
appview: fix pull close/reopen permissions

Signed-off-by: oppiliappan <me@oppi.li>

oppi.li 0e8ec37e a2586d47

+6 -2
appview
+4 -2
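--- a/appview/pulls/pulls.go
+++ b/appview/pulls/pulls.go
@@ -2026,9 +2026,10 @@
 
 	// auth filter: only owner or collaborators can close
 	roles := f.RolesInRepo(user)
+	isOwner := roles.IsOwner()
 	isCollaborator := roles.IsCollaborator()
 	isPullAuthor := user.Did == pull.OwnerDid
-	isCloseAllowed := isCollaborator || isPullAuthor
+	isCloseAllowed := isOwner || isCollaborator || isPullAuthor
 	if !isCloseAllowed {
 		log.Println("failed to close pull")
 		s.pages.Notice(w, "pull-close", "You are unauthorized to close this pull.")
@@ -2094,9 +2095,10 @@
 
 	// auth filter: only owner or collaborators can close
 	roles := f.RolesInRepo(user)
+	isOwner := roles.IsOwner()
 	isCollaborator := roles.IsCollaborator()
 	isPullAuthor := user.Did == pull.OwnerDid
-	isCloseAllowed := isCollaborator || isPullAuthor
+	isCloseAllowed := isOwner || isCollaborator || isPullAuthor
 	if !isCloseAllowed {
 		log.Println("failed to close pull")
 		s.pages.Notice(w, "pull-close", "You are unauthorized to close this pull.")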
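Review bot: The second hunk (new lines 2095-2104) widens the check the same way as the first but keeps the close-path messages, still logging `failed to close pull` and showing the `pull-close` notice "You are unauthorized to close this pull." — if this is the reopen handler, as the commit title suggests, those strings look copied from the close handler and will mislead both the user and anyone reading logs. Both hunks also keep the comment `// auth filter: only owner or collaborators can close` although the pull author is explicitly allowed as well; I'd change it to `// auth filter: repo owner, collaborators, or the pull author may close`. Since this is an authorization denial, the bare log line is also hard to audit because it names neither the actor nor the pull; something like `log.Printf("unauthorized pull close by %s", user.Did)` (plus the pull's identifier, whichever field holds it) would make such attempts traceable. Both enclosing handlers start and end outside the hunks.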
+2
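--- a/appview/pulls/router.go
+++ b/appview/pulls/router.go
@@ -44,6 +44,8 @@
 		r.Get("/", s.ResubmitPull)
 		r.Post("/", s.ResubmitPull)
 	})
+	// permissions here require us to know pull author
+	// it is handled within the route
 	r.Post("/close", s.ClosePull)
 	r.Post("/reopen", s.ReopenPull)
 	// collaborators only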
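Review bot: The new comment before `r.Post("/close", s.ClosePull)` says why these two routes sit outside the `// collaborators only` group below, but not what the handlers actually enforce, so a later reader may still "tidy up" by moving them under the middleware and lock out pull authors. I'd make the contract explicit in the comment: `// close/reopen are allowed for the repo owner, collaborators, and the pull author; the author is only known once the pull is loaded, so ClosePull and ReopenPull perform the permission check themselves`. The surrounding route-registration function starts and ends outside the hunk.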