forgejo

mirrors

forgejo

mirror of

Fork 0

Commit Graph

Author	SHA1	Message	Date
forgejo-backport-action	c2158b2a1f	[v10.0/forgejo] fix: consider public issues for project boards (#7144 ) Backport: https://codeberg.org/forgejo/forgejo/pulls/7143 - The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking. - The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project. - This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query. - Added unit testing. - Added integration testing. - Resolves Codeberg/Community#1809 - Regression of https://codeberg.org/forgejo/forgejo/pulls/6843 Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7144 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>	2025-03-07 00:51:07 +00:00
Gusted	3b4f1b3469	fix(sec): add tests for private issues on projects - Add integration and unit tests to ensure that private issues on projects are not shown in any way, shape or form when the doer has no access to it. (cherry picked from commit 55dcc1d06cb12ddb750a0289fbb6e212f93957a8)	2025-02-08 06:06:06 +00:00

Author

SHA1

Message

Date

forgejo-backport-action

c2158b2a1f

[v10.0/forgejo] fix: consider public issues for project boards (#7144 )

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7143

- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking.
- The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project.
- This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query.
- Added unit testing.
- Added integration testing.
- Resolves Codeberg/Community#1809
- Regression of https://codeberg.org/forgejo/forgejo/pulls/6843

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7144
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>

2025-03-07 00:51:07 +00:00

Gusted

3b4f1b3469

fix(sec): add tests for private issues on projects

- Add integration and unit tests to ensure that private issues on
projects are not shown in any way, shape or form when the doer has no
access to it.

(cherry picked from commit 55dcc1d06cb12ddb750a0289fbb6e212f93957a8)

2025-02-08 06:06:06 +00:00

2 Commits