forked from Gitlink/gitea-1120-rc1
fixed vulnerabilities on deleting release (#399)
This commit is contained in:
parent
8aeeed0a23
commit
15c3d14d55
|
@ -189,7 +189,7 @@ func UpdateRelease(gitRepo *git.Repository, rel *Release) (err error) {
|
|||
}
|
||||
|
||||
// DeleteReleaseByID deletes a release and corresponding Git tag by given ID.
|
||||
func DeleteReleaseByID(id int64) error {
|
||||
func DeleteReleaseByID(id int64, u *User) error {
|
||||
rel, err := GetReleaseByID(id)
|
||||
if err != nil {
|
||||
return fmt.Errorf("GetReleaseByID: %v", err)
|
||||
|
@ -200,6 +200,13 @@ func DeleteReleaseByID(id int64) error {
|
|||
return fmt.Errorf("GetRepositoryByID: %v", err)
|
||||
}
|
||||
|
||||
has, err := HasAccess(u, repo, AccessModeWrite)
|
||||
if err != nil {
|
||||
return fmt.Errorf("HasAccess: %v", err)
|
||||
} else if !has {
|
||||
return fmt.Errorf("DeleteReleaseByID: permission denied")
|
||||
}
|
||||
|
||||
_, stderr, err := process.ExecDir(-1, repo.RepoPath(),
|
||||
fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID),
|
||||
"git", "tag", "-d", rel.TagName)
|
||||
|
|
|
@ -296,7 +296,7 @@ func EditReleasePost(ctx *context.Context, form auth.EditReleaseForm) {
|
|||
|
||||
// DeleteRelease delete a release
|
||||
func DeleteRelease(ctx *context.Context) {
|
||||
if err := models.DeleteReleaseByID(ctx.QueryInt64("id")); err != nil {
|
||||
if err := models.DeleteReleaseByID(ctx.QueryInt64("id"), ctx.User); err != nil {
|
||||
ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
|
||||
} else {
|
||||
ctx.Flash.Success(ctx.Tr("repo.release.deletion_success"))
|
||||
|
|
Loading…
Reference in New Issue