bjoernager/forgejo
bjoernager/forgejo
1
Fork 0
Code Issues Pull requests Activity

fix(sec): permission check for project issue

Browse source 
- Do an access check when loading issues for a project column, currently
this is not done and exposes the title, labels and existence of a
private issue that the viewer of the project board may not have access
to.
- The number of issues cannot be calculated in a efficient manner
and stored in the database because their number may vary depending on
the visibility of the repositories participating in the project. The
previous implementation used the pre-calculated numbers stored in each
project, which did not reflect that potential variation.
- The code is derived from https://github.com/go-gitea/gitea/pull/22865
This commit is contained in:
Gusted 2025-01-29 09:47:37 +01:00 committed by Earl Warren
parent 94845020e8
commit b1b635c1d9
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
7 changed files with 83 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

62
models/issues/issue_project.go
View file

@ -7,8 +7,10 @@ import (
"context"
"code.gitea.io/gitea/models/db"
org_model "code.gitea.io/gitea/models/organization"
project_model "code.gitea.io/gitea/models/project"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/optional"
"code.gitea.io/gitea/modules/util"
)
@ -48,22 +50,29 @@ func (issue *Issue) ProjectColumnID(ctx context.Context) int64 {
}
// LoadIssuesFromColumn load issues assigned to this column
func LoadIssuesFromColumn(ctx context.Context, b *project_model.Column) (IssueList, error) {
issueList, err := Issues(ctx, &IssuesOptions{
func LoadIssuesFromColumn(ctx context.Context, b *project_model.Column, doer *user_model.User, org *org_model.Organization, isClosed optional.Option[bool]) (IssueList, error) {
issueOpts := &IssuesOptions{
ProjectColumnID: b.ID,
ProjectID: b.ProjectID,
SortType: "project-column-sorting",
})
IsClosed: isClosed,
}
if doer != nil {
issueOpts.User = doer
issueOpts.Org = org
} else {
issueOpts.AllPublic = true
}
issueList, err := Issues(ctx, issueOpts)
if err != nil {
return nil, err
}
if b.Default {
issues, err := Issues(ctx, &IssuesOptions{
ProjectColumnID: db.NoConditionID,
ProjectID: b.ProjectID,
SortType: "project-column-sorting",
})
issueOpts.ProjectColumnID = db.NoConditionID
issues, err := Issues(ctx, issueOpts)
if err != nil {
return nil, err
}
@ -78,10 +87,10 @@ func LoadIssuesFromColumn(ctx context.Context, b *project_model.Column) (IssueLi
}
// LoadIssuesFromColumnList load issues assigned to the columns
func LoadIssuesFromColumnList(ctx context.Context, bs project_model.ColumnList) (map[int64]IssueList, error) {
func LoadIssuesFromColumnList(ctx context.Context, bs project_model.ColumnList, doer *user_model.User, org *org_model.Organization, isClosed optional.Option[bool]) (map[int64]IssueList, error) {
issuesMap := make(map[int64]IssueList, len(bs))
for i := range bs {
il, err := LoadIssuesFromColumn(ctx, bs[i])
il, err := LoadIssuesFromColumn(ctx, bs[i], doer, org, isClosed)
if err != nil {
return nil, err
}
@ -160,3 +169,36 @@ func IssueAssignOrRemoveProject(ctx context.Context, issue *Issue, doer *user_mo
})
})
}
// NumIssuesInProjects returns the amount of issues assigned to one of the project
// in the list which the doer can access.
func NumIssuesInProjects(ctx context.Context, pl []*project_model.Project, doer *user_model.User, org *org_model.Organization, isClosed optional.Option[bool]) (map[int64]int, error) {
numMap := make(map[int64]int, len(pl))
for _, p := range pl {
num, err := NumIssuesInProject(ctx, p, doer, org, isClosed)
if err != nil {
return nil, err
}
numMap[p.ID] = num
}
return numMap, nil
}
// NumIssuesInProject returns the amount of issues assigned to the project which
// the doer can access.
func NumIssuesInProject(ctx context.Context, p *project_model.Project, doer *user_model.User, org *org_model.Organization, isClosed optional.Option[bool]) (int, error) {
numIssuesInProject := int(0)
bs, err := p.GetColumns(ctx)
if err != nil {
return 0, err
}
im, err := LoadIssuesFromColumnList(ctx, bs, doer, org, isClosed)
if err != nil {
return 0, err
}
for _, il := range im {
numIssuesInProject += len(il)
}
return numIssuesInProject, nil
}

14
models/project/column.go
View file

@ -57,20 +57,6 @@ func (Column) TableName() string {
return "project_board" // TODO: the legacy table name should be project_column
}
// NumIssues return counter of all issues assigned to the column
func (c *Column) NumIssues(ctx context.Context) int {
total, err := db.GetEngine(ctx).Table("project_issue").
Where("project_id=?", c.ProjectID).
And("project_board_id=?", c.ID).
GroupBy("issue_id").
Cols("issue_id").
Count()
if err != nil {
return 0
}
return int(total)
}
func (c *Column) GetIssues(ctx context.Context) ([]*ProjectIssue, error) {
issues := make([]*ProjectIssue, 0, 5)
if err := db.GetEngine(ctx).Where("project_id=?", c.ProjectID).

14
models/project/issue.go
View file

@ -34,20 +34,6 @@ func deleteProjectIssuesByProjectID(ctx context.Context, projectID int64) error
return err
}
// NumIssues return counter of all issues assigned to a project
func (p *Project) NumIssues(ctx context.Context) int {
c, err := db.GetEngine(ctx).Table("project_issue").
Where("project_id=?", p.ID).
GroupBy("issue_id").
Cols("issue_id").
Count()
if err != nil {
log.Error("NumIssues: %v", err)
return 0
}
return int(c)
}
// NumClosedIssues return counter of closed issues assigned to a project
func (p *Project) NumClosedIssues(ctx context.Context) int {
c, err := db.GetEngine(ctx).Table("project_issue").