
The web route to update and delete variables of runners did not check whether the given ID belonged to the context it was requested in. This made it possible for any authenticated user to update and delete every existing runner variable of an instance. The code has been reworked to always take into account the context of the request (owner and repository ID).
// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package actions
import (
actions_model "code.gitea.io/gitea/models/actions"
"code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/web"
actions_service "code.gitea.io/gitea/services/actions"
"code.gitea.io/gitea/services/context"
"code.gitea.io/gitea/services/forms"
)
// SetVariablesContext looks up the Actions variables matching the given owner
// and repository IDs and stores them in ctx.Data["Variables"].
//
// If the lookup fails, a server error is written to ctx and ctx.Data is left
// untouched.
func SetVariablesContext(ctx *context.Context, ownerID, repoID int64) {
	// Both IDs go into the query options, so the listing is filtered by the
	// owner/repository the caller passes in.
	opts := actions_model.FindVariablesOpts{
		OwnerID: ownerID,
		RepoID:  repoID,
	}

	found, err := db.Find[actions_model.ActionVariable](ctx, opts)
	if err != nil {
		ctx.ServerError("FindVariables", err)
		return
	}

	ctx.Data["Variables"] = found
}
// CreateVariable handles the web request that adds a new Actions variable for
// the given owner and repository IDs, using the name and data from the
// submitted EditVariableForm.
//
// On failure the error is logged and a translated JSON error is returned; on
// success a flash message is set and the client is redirected to redirectURL.
func CreateVariable(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
	input := web.GetForm(ctx).(*forms.EditVariableForm)

	created, err := actions_service.CreateVariable(ctx, ownerID, repoID, input.Name, input.Data)
	if err != nil {
		// The underlying error goes to the server log only; the client gets
		// the generic translated message.
		log.Error("CreateVariable: %v", err)
		ctx.JSONError(ctx.Tr("actions.variables.creation.failed"))
		return
	}

	successMsg := ctx.Tr("actions.variables.creation.success", created.Name)
	ctx.Flash.Success(successMsg)
	ctx.JSONRedirect(redirectURL)
}
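// UpdateVariable handles the web request that edits an existing Actions
// variable. The variable ID is read from the ":variable_id" route parameter
// and handed to the service together with ownerID and repoID, so the service
// receives the context the request was made in and not the ID alone.
//
// A service error is logged and reported as an update failure. A false result
// without an error is reported as "not found". On success a flash message is
// set and the client is redirected to redirectURL.
func UpdateVariable(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
	id := ctx.ParamsInt64(":variable_id")
	form := web.GetForm(ctx).(*forms.EditVariableForm)

	ok, err := actions_service.UpdateVariable(ctx, id, ownerID, repoID, form.Name, form.Data)
	// Test err before ok: if the service reports failures as (false, err),
	// checking !ok first would answer "not found" and the error would never
	// reach the log.
	if err != nil {
		log.Error("UpdateVariable: %v", err)
		ctx.JSONError(ctx.Tr("actions.variables.update.failed"))
		return
	}
	if !ok {
		// NOTE(review): presumably this also covers an ID that exists under a
		// different owner/repository — confirm in the service. Keep the
		// response identical in both cases so it does not reveal which IDs
		// exist outside the caller's context.
		ctx.JSONError(ctx.Tr("actions.variables.not_found"))
		return
	}

	ctx.Flash.Success(ctx.Tr("actions.variables.update.success"))
	ctx.JSONRedirect(redirectURL)
}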
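// DeleteVariable handles the web request that removes an Actions variable.
// The variable ID is read from the ":variable_id" route parameter and handed
// to the model together with ownerID and repoID, so the model receives the
// context the request was made in and not the ID alone.
//
// A model error is logged (with the variable ID) and reported as a deletion
// failure. A false result without an error is reported as "not found". On
// success a flash message is set and the client is redirected to redirectURL.
func DeleteVariable(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
	id := ctx.ParamsInt64(":variable_id")

	ok, err := actions_model.DeleteVariable(ctx, id, ownerID, repoID)
	// Test err before ok: if the model reports failures as (false, err),
	// checking !ok first would answer "not found" and the error would never
	// reach the log.
	if err != nil {
		log.Error("Delete variable [%d] failed: %v", id, err)
		ctx.JSONError(ctx.Tr("actions.variables.deletion.failed"))
		return
	}
	if !ok {
		// NOTE(review): presumably this also covers an ID that exists under a
		// different owner/repository — confirm in the model. Keep the
		// response identical in both cases so it does not reveal which IDs
		// exist outside the caller's context.
		ctx.JSONError(ctx.Tr("actions.variables.not_found"))
		return
	}

	ctx.Flash.Success(ctx.Tr("actions.variables.deletion.success"))
	ctx.JSONRedirect(redirectURL)
}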