* dont reqToken on GetReactions * ctx.Repo.CanWrite has ctx.User.IsAdmin in It Co-authored-by: Lauris BH <lauris@nix.lv>release/v1.15
parent
b3c5b4b0d1
commit
134e3fdf3d
|
@ -664,10 +664,10 @@ func RegisterRoutes(m *macaron.Macaron) {
|
||||||
m.Combo("", reqToken()).
|
m.Combo("", reqToken()).
|
||||||
Patch(mustNotBeArchived, bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
|
Patch(mustNotBeArchived, bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
|
||||||
Delete(repo.DeleteIssueComment)
|
Delete(repo.DeleteIssueComment)
|
||||||
m.Combo("/reactions", reqToken()).
|
m.Combo("/reactions").
|
||||||
Get(repo.GetIssueCommentReactions).
|
Get(repo.GetIssueCommentReactions).
|
||||||
Post(bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).
|
Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueCommentReaction).
|
||||||
Delete(bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)
|
Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueCommentReaction)
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
m.Group("/:index", func() {
|
m.Group("/:index", func() {
|
||||||
|
@ -704,10 +704,10 @@ func RegisterRoutes(m *macaron.Macaron) {
|
||||||
m.Put("/:user", reqToken(), repo.AddIssueSubscription)
|
m.Put("/:user", reqToken(), repo.AddIssueSubscription)
|
||||||
m.Delete("/:user", reqToken(), repo.DelIssueSubscription)
|
m.Delete("/:user", reqToken(), repo.DelIssueSubscription)
|
||||||
})
|
})
|
||||||
m.Combo("/reactions", reqToken()).
|
m.Combo("/reactions").
|
||||||
Get(repo.GetIssueReactions).
|
Get(repo.GetIssueReactions).
|
||||||
Post(bind(api.EditReactionOption{}), repo.PostIssueReaction).
|
Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueReaction).
|
||||||
Delete(bind(api.EditReactionOption{}), repo.DeleteIssueReaction)
|
Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueReaction)
|
||||||
})
|
})
|
||||||
}, mustEnableIssuesOrPulls)
|
}, mustEnableIssuesOrPulls)
|
||||||
m.Group("/labels", func() {
|
m.Group("/labels", func() {
|
||||||
|
|
|
@ -55,7 +55,7 @@ func GetIssueCommentReactions(ctx *context.APIContext) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin {
|
if !ctx.Repo.CanRead(models.UnitTypeIssues) {
|
||||||
ctx.Error(http.StatusForbidden, "GetIssueCommentReactions", errors.New("no permission to get reactions"))
|
ctx.Error(http.StatusForbidden, "GetIssueCommentReactions", errors.New("no permission to get reactions"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -179,7 +179,7 @@ func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp
|
||||||
ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)
|
ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
|
if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
|
||||||
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
|
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -261,7 +261,7 @@ func GetIssueReactions(ctx *context.APIContext) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin {
|
if !ctx.Repo.CanRead(models.UnitTypeIssues) {
|
||||||
ctx.Error(http.StatusForbidden, "GetIssueReactions", errors.New("no permission to get reactions"))
|
ctx.Error(http.StatusForbidden, "GetIssueReactions", errors.New("no permission to get reactions"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -380,7 +380,7 @@ func changeIssueReaction(ctx *context.APIContext, form api.EditReactionOption, i
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
|
if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
|
||||||
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
|
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue