Check for permission when fetching user controlled issues (#20133) #20196
Merged
Gusted (Contributor) commented Jul 1, 2022
- Backport Check if project has the same repository id with issue when assign project to issue #20133
- Check correctly for permission when we fetch a new issue (via ID) that is controlled by the user.
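The kind of check this PR describes, as an added example that is not part of the PR and is not Gitea's code: an issue fetched by a client-supplied ID is accepted only if it belongs to the repository the caller was already authorized for, and the project must belong to that repository too. The `Store`, `Issue` and `Project` types, `issueInRepo`, `AssignProject` and the sample data are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical minimal models (assumption); these are not Gitea's types.
type Issue struct{ ID, RepoID, ProjectID int64 }
type Project struct{ ID, RepoID int64 }
type Store struct {
	Issues   map[int64]*Issue
	Projects map[int64]*Project
}

var ErrNotFound = errors.New("not found")

// issueInRepo loads an issue by client-supplied ID, scoped to the repository the
// caller is authorized for; a mismatch looks the same as a missing ID.
func (s *Store) issueInRepo(repoID, issueID int64) (*Issue, error) {
	if is, ok := s.Issues[issueID]; ok && is.RepoID == repoID {
		return is, nil
	}
	return nil, ErrNotFound
}

// AssignProject validates the project and every issue before writing anything.
func (s *Store) AssignProject(repoID, projectID int64, issueIDs []int64) error {
	p, ok := s.Projects[projectID]
	if !ok || p.RepoID != repoID {
		return fmt.Errorf("project %d: %w", projectID, ErrNotFound)
	}
	for _, id := range issueIDs {
		if _, err := s.issueInRepo(repoID, id); err != nil {
			return fmt.Errorf("issue %d: %w", id, err)
		}
	}
	for _, id := range issueIDs {
		s.Issues[id].ProjectID = p.ID
	}
	return nil
}

// sampleStore is constructed data: repo 1 is the caller's, repo 2 is not.
func sampleStore() *Store {
	return &Store{map[int64]*Issue{10: {10, 1, 0}, 20: {20, 2, 0}},
		map[int64]*Project{5: {5, 1}, 6: {6, 2}}}
}

func main() { fmt.Println(sampleStore().AssignProject(1, 5, []int64{10, 20})) }
```

Validating the whole batch before the first write means a request that mixes an allowed ID with a foreign one leaves every issue unchanged.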
6543 approved these changes Jul 1, 2022
GiteaBot added the lgtm/need 1 label (This PR needs approval from one additional maintainer to be merged.) Jul 1, 2022
a1012112796 approved these changes Jul 1, 2022
GiteaBot added the lgtm/done label (This PR has enough approvals to get merged. There are no important open reservations anymore.) and removed the lgtm/need 1 label Jul 1, 2022
6543 added the topic/security label (Something leaks user information or is otherwise vulnerable. Should be fixed!) Jul 12, 2022
tyroneyeh added a commit to tyroneyeh/gitea that referenced this pull request Jul 13, 2022
commit 713bc6c
Author: 6543 <6543@obermui.de>
Date: Tue Jul 12 20:26:27 2022 +0200

Changelog for 1.16.9 (update) (go-gitea#20341)

* Changelog for 1.16.9 (update)
* update security section

commit 6b7e860
Author: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed Jul 13 01:13:31 2022 +0800

Hide notify mail setting ui if not enabled (go-gitea#20138) (go-gitea#20337)

Backport go-gitea#20138

commit 0f89417
Author: Gusted <williamzijl7@hotmail.com>
Date: Tue Jul 12 12:52:20 2022 +0000

Add write check for creating Commit status (go-gitea#20332) (go-gitea#20334)

- Backport go-gitea#20332
- Add write code checks for creating new commit status
- Regression from go-gitea#5314
- Resolves go-gitea#20331

commit 7c80a0b
Author: zeripath <art27@cantab.net>
Date: Mon Jul 11 10:15:43 2022 +0100

Ensure that drone tags 1.16.x and 1.16 on push to v1.16.x tag (go-gitea#20304)

We need pushes to v1.16.9 to create tags to 1.16.9 and 1.16 but not 1 or latest. We have previously adjusted the manifest to remove the latest tag, and have removed auto_tags so that 1 does not get tagged but in doing so we also stopped 1.16 being tagged. So here we just state that we tag x.yy in addition to x.yyz*.

Signed-off-by: Andrew Thornton <art27@cantab.net>

commit b42df31
Author: zeripath <art27@cantab.net>
Date: Wed Jul 6 02:47:16 2022 +0100

Only show Followers that current user can access (go-gitea#20220) (go-gitea#20253)

Backport go-gitea#20220

Users who are following or being followed by a user should only be displayed if the viewing user can see them.

Signed-off-by: Andrew Thornton <art27@cantab.net>

commit 6162fb0
Author: Gusted <williamzijl7@hotmail.com>
Date: Fri Jul 1 17:39:10 2022 +0200

Check for permission when fetching user controlled issues (go-gitea#20133) (go-gitea#20196)

* Check if project has the same repository id with issue when assign project to issue
* Check if issue's repository id match project's repository id
* Add more permission checking
* Remove invalid argument
* Fix errors
* Add generic check
* Remove duplicated check
* Return error + add check for new issues
* Apply suggestions from code review

Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: 6543 <6543@obermui.de>
freebsd-git pushed a commit to freebsd/freebsd-ports that referenced this pull request Aug 5, 2022
- Add write check for creating Commit status go-gitea/gitea#20334
- Check for permission when fetching user controlled issues go-gitea/gitea#20196
PR: 265526
Labels
- lgtm/done: This PR has enough approvals to get merged. There are no important open reservations anymore.
- topic/security: Something leaks user information or is otherwise vulnerable. Should be fixed!
- type/bug