Skip to content

Fix various permission & login related bugs #36002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 22, 2025
Merged

Fix various permission & login related bugs #36002

merged 5 commits into from
Nov 22, 2025
+385 −61

Conversation

@lunny
Copy link
Member

@lunny lunny commented Nov 22, 2025
edited by wxiaoguang
Loading

Permission & protection check:

  • Fix Delete Release permission check
  • Fix Update Pull Request with rebase branch protection check
  • Fix Issue Dependency permission check
  • Fix Delete Comment History ID check

Information leaking:

Auth & Login:

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 22, 2025
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code labels Nov 22, 2025
@wxiaoguang wxiaoguang changed the title Fix many bugs Fix various bugs Nov 22, 2025
@wxiaoguang wxiaoguang mentioned this pull request Nov 22, 2025
Closed
@wxiaoguang wxiaoguang added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Nov 22, 2025
@wxiaoguang wxiaoguang changed the title Fix various bugs Fix various permission & login related bugs Nov 22, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 22, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 22, 2025
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Nov 22, 2025
@wxiaoguang wxiaoguang enabled auto-merge (squash) November 22, 2025 07:08
@wxiaoguang wxiaoguang merged commit 62d750e into go-gitea:main Nov 22, 2025
25 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Nov 22, 2025
@lunny lunny deleted the lunny/fix_bugs branch November 22, 2025 07:21
lunny added a commit to lunny/gitea that referenced this pull request Nov 22, 2025
@lunny @wxiaoguang
Fix various permission & login related bugs (go-gitea#36002)
11f774a 
Permission & protection check:

- Fix Delete Release permission check
- Fix Update Pull Request with rebase branch protection check
- Fix Issue Dependency permission check
- Fix Delete Comment History ID check

Information leaking:

- Show unified message for non-existing user and invalid password
    - Fix go-gitea#35984
- Don't expose release draft to non-writer users.
- Make API returns signature's email address instead of the user
profile's.

Auth & Login:

- Avoid GCM OAuth2 attempt when OAuth2 is disabled
    - Fix go-gitea#35510

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Nov 22, 2025
@lunny lunny mentioned this pull request Nov 22, 2025
Merged
@lunny lunny added the backport/done All backports for this PR have been created label Nov 22, 2025
zjjhot added a commit to zjjhot/gitea that referenced this pull request Nov 22, 2025
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
4030b8b 
* giteaofficial/main:
  Fix various permission & login related bugs (go-gitea#36002)
  Allow empty commit when merging pull request with squash style (go-gitea#35989)
  [skip ci] Updated translations via Crowdin
  Mention proc-receive in text for dashboard.resync_all_hooks func (go-gitea#35991)
  Update JS deps (go-gitea#35978)
  wiki: reuse selectable style for wiki (go-gitea#35990)
wxiaoguang added a commit that referenced this pull request Nov 22, 2025
@lunny @wxiaoguang
Fix various permission & login related bugs (#36002) (#36004)
20cf4b7 
Backport #36002 

Permission & protection check:

- Fix Delete Release permission check
- Fix Update Pull Request with rebase branch protection check
- Fix Issue Dependency permission check
- Fix Delete Comment History ID check

Information leaking:

- Show unified message for non-existing user and invalid password
    - Fix #35984
- Don't expose release draft to non-writer users.
- Make API returns signature's email address instead of the user
profile's.

Auth & Login:

- Avoid GCM OAuth2 attempt when OAuth2 is disabled
    - Fix #35510

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wxiaoguang wxiaoguang wxiaoguang approved these changes

+1 more reviewer

@Zettat123 Zettat123 Zettat123 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport/done All backports for this PR have been created backport/v1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug

Projects

None yet

Milestone

1.26.0

4 participants

@lunny @wxiaoguang @Zettat123 @GiteaBot