-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add API to manage issue dependencies #17935
Conversation
Codecov Report
@@ Coverage Diff @@
## main #17935 +/- ##
==========================================
- Coverage 47.14% 46.99% -0.15%
==========================================
Files 1149 1156 +7
Lines 151446 153078 +1632
==========================================
+ Hits 71397 71942 +545
- Misses 71611 72644 +1033
- Partials 8438 8492 +54
... and 54 files with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a serious security problem in this code. Not only can I use these endpoints to check if any repository exists but I can read any issue on any repository using this.
@zeripath The API returns a nil pointer if there's a hidden issue (if you can't write the repo of the original issue) because there's no repo and it tries to generate the API URL of the issue. I think it's better to just ignore these issues. I changed this in 37081b4, if you have a better solution, I can revert it. Everything else worked as expected in my tests. |
The issue with ignoring the issues is that it breaks the paging. The solution would be to look again at the logs/error? I think it would be very easy to fix convert.ToAPIIssue to prevent the error. For example (based on 44a120e): diff --git a/services/convert/issue.go b/services/convert/issue.go
index 6651fb1d8..6d31a123b 100644
--- a/services/convert/issue.go
+++ b/services/convert/issue.go
@@ -35,8 +35,6 @@ func ToAPIIssue(ctx context.Context, issue *issues_model.Issue) *api.Issue {
apiIssue := &api.Issue{
ID: issue.ID,
- URL: issue.APIURL(),
- HTMLURL: issue.HTMLURL(),
Index: issue.Index,
Poster: ToUser(ctx, issue.Poster, nil),
Title: issue.Title,
@@ -54,6 +52,8 @@ func ToAPIIssue(ctx context.Context, issue *issues_model.Issue) *api.Issue {
if err := issue.Repo.LoadOwner(ctx); err != nil {
return &api.Issue{}
}
+ apiIssue.URL = issue.APIURL()
+ apiIssue.HTMLURL = issue.HTMLURL()
apiIssue.Labels = ToLabelList(issue.Labels, issue.Repo, issue.Repo.Owner)
apiIssue.Repo = &api.RepositoryMeta{
ID: issue.Repo.ID,
|
This reverts commit 37081b4.
Done, thanks @zeripath |
@qwerty287 do we think the HIDDEN thing is the correct thing to do? It seems like the simplest solution. |
Yes, I think that's the best solution for this case. |
FullName: issue.Repo.FullName(), | ||
if issue.Repo != nil { | ||
if err := issue.Repo.LoadOwner(ctx); err != nil { | ||
return &api.Issue{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we hide the error or record it into log?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It does not do so for LoadLabels and LoadPoster as well.
🎺 🤖 |
* upstream/main: Refactor internal API for git commands, use meaningful messages instead of "Internal Server Error" (go-gitea#23687) Add CSS rules for basic colored labels (go-gitea#23774) Add meilisearch support (go-gitea#23136) Add missing translation for `actions.runners.reset_registration_token_success` (go-gitea#23732) [skip ci] Updated translations via Crowdin Implement Issue Config (go-gitea#20956) Set repository link based on the url in package.json for npm packages (go-gitea#20379) Add API to manage issue dependencies (go-gitea#17935) Add creation time in tag list page (go-gitea#23693) Make minio package support legacy MD5 checksum (go-gitea#23768) Yarden Shoham has a new email address (go-gitea#23767) fix br display for packages curls (go-gitea#23737)
Adds API endpoints to manage issue/PR dependencies
GET /repos/{owner}/{repo}/issues/{index}/blocks
List issues that are blocked by this issuePOST /repos/{owner}/{repo}/issues/{index}/blocks
Block the issue given in the body by the issue in pathDELETE /repos/{owner}/{repo}/issues/{index}/blocks
Unblock the issue given in the body by the issue in pathGET /repos/{owner}/{repo}/issues/{index}/dependencies
List an issue's dependenciesPOST /repos/{owner}/{repo}/issues/{index}/dependencies
Create a new issue dependenciesDELETE /repos/{owner}/{repo}/issues/{index}/dependencies
Remove an issue dependencyCloses #15393
Closes #22115