TRKJ/gitea
2
0
Fork 0
mirror of https://gitee.com/gitea/gitea synced 2025-11-04 16:40:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

[API] dont reqToken on GetReactions (fix #9543) (#9548)

Browse Source 
* dont reqToken on GetReactions

* ctx.Repo.CanWrite has ctx.User.IsAdmin in It

Co-authored-by: Lauris BH <lauris@nix.lv>
This commit is contained in:
6543
2020-01-02 22:27:31 +01:00
committed by Lauris BH
parent b3c5b4b0d1
commit 134e3fdf3d
2 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
routers/api/v1/api.go
View File

@@ -664,10 +664,10 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Combo("", reqToken()). m.Combo("", reqToken()).
Patch(mustNotBeArchived, bind(api.EditIssueCommentOption{}), repo.EditIssueComment). Patch(mustNotBeArchived, bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
Delete(repo.DeleteIssueComment) Delete(repo.DeleteIssueComment)
m.Combo("/reactions", reqToken()). m.Combo("/reactions").
Get(repo.GetIssueCommentReactions). Get(repo.GetIssueCommentReactions).
Post(bind(api.EditReactionOption{}), repo.PostIssueCommentReaction). Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueCommentReaction).
Delete(bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction) Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueCommentReaction)
}) })
}) })
m.Group("/:index", func() { m.Group("/:index", func() {
@@ -704,10 +704,10 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Put("/:user", reqToken(), repo.AddIssueSubscription) m.Put("/:user", reqToken(), repo.AddIssueSubscription)
m.Delete("/:user", reqToken(), repo.DelIssueSubscription) m.Delete("/:user", reqToken(), repo.DelIssueSubscription)
}) })
m.Combo("/reactions", reqToken()). m.Combo("/reactions").
Get(repo.GetIssueReactions). Get(repo.GetIssueReactions).
Post(bind(api.EditReactionOption{}), repo.PostIssueReaction). Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueReaction).
Delete(bind(api.EditReactionOption{}), repo.DeleteIssueReaction) Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueReaction)
}) })
}, mustEnableIssuesOrPulls) }, mustEnableIssuesOrPulls)
m.Group("/labels", func() { m.Group("/labels", func() {

8
routers/api/v1/repo/issue_reaction.go
View File

@@ -55,7 +55,7 @@ func GetIssueCommentReactions(ctx *context.APIContext) {
return return
} }
if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin { if !ctx.Repo.CanRead(models.UnitTypeIssues) {
ctx.Error(http.StatusForbidden, "GetIssueCommentReactions", errors.New("no permission to get reactions")) ctx.Error(http.StatusForbidden, "GetIssueCommentReactions", errors.New("no permission to get reactions"))
return return
} }
@@ -179,7 +179,7 @@ func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp
ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err) ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)
} }
if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin { if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction")) ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
return return
} }
@@ -261,7 +261,7 @@ func GetIssueReactions(ctx *context.APIContext) {
return return
} }
if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin { if !ctx.Repo.CanRead(models.UnitTypeIssues) {
ctx.Error(http.StatusForbidden, "GetIssueReactions", errors.New("no permission to get reactions")) ctx.Error(http.StatusForbidden, "GetIssueReactions", errors.New("no permission to get reactions"))
return return
} }
@@ -380,7 +380,7 @@ func changeIssueReaction(ctx *context.APIContext, form api.EditReactionOption, i
return return
} }
if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin { if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction")) ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
return return
} }