security: add permission check to 'delete branch after merge'

- Add a permission check that the doer has write permissions to the head repository if the the 'delete branch after merge' is enabled when merging a pull request. - Unify the checks in the web and API router to `DeleteBranchAfterMerge`. - Added integration tests.
2024-10-23 00:48:46 +02:00 · 2024-10-23 00:48:46 +02:00 · 266e0b2ce9
commit 266e0b2ce9
parent 00379db370
7 changed files with 139 additions and 37 deletions
--- a/release-notes/5718.md
+++ b/release-notes/5718.md
@ -0,0 +1 @@
+Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.
				`@ -0,0 +1 @@`
				`Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.`