Fix comment permissions (#28213) (#28217)

backport #28213 This PR will fix some missed checks for private repositories' data on web routes and API routes.
2025-08-12 12:38:20 +00:00 · 2023-11-26 07:21:41 +08:00
parent 41b2d0be93
commit dfd511faf3
35 changed files with 422 additions and 109 deletions
--- a/routers/web/repo/release.go
+++ b/routers/web/repo/release.go
@@ -592,7 +592,31 @@ func DeleteTag(ctx *context.Context) {
 }

 func deleteReleaseOrTag(ctx *context.Context, isDelTag bool) {
-	if err := releaseservice.DeleteReleaseByID(ctx, ctx.FormInt64("id"), ctx.Doer, isDelTag); err != nil {
+	redirect := func() {
+		if isDelTag {
+			ctx.JSON(http.StatusOK, map[string]any{
+				"redirect": ctx.Repo.RepoLink + "/tags",
+			})
+			return
+		}
+
+		ctx.JSON(http.StatusOK, map[string]any{
+			"redirect": ctx.Repo.RepoLink + "/releases",
+		})
+	}
+
+	rel, err := repo_model.GetReleaseForRepoByID(ctx, ctx.Repo.Repository.ID, ctx.FormInt64("id"))
+	if err != nil {
+		if repo_model.IsErrReleaseNotExist(err) {
+			ctx.NotFound("GetReleaseForRepoByID", err)
+		} else {
+			ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
+			redirect()
+		}
+		return
+	}
+
+	if err := releaseservice.DeleteReleaseByID(ctx, ctx.Repo.Repository, rel, ctx.Doer, isDelTag); err != nil {
 		if models.IsErrProtectedTagName(err) {
 			ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected"))
 		} else {
@@ -606,14 +630,5 @@ func deleteReleaseOrTag(ctx *context.Context, isDelTag bool) {
 		}
 	}

-	if isDelTag {
-		ctx.JSON(http.StatusOK, map[string]any{
-			"redirect": ctx.Repo.RepoLink + "/tags",
-		})
-		return
-	}
-
-	ctx.JSON(http.StatusOK, map[string]any{
-		"redirect": ctx.Repo.RepoLink + "/releases",
-	})
+	redirect()
 }