Nemcio/Gogs
1
0
Fork 0
mirror of https://github.com/gogs/gogs.git synced 2025-12-20 15:20:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

routes/api: add missing permission checks for routes

Browse Source 
Permission check not enforced for deploy keys, collaborators, and hooks.

Reported by @ManassehZhou #5764
This commit is contained in:
unknwon
2019-08-01 18:26:05 -07:00
parent e640683c97
commit 1592e578ed
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
routes/api/v1/api.go
View File

@@ -236,12 +236,12 @@ func RegisterRoutes(m *macaron.Macaron) {
Post(bind(api.CreateHookOption{}), repo.CreateHook) Post(bind(api.CreateHookOption{}), repo.CreateHook)
m.Combo("/:id").Patch(bind(api.EditHookOption{}), repo.EditHook). m.Combo("/:id").Patch(bind(api.EditHookOption{}), repo.EditHook).
Delete(repo.DeleteHook) Delete(repo.DeleteHook)
}) }, reqAdmin())
m.Group("/collaborators", func() { m.Group("/collaborators", func() {
m.Get("", repo.ListCollaborators) m.Get("", repo.ListCollaborators)
m.Combo("/:collaborator").Get(repo.IsCollaborator).Put(bind(api.AddCollaboratorOption{}), repo.AddCollaborator). m.Combo("/:collaborator").Get(repo.IsCollaborator).Put(bind(api.AddCollaboratorOption{}), repo.AddCollaborator).
Delete(repo.DeleteCollaborator) Delete(repo.DeleteCollaborator)
}) }, reqAdmin())
m.Get("/raw/*", context.RepoRef(), repo.GetRawFile) m.Get("/raw/*", context.RepoRef(), repo.GetRawFile)
m.Get("/archive/*", repo.GetArchive) m.Get("/archive/*", repo.GetArchive)
m.Get("/forks", repo.ListForks) m.Get("/forks", repo.ListForks)
@@ -260,7 +260,7 @@ func RegisterRoutes(m *macaron.Macaron) {
Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey) Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
m.Combo("/:id").Get(repo.GetDeployKey). m.Combo("/:id").Get(repo.GetDeployKey).
Delete(repo.DeleteDeploykey) Delete(repo.DeleteDeploykey)
}) }, reqAdmin())
m.Group("/issues", func() { m.Group("/issues", func() {
m.Combo("").Get(repo.ListIssues).Post(bind(api.CreateIssueOption{}), repo.CreateIssue) m.Combo("").Get(repo.ListIssues).Post(bind(api.CreateIssueOption{}), repo.CreateIssue)
m.Group("/comments", func() { m.Group("/comments", func() {