Reject star-related requests if stars are disabled (#33208)

This PR fixes #33205. If stars are disabled: * The `.../repo/stars` page returns a 403 Forbidden error * Star-related API endpoints return a 403 Forbidden error saying `Stars are disabled.` * Same for action endpoints --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-07-23 02:38:35 +00:00 · 2025-02-04 02:21:23 -03:00
parent a4676db7dd
commit d0f4e92563
6 changed files with 113 additions and 5 deletions
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -347,6 +347,13 @@ func registerRoutes(m *web.Router) {
 		}
 	}

+	starsEnabled := func(ctx *context.Context) {
+		if setting.Repository.DisableStars {
+			ctx.Error(http.StatusForbidden)
+			return
+		}
+	}
+
 	lfsServerEnabled := func(ctx *context.Context) {
 		if !setting.LFS.StartServer {
 			ctx.Error(http.StatusNotFound)
@@ -1593,10 +1600,12 @@ func registerRoutes(m *web.Router) {
 	// end "/{username}/{reponame}": repo code

 	m.Group("/{username}/{reponame}", func() {
-		m.Get("/stars", repo.Stars)
+		m.Get("/stars", starsEnabled, repo.Stars)
 		m.Get("/watchers", repo.Watchers)
 		m.Get("/search", reqUnitCodeReader, repo.Search)
-		m.Post("/action/{action}", reqSignIn, repo.Action)
+		m.Post("/action/{action:star|unstar}", reqSignIn, starsEnabled, repo.Action)
+		m.Post("/action/{action:watch|unwatch}", reqSignIn, repo.Action)
+		m.Post("/action/{action:accept_transfer|reject_transfer}", reqSignIn, repo.Action)
 	}, optSignIn, context.RepoAssignment)

 	common.AddOwnerRepoGitLFSRoutes(m, optSignInIgnoreCsrf, lfsServerEnabled) // "/{username}/{reponame}/{lfs-paths}": git-lfs support