Only view milestones from current repo (#18414) (#18418)

Backport #18414 The endpoint /{username}/{reponame}/milestone/{id} is not currently restricted to the repo. This PR restricts the milestones to those within the repo. Signed-off-by: Andrew Thornton <art27@cantab.net>
2025-08-23 01:48:27 +00:00 · 2022-01-26 22:09:35 +00:00
parent df57524c49
commit 9d9ad1b59f
3 changed files with 15 additions and 34 deletions
--- a/routers/web/repo/milestone.go
+++ b/routers/web/repo/milestone.go
@@ -268,7 +268,7 @@ func DeleteMilestone(ctx *context.Context) {
 // MilestoneIssuesAndPulls lists all the issues and pull requests of the milestone
 func MilestoneIssuesAndPulls(ctx *context.Context) {
 	milestoneID := ctx.ParamsInt64(":id")
-	milestone, err := models.GetMilestoneByID(milestoneID)
+	milestone, err := models.GetMilestoneByRepoID(ctx.Repo.Repository.ID, milestoneID)
 	if err != nil {
 		if models.IsErrMilestoneNotExist(err) {
 			ctx.NotFound("GetMilestoneByID", err)