
Check for permission when fetching user controlled issues (#20133) (#20196)

* Check that the project has the same repository ID as the issue when assigning a project to an issue

* Check if issue's repository id match project's repository id

* Add more permission checking

* Remove invalid argument

* Fix errors

* Add generic check

* Remove duplicated check

* Return error + add check for new issues

* Apply suggestions from code review

Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: 6543 <6543@obermui.de>
Gusted
2022-07-01 17:39:10 +02:00
committed by GitHub
parent df0b330af7
commit 6162fb0a19
7 changed files with 83 additions and 29 deletions


@@ -150,6 +150,17 @@ func addUpdateIssueProject(ctx context.Context, issue *Issue, doer *user_model.U
e := db.GetEngine(ctx)
oldProjectID := issue.projectID(e)
// Only check if we add a new project and not remove it.
if newProjectID > 0 {
newProject, err := GetProjectByID(newProjectID)
if err != nil {
return err
}
if newProject.RepoID != issue.RepoID {
return fmt.Errorf("issue's repository is not the same as project's repository")
}
}
if _, err := e.Where("project_issue.issue_id=?", issue.ID).Delete(&ProjectIssue{}); err != nil {
return err
}
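Review bot: The new repository check loads the project with `GetProjectByID(newProjectID)`, which takes neither `ctx` nor `e`, so the read that authorises the assignment may run outside the session that then performs the delete on `project_issue`; if the package has a lookup that accepts the engine or context, use it here so the check and the write see the same state. The mismatch is also reported as a bare `fmt.Errorf` string, which callers cannot tell apart from a database failure, so a rejected cross-repository assignment will probably surface as a server error rather than a client error; a typed or sentinel error would let handlers map it correctly and let it be logged as a denied request. A short comment such as `// Reject projects from another repository: newProjectID is caller-supplied.` would document why the check exists. addUpdateIssueProject begins and ends outside this hunk, so how the error is consumed is not visible here.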