
Check for permission when fetching user controlled issues (#20133) (#20196)

* Check if project has the same repository id with issue when assign project to issue

* Check if issue's repository id match project's repository id

* Add more permission checking

* Remove invalid argument

* Fix errors

* Add generic check

* Remove duplicated check

* Return error + add check for new issues

* Apply suggestions from code review

Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: 6543 <6543@obermui.de>
Gusted
2022-07-01 17:39:10 +02:00
committed by GitHub
parent df0b330af7
commit 6162fb0a19
7 changed files with 83 additions and 29 deletions


@@ -5,6 +5,7 @@
package repo
import (
"errors"
"fmt"
"net/http"
"net/url"
@@ -531,7 +532,6 @@ func EditProjectBoard(ctx *context.Context) {
// SetDefaultProjectBoard set default board for uncategorized issues/pulls
func SetDefaultProjectBoard(ctx *context.Context) {
project, board := checkProjectBoardChangePermissions(ctx)
if ctx.Written() {
return
@@ -631,10 +631,17 @@ func MoveIssues(ctx *context.Context) {
}
if len(movedIssues) != len(form.Issues) {
ctx.ServerError("IssuesNotFound", err)
ctx.ServerError("some issues do not exist", errors.New("some issues do not exist"))
return
}
for _, issue := range movedIssues {
if issue.RepoID != project.RepoID {
ctx.ServerError("Some issue's repoID is not equal to project's repoID", errors.New("Some issue's repoID is not equal to project's repoID"))
return
}
}
if err = models.MoveIssuesOnProjectBoard(board, sortedIssueIDs); err != nil {
ctx.ServerError("MoveIssuesOnProjectBoard", err)
return
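Review bot: The new repository-mismatch branch in the `for _, issue := range movedIssues` loop reports a client-supplied issue ID from another repository through `ctx.ServerError`, so a rejected cross-repository request surfaces as HTTP 500 and is logged like an internal fault. A 4xx response would keep authorization rejections separate from real server errors in logs and alerting, for example `ctx.NotFound("IssueNotInProject", errors.New("issue does not belong to the project's repository"))`. The same applies to the length-mismatch branch just above it, which is also triggered by request data. The new error text also starts with a capital letter (`"Some issue's repoID …"`), whereas Go error strings are conventionally lowercase. MoveIssues starts and ends outside this hunk, so how `form.Issues` is bound and how `movedIssues` is loaded are not visible here.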