Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move /info outside authorization #19888

Merged
merged 6 commits into from
Jun 4, 2022
Merged

Move /info outside authorization #19888

merged 6 commits into from
Jun 4, 2022

Conversation

Gusted
Copy link
Contributor

@Gusted Gusted commented Jun 4, 2022

Move /info outside authorization
6bffaf5 
- To use the web's API to get information about a issue/pull on a
repository, doesn't require authorization(nor that the repository isn't
archived).
- Regressed by: go-gitea#19318
@Gusted Gusted added this to the 1.17.0 milestone Jun 4, 2022
@Gusted Gusted added the skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. label Jun 4, 2022
@lunny
Copy link
Member

lunny commented Jun 4, 2022

1 Why do you think it doesn't need authorization? What about a private repository's issues?
2 routes in Web should only be visited from UI. Gitea should not guarantee the routes path compatibility and stability.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jun 4, 2022
@Gusted
Copy link
Contributor Author

Gusted commented Jun 4, 2022

1 Why do you think it doesn't need authorization? What about a private repository's issues?

Because not every user on a Gitea instance would be logged in and they shouldn't be shown a loading spinner when hovering over a issue reference. Private repository's issues are not being checked in reqSignin, but in context.RepoAssignment IIRC, that's the main difference.

2 routes in Web should only be visited from UI. Gitea should not guarantee the routes path compatibility and stability.

It's still on the same path as before, now it just doesn't have the reqSignin middleware.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 4, 2022
@zeripath
Copy link
Contributor

zeripath commented Jun 4, 2022

Hmm... I think it should require permissions check. If you can't read the issues or pull requests you should not be able to access this endpoint. How does your change affect leakage for private repos where you have been given say code access but not read issues access?

@zeripath
Copy link
Contributor

zeripath commented Jun 4, 2022
edited
Loading

This also needs:

diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 079ccbf6c..d0ddf7048 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1799,6 +1799,27 @@ func GetIssueInfo(ctx *context.Context) {
 		}
 		return
 	}
+
+	if issue.IsPull {
+		// Need to check if Pulls are enabled and we can read Pulls
+		if !ctx.Repo.Repository.CanEnablePulls() || !ctx.Repo.CanRead(unit.TypePullRequests) {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+	} else {
+		// Need to check if Issues are enabled and we can read Issues
+		if !ctx.Repo.CanRead(unit.TypeIssues) &&
+			!ctx.Repo.CanRead(unit.TypeExternalTracker) {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+		_, err := ctx.Repo.Repository.GetUnit(unit.TypeExternalTracker)
+		if err == nil {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+	}
+
 	ctx.JSON(http.StatusOK, convert.ToAPIIssue(issue))
 }

@zeripath
Copy link
Contributor

zeripath commented Jun 4, 2022
edited
Loading

Realistically we might actually need a context.IssueAssignment() function that can do this sort of check as I bet that there are lots of other places where this check is not happening properly.

@zeripath
Check we can read the issue we are looking at
5a574d5 
Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath
zeripath reviewed Jun 4, 2022
View reviewed changes
routers/web/repo/issue.go Outdated Show resolved Hide resolved
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 4, 2022
@codecov-commenter
Copy link

Codecov Report

❗ No coverage uploaded for pull request base (main@12c742f). Click here to learn what that means.
The diff coverage is 37.50%.

@@           Coverage Diff           @@
##             main   #19888   +/-   ##
=======================================
  Coverage        ?   47.29%           
=======================================
  Files           ?      958           
  Lines           ?   133516           
  Branches        ?        0           
=======================================
  Hits            ?    63144           
  Misses          ?    62699           
  Partials        ?     7673
Impacted Files Coverage Δ
routers/web/repo/issue.go 36.77% <16.66%> (ø)
routers/web/web.go 86.30% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 12c742f...e1d328e. Read the comment docs.

@zeripath zeripath merged commit 744e452 into go-gitea:main Jun 4, 2022
zjjhot added a commit to zjjhot/gitea that referenced this pull request Jun 5, 2022
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
bca137d 
* giteaofficial/main:
  Add alt text to logo (go-gitea#19892)
  Limit max-height of CodeMirror editors for issue comment and wiki (go-gitea#18271)
  Implement http signatures support for the API (go-gitea#17565)
  Increment tests time out from 40m to 50m because sometimes the machine is slow (go-gitea#19887)
  fix(CI/CD): correct CI variable. (go-gitea#19886)
  Fix typo (go-gitea#19889)
  Fixing wrong paging when filtering on the issue dashboard (go-gitea#19801)
  Move `/info` outside authorization (go-gitea#19888)
  Fix order by parameter (go-gitea#19849)
  Exclude Archived repos from Dashboard Milestones (go-gitea#19882)
  use exact search instead of fuzzy search for branch filter dropdown (go-gitea#19885)
AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this pull request Aug 24, 2022
@zeripath @AbdulrhmnGhanem
Move /info outside authorization (go-gitea#19888)
99703aa 
- To use the web's API to get information about a issue/pull on a
repository, doesn't require authorization(nor that the repository isn't
archived).
- Regressed by: go-gitea#19318


Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@zeripath zeripath zeripath approved these changes

@lunny lunny lunny approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features.
Projects
None yet
Milestone
1.17.0
Development

Successfully merging this pull request may close these issues.
5 participants
@Gusted @lunny @zeripath @codecov-commenter @GiteaBot