Fix comment permissions (#28213)

This PR will fix some missed checks for private repositories' data on web routes and API routes.
2023-11-26 01:21:21 +08:00 · 2023-11-26 01:21:21 +08:00 · 882e502327
commit 882e502327
parent 80217cacfc
34 changed files with 417 additions and 105 deletions
--- a/routers/api/v1/user/app.go
+++ b/routers/api/v1/user/app.go
@ -342,6 +342,10 @@ func GetOauth2Application(ctx *context.APIContext) {
 		}
 		return
 	}
+	if app.UID != ctx.Doer.ID {
+		ctx.NotFound()
+		return
+	}

 	app.ClientSecret = ""

--- a/routers/api/v1/user/gpg_key.go
+++ b/routers/api/v1/user/gpg_key.go
@ -112,7 +112,7 @@ func GetGPGKey(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"

-	key, err := asymkey_model.GetGPGKeyByID(ctx, ctx.ParamsInt64(":id"))
+	key, err := asymkey_model.GetGPGKeyForUserByID(ctx, ctx.Doer.ID, ctx.ParamsInt64(":id"))
 	if err != nil {
 		if asymkey_model.IsErrGPGKeyNotExist(err) {
 			ctx.NotFound()
--- a/routers/api/v1/user/hook.go
+++ b/routers/api/v1/user/hook.go
@ -62,6 +62,11 @@ func GetHook(ctx *context.APIContext) {
 		return
 	}

+	if !ctx.Doer.IsAdmin && hook.OwnerID != ctx.Doer.ID {
+		ctx.NotFound()
+		return
+	}
+
 	apiHook, err := webhook_service.ToHook(ctx.Doer.HomeLink(), hook)
 	if err != nil {
 		ctx.InternalServerError(err)