git724/forgejo

Fork 0

Commit graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Gusted	c1e9fd738b	fix: consider issues in repository accessible via `access` table (#7270 ) Some checks are pending testing / backend-checks (push) Waiting to run Details testing / frontend-checks (push) Waiting to run Details testing / test-unit (push) Blocked by required conditions Details testing / test-e2e (push) Blocked by required conditions Details testing / test-remote-cacher (redis) (push) Blocked by required conditions Details testing / test-remote-cacher (valkey) (push) Blocked by required conditions Details testing / test-remote-cacher (garnet) (push) Blocked by required conditions Details testing / test-remote-cacher (redict) (push) Blocked by required conditions Details testing / test-mysql (push) Blocked by required conditions Details testing / test-pgsql (push) Blocked by required conditions Details testing / test-sqlite (push) Blocked by required conditions Details testing / security-check (push) Blocked by required conditions Details / release (push) Waiting to run Details - Consider the following scenario: a private repository in an organization with a team that has no specific access to that repository. Members of that team are still able to visit the repository because of entries in the `access` table. - Consider this specific scenario for the gathering of issues for project tables. - Unit test added - Resolves forgejo/forgejo#7217 - Ref: forgejo/forgejo#6843 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7270 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz> (cherry picked from commit `72ee7f3b00`)	2025-03-19 16:46:20 +00:00
forgejo-backport-action	c2158b2a1f	[v10.0/forgejo] fix: consider public issues for project boards (#7144 ) Backport: https://codeberg.org/forgejo/forgejo/pulls/7143 - The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking. - The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project. - This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query. - Added unit testing. - Added integration testing. - Resolves Codeberg/Community#1809 - Regression of https://codeberg.org/forgejo/forgejo/pulls/6843 Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7144 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>	2025-03-07 00:51:07 +00:00
Gusted	3b4f1b3469	fix(sec): add tests for private issues on projects - Add integration and unit tests to ensure that private issues on projects are not shown in any way, shape or form when the doer has no access to it. (cherry picked from commit 55dcc1d06cb12ddb750a0289fbb6e212f93957a8)	2025-02-08 06:06:06 +00:00

Gusted

c1e9fd738b

fix: consider issues in repository accessible via access table (#7270 )

testing / backend-checks (push) Waiting to run

Details

testing / frontend-checks (push) Waiting to run

Details

testing / test-unit (push) Blocked by required conditions

Details

testing / test-e2e (push) Blocked by required conditions

Details

testing / test-remote-cacher (redis) (push) Blocked by required conditions

Details

testing / test-remote-cacher (valkey) (push) Blocked by required conditions

Details

testing / test-remote-cacher (garnet) (push) Blocked by required conditions

Details

testing / test-remote-cacher (redict) (push) Blocked by required conditions

Details

testing / test-mysql (push) Blocked by required conditions

Details

testing / test-pgsql (push) Blocked by required conditions

Details

testing / test-sqlite (push) Blocked by required conditions

Details

testing / security-check (push) Blocked by required conditions

Details

/ release (push) Waiting to run

Details

- Consider the following scenario: a private repository in an organization with a team that has no specific access to that repository. Members of that team are still able to visit the repository because of entries in the `access` table.
- Consider this specific scenario for the gathering of issues for project tables.
- Unit test added
- Resolves forgejo/forgejo#7217
- Ref: forgejo/forgejo#6843

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7270
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
(cherry picked from commit 72ee7f3b00)

2025-03-19 16:46:20 +00:00

forgejo-backport-action

c2158b2a1f

[v10.0/forgejo] fix: consider public issues for project boards (#7144 )

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7143

- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking.
- The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project.
- This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query.
- Added unit testing.
- Added integration testing.
- Resolves Codeberg/Community#1809
- Regression of https://codeberg.org/forgejo/forgejo/pulls/6843

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7144
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>

2025-03-07 00:51:07 +00:00

Gusted

3b4f1b3469

fix(sec): add tests for private issues on projects

- Add integration and unit tests to ensure that private issues on
projects are not shown in any way, shape or form when the doer has no
access to it.

(cherry picked from commit 55dcc1d06cb12ddb750a0289fbb6e212f93957a8)

2025-02-08 06:06:06 +00:00

3 commits