Never add labels not from this repository or organisation and remove org labels on transfer (#14928)

* Never add labels not from this repository or organisation and remove org labels on transfer Prevent the addition of labels from outside of the repository or organisation and remove organisation labels on transfer. Related #14908 * switch to use sql * subquery alias * once more around the merry go round * fix api problem
2025-07-15 23:17:19 +00:00 · 2021-03-12 17:45:49 +00:00
parent ccfb205ad1
commit 42b9b46ad2
4 changed files with 65 additions and 9 deletions
--- a/models/issue.go
+++ b/models/issue.go
@@ -513,6 +513,10 @@ func (issue *Issue) ReplaceLabels(labels []*Label, doer *User) (err error) {
 		return err
 	}

+	if err = issue.loadRepo(sess); err != nil {
+		return err
+	}
+
 	if err = issue.loadLabels(sess); err != nil {
 		return err
 	}
@@ -527,10 +531,18 @@ func (issue *Issue) ReplaceLabels(labels []*Label, doer *User) (err error) {
 		addLabel := labels[addIndex]
 		removeLabel := issue.Labels[removeIndex]
 		if addLabel.ID == removeLabel.ID {
+			// Silently drop invalid labels
+			if removeLabel.RepoID != issue.RepoID && removeLabel.OrgID != issue.Repo.OwnerID {
+				toRemove = append(toRemove, removeLabel)
+			}
+
 			addIndex++
 			removeIndex++
 		} else if addLabel.ID < removeLabel.ID {
-			toAdd = append(toAdd, addLabel)
+			// Only add if the label is valid
+			if addLabel.RepoID == issue.RepoID || addLabel.OrgID == issue.Repo.OwnerID {
+				toAdd = append(toAdd, addLabel)
+			}
 			addIndex++
 		} else {
 			toRemove = append(toRemove, removeLabel)