +779,7 @@ func (m *webhookNotifier) PullRequestReviewRequest(ctx context.Context, doer *us
log.Warn("PullRequestReviewRequest: issue is not a pull request: %v", issue.ID)
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, issue.Repo, doer)
if err := issue.LoadPullRequest(ctx); err != nil {
log.Error("LoadPullRequest failed: %v", err)
return
@@ -857,7 +857,7 @@ func sendReleaseHook(ctx context.Context, doer *user_model.User, rel *repo_model
return
}
permission, _ := access_model.GetUserRepoPermission(ctx, rel.Repo, doer)
permission, _ := access_model.GetDoerRepoPermission(ctx, rel.Repo, doer)
if err := PrepareWebhooks(ctx, EventSource{Repository: rel.Repo}, webhook_module.HookEventRelease, &api.ReleasePayload{
Action: action,
Release: convert.ToAPIRelease(ctx, rel.Repo, rel),